Message-ID: <40156246.276.8801E3ED@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Confirm Your VISA Card Email
"Bill Royds" <full-disclosure@...ds.net> replied to "yossarian":
[restructured to correct top-postingitis...]
> > http://www.visa.com/globalgateway/gg_selectcountry.html?retcountry=1 is
> > where the URL takes me. Looks like just a scam to harvest mail addresses. I
> > had something alike from ebay, just a webbug linking it to somewhere else.
> > Dunno if ebay has already taken action - I sent it there just to make sure.
> > I can't check since you just gave the URL - not check the pics for other
> > link.
>
> Interesting quirk in that URL. It uses a null byte (%00) to prevent display
> of the rest of the URL (which points to a Korean IP), but this sometimes
> causes a browser to drop the rest of the URL as well and actually go to
> Visa.com. Phisher was being a bit too smart for him/herself.
Ahem...
I take it you both missed the fact that the page served by the real
spammed URL comprises (brackets munged to help readers with chronically
brain-dead mailers and lines indented and reflowed due to the
limitations of this one...):
[html]
[HEAD]
[SCRIPT LANGUAGE="JavaScript"]
function popUp(URL) {
day = new Date();
id = day.getTime();
eval("page" + id + " = window.open(URL, '" + id + "',
'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,
resizable=0,width=400,height=400');");
}
[/script]
[META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://www.visa.com/"]
[/head]
[body]
[BODY onLoad="javascript:popUp('index4.php'/*tpa=index4.php*/)"]
[/body]
[/html]
In short, the default page furnished from http://220.68.214.213/ is
"blank" (has no visible elements) so it loads very quickly, pops up a
bogus "card verification" window (http://220.68.214.213/index4.php) if
you have scripting enabled, and almost instantly (after one second if
I'm reading it correctly) and regardless of scripting support the blank
page (which with most browsers is probably behind the "verification"
pop-up) refreshes to http://www.visa.com/, presumably adding a further
element of apparent legitimacy to the whole scam (at least for those
naive enough to be taken in by it in the first place). If you don't
have scripting enabled, you will not get the "verification" pop-up and
will just see www.visa.com load due to the blank spammed page loading
then refreshing (www.visa.com will also be "blank" in this case as it
is created and maintained by severely intellectually retarded chimpanzees
that are seriously security-ignorant and think that, just because some
browsers have scripting enabled by default it is therefore fine to
assume everyone else is as stupid as the browser developers...).
BTW, the scam pages are still active (well, they were a few minutes ago
when I last checked for their existence...).
Regards,
Nick FitzGerald
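
The page behaviour described in the message above (a pop-up opened from an onload handler, plus a near-instant meta refresh to an unrelated legitimate host) can be checked for mechanically when triaging a reported link. This is an added example, not part of the original post; `Scanner`, `analyse` and the 5-second `MAX_DELAY` threshold are assumptions, and the sample is the munged listing rebuilt with real brackets.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_DELAY = 5  # seconds; assumed threshold for a "near-instant" refresh

class Scanner(HTMLParser):
    """Collects the meta refresh target, onload handlers and inline script text."""
    def __init__(self):
        super().__init__()
        self.refresh, self.onload, self.script, self._in_script = None, [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}  # tag and attribute names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.refresh = (int(m.group(1)), m.group(2).strip("'\""))
        if "onload" in a:
            self.onload.append(a["onload"])
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def analyse(html, served_from):
    s = Scanner()
    s.feed(html)
    # Names of script functions whose body reaches window.open (popUp in the sample).
    openers = re.findall(r"function\s+(\w+)\s*\([^)]*\)\s*\{[^}]*window\.open", "".join(s.script))
    popup = any("window.open" in h or any(re.search(rf"\b{re.escape(f)}\s*\(", h) for f in openers)
                for h in s.onload)
    delay, target = s.refresh or (None, None)
    host = urlparse(target).hostname if target else None
    offsite = host if host and host != urlparse(served_from).hostname else None
    return {"popup_on_load": popup, "refresh_delay": delay, "refresh_host": offsite,
            "decoy": popup and offsite is not None and delay <= MAX_DELAY}

# Constructed sample: the listing from the message with real brackets, window features shortened.
SAMPLE = """<html><head><script language="JavaScript">
function popUp(URL) { day = new Date(); id = day.getTime();
eval("page" + id + " = window.open(URL, '" + id + "', 'location=0,width=400,height=400');"); }
</script>
<meta http-equiv=REFRESH content="1; URL=http://www.visa.com/"></head>
<body onLoad="javascript:popUp('index4.php')"></body></html>"""
```

Calling `analyse(SAMPLE, "http://220.68.214.213/")` reports the one-second refresh to `www.visa.com` together with the onload pop-up and sets `decoy` to true; a page that only refreshes within its own host is not flagged.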