lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <200501292222.j0TMMkrs019043@lists.netsys.com> From: seclists at securinews.com (Paul Kurczaba) Subject: Is there a 0day vuln in this phisher's site? Interesting Site. When I went to the page, McAfee VirusScan notified me of an script it blocked on the page. The blocked script, a virus, was called "JS/Stealus.gen". After some research, I found the script "exploit(s) an Internet Explorer vulnerability resulting in Internet Explorer displaying one location in the Address bar, but actually loading the content from a different site." -http://vil.nai.com/vil/content/v_126246.htm -----Original Message----- From: full-disclosure-bounces@...ts.netsys.com [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of lists-security@...tracers.com Sent: Saturday, January 29, 2005 3:15 AM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] Is there a 0day vuln in this phisher's site? I was annoyed today by a phisher impersonating my favorite bank Washington Mutual http://www.Wamu.com The phisher's site: http://220.194.228.91:87/wa/ Obviously any data collected there will be abused by the phishers...but does it pose a greater risk of being exposed to a much wider audience of crackers? Have these phishers hardened their system enough to prevent attack and maybe even the discovery of their identity? So I did a quick scan of the "collector" system 220.194.228.91 setup by the phishers and found the Asia-Pacific based system to have TCP port 87 open for web, and UDP 7- Echo and UDP 161-SNMP open. Browsing the SNMP MIBS showed me a Win2K system with a private address 192.168.0.1 sitting in WORKGROUP with a LANMAN Name ZFZ. Network card MAC addresses (VITALCOM) 00e0433a4bbd and 00e0433a4957 and MTU's of 1500. sysUpTime TimeTicks 11 hours, 3 minutes, 22 seconds. Usernames Guest and cclogin Mib Oid; Type; Value; Type #; .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserT able.svUserEntry.svUserName.5.71.117.101.115.116; String; Guest; 4; .iso.org.dod.internet.private.enterprises.lanmanager.lanmgr-2.server.svUserT able.svUserEntry.svUserName.7.99.99.108.111.103.105.110; String; cclogin; 4; Also, looking at the source on the /wa/index.htm and /wa/thank.htm pages shows that they were grabbed for malicious editing on 10/4/2004 ....that is as far as I could take it tonight. Regarding the open SNMP, I have seen "a buffer overrun is present in all implementations", but do not know if the phisher's system is exploitable and have not tried any code to actually do this. Once cracked, getting information regarding all connections could lead closer to the real identity of the phishers, especially if some trojan code can be placed using an SNMP exploit. If those phishers are getting wealthy by stealing identities, it would be possible for them to be trumped by yet another crook stealing their identity/bank accounts, etc. Some questions for the inclined: 1) What information can still be gathered regarding this fake banking site using both passive probes and active exploits? 2) How long has this particular site been active? 3) Is the network range repeatedly used for malicious activity, or is this unusual activity in that network? 4) While the proliferation of these sites has caused a tremendous amount of security awareness in businesses and the public, these scams continue to trick people. How can phishers be virtually neutered? 5) When secure transactions must be done via the web, users must be verified to the secure site, but web sites are not easily verified by the average user. What foolproof device, dongle, etc. could a clueless user employ to verify a secure site? 6) Should secure sites employ steganographic watermarking to allow for forensic tracking of images served by secure sites? (do they do this already like my Minolta QMS2300DL does with those little yellow dots?) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists