| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41EBF79F.5010809@utc.edu> From: jeff-kell at utc.edu (Jeff Kell) Subject: New phishing trick? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here's one I don't recall seeing before... very good looking eBay phishing notice (can supply full text if anyone wants, but I'll keep this to the interesting part) with the "money shot" URL consisting of the following link: | <p align="justify"><font face="Verdana" size="1">Click below to | continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a | title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%..." | href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update"> | https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%...</a></font></tr> The "displayed" anchor is https:// and directed at eBay (no surprise) but the real URL really does go to eBay to a cgi that does a redirect to the phishing site, with the target of the redirect appearing at the extreme end of the URL (might have been a little better if obfuscated by escaped unicoding or similar, but it's plaintext). eBay may have tweaked the redirecting cgi by now, but when I checked it last night it worked (as a general redirect, I didn't examine the phishing site target itself). Jeff -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj V/jt6jY+dd9P5WC1gPbaxLs= =gA3c -----END PGP SIGNATURE-----
Powered by blists - more mailing lists