Date: Thu May  5 15:26:01 2005
From: toddtowles at brookshires.com (Todd Towles)
Subject: Paypal Phishing Again

Hey Nick,

I have been seeing a lot of e-mail from random addresses with a body like
the following

-----------------------------
"Hey, I tried to send a message to this address but it was bocked. Is
there a e-mail file size limit?"

Oman 
-----------------------------

Looks like DHAs, pretending to be more real than the normal one word
body and one word title.

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk 
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
> Of Nick FitzGerald
> Sent: Thursday, May 05, 2005 3:14 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Paypal Phishing Again
> 
> Jason Weisberger wrote:
> 
> > Wasn't sure if anybody spotted this one, ...
> 
> Well, given that it's three weeks old AND that the login form 
> this scam points to is at a now-closed Netfirms account, I'd 
> suggest that someone (or more likely, many someones) has not 
> only spotted it, but done something more useful about it than 
> posting a three-week-late "heads up" to Full-Disclosure.
> 
> About the only thing of any interest in this whole example is 
> that the open-redirectors at:
> 
>    http://rds.yahoo.com/*<URL>
> 
> and:
> 
>    http://www.google.<TLD>/url?<stuff>
> 
> -- both of which are cunningly used in the HTML form 
> submission that happens when a victim clicks the "button" in 
> the HTML Email that apparently will take them to the PayPal 
> login page at:
> 
>    https://www.paypal.com/cgi-bin/webscr?cmd=_update
> 
> <<snip>>
> > 	<table width=3D"50%" cellpadding=3D"4" 
> cellspacing=3D"0" border=3D"0" 
> > bgc= olor=3D"#FFFFFF" align=3D"center">
> > 			<FORM target=3D"_blank"  
> > ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
> > w&#009;.google.com/url  METHOD=3Dget>
> > <INPUT TYPE=3DHIDDEN NAME=3Dq 
> > VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
> > r038.netfirms.com/login/>
> > <input type=3Dsubmit style=3D"color:#000080; border:solid 0px; 
> > background:= #white;" 
> > value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
> > </form><br>
> > </td>
> > 		</tr>
> > 	</table>
> 
> -- are both still fully functional and still being abused by 
> phishers making their obfuscated URLs look "official" or 
> "kosher" or whatever by leveraging the good name and 
> reputation of "respected" web presences such as Yahoo! and Google.  
> 
> You'd have thought that Yahoo! and Google would be fixing 
> those ASAP, but apparently there's some dosh at stake, so 
> stupid, sucky, 
> security-ignorant-to-the-detriment-of-the-rest-of-us design 
> persists well past when it should have...
> 
> 
> Regards,
> 
> Nick FitzGerald
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
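
Added example, not part of the original thread: a defender-side check that decodes a quoted-printable HTML mail body, strips the entity-encoded whitespace from form URLs, peels the two redirector patterns named above (`rds.yahoo.com/*<URL>` and `www.google.<TLD>/url?q=`), and compares the real landing host with the host shown on the button. The function and class names are hypothetical, the sample is the quoted form re-joined by hand, and only the `q` parameter used in that form is handled.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample: the form quoted in the thread, re-joined as quoted-printable.
SAMPLE_QP = b"""<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update></form>"""

def clean(value):
    # Browser URL parsing drops tab/CR/LF, so strip them before inspecting the URL.
    return re.sub(r"[\t\r\n]", "", value)

class FormCollector(HTMLParser):  # gathers form action, hidden fields, button text
    def __init__(self):
        super().__init__()
        self.action, self.hidden, self.shown = "", {}, ""

    def handle_starttag(self, tag, attrs):  # HTMLParser has already decoded entities
        a = {k: clean(v or "") for k, v in attrs}
        kind = a.get("type", "").lower()
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and kind == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")
        elif tag == "input" and kind == "submit":
            self.shown = a.get("value", "")

def unwrap(url):
    """Peel the two redirector patterns named in the thread; return every hop."""
    chain = [url]
    for _ in range(10):  # bounded, in case redirectors are nested deeply
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == "rds.yahoo.com" and parts.path.startswith("/*"):
            url = url.split("/*", 1)[1]
        elif re.fullmatch(r"www\.google\.[a-z.]+", host) and parts.path == "/url":
            url = parse_qs(parts.query).get("q", [""])[0]
        else:
            break
        chain.append(url)
    return chain

def analyze(raw_qp):
    form = FormCollector()
    form.feed(quopri.decodestring(raw_qp).decode("latin-1"))
    hops = [urlsplit(u).hostname for u in unwrap(form.action + "?" + urlencode(form.hidden))]
    shown = urlsplit(form.shown).hostname
    return {"shown": shown, "hops": hops, "suspicious": len(hops) > 1 and hops[-1] != shown}
```

`analyze(SAMPLE_QP)` reports the host displayed to the reader, every redirector hop, and whether the final host differs from the displayed one.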
