Message-ID: <40D04512.20481.889DC91C@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: US Bank scam
"Hamby, Charles D." <pfcdh1@...su.alaska.edu> wrote:
> This is a slick phishing scam, I have to admit. ...
It's been around for a month or more, so it may be slick, but it's not
new... Back on 13 May Drew Copley from eEye posted the following to
Bugtraq about it:
http://www.securityfocus.com/archive/1/363326
http://www.securityfocus.com/archive/1/363350
It is listed as BID 10346 at securityfocus:
http://www.securityfocus.com/bid/10346
> ... One thing I noticed though;
> I printed the various pages of the website out with IE to use as an
> example and I noticed that the real URL appeared at the bottom of each
> page as opposed to the bogus one. I thought that was interesting. Has
> anyone else noticed that this occurs with other phishing sites or is it
> just unique to this case?
For pity's sake -- did you not even look at the page sources to see how
it works??
It slaps a fake URL window over roughly the screen area where the real
URL is still displayed in the address bar. This is _NOT_ a case of
"true" spoofing (in the sense that the browser is fooled -- note for
one that the "https padlock" is not present; IE knows it is not at an
https URL), so why would you think that IE might print the "spoofed"
URL in printed headers/footers?
The spoofing here is of the social engineering type. Clearly all those
who have posted to the list so far commenting how effective this is are
not the types to immediately notice the horrible, and to me immediately
noticeable, two or three pixel offset of the faked URL window...
Finally, this is the kind of problem that is relatively easily guarded
against (though not entirely protected from) by running non-default
configurations. To the extent you have the Address bar in IE
positioned somewhere other than where the default location is, this
"trick" becomes horribly obvious, so long as your users have the
requisite clue count...
(And yes, there are other ways to do this that are not so easily fooled
as to show themselves by simply moving the Address bar, and these have
reputedly already been used in some phishing scams -- see commentary in
Drew's archived posts, linked above.)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854