Date: Thu May  5 09:15:16 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Paypal Phishing Again

Jason Weisberger wrote:

> Wasn't sure if anybody spotted this one, ...

Well, given that it's three weeks old AND that the login form this scam 
points to is at a now-closed Netfirms account, I'd suggest that someone 
(or more likely, many someones) has not only spotted it, but done 
something more useful about it than posting a three-week-late "heads 
up" to Full-Disclosure.

About the only thing of any interest in this whole example is that the 
open-redirectors at:

   http://rds.yahoo.com/*<URL>

and:

   http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form submission that 
happens when a victim clicks the "button" in the HTML Email that 
apparently will take them to the PayPal login page at:

   https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
> 	<table width="50%" cellpadding="4" cellspacing="0" border="0" bgcolor="#FFFFFF" align="center">
> 			<FORM target="_blank"  ACTION=http://rds.yaho&#010;o.com/*http://www&#009;.google.com/url  METHOD=get>
> <INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://transfer038.netfirms.com/login/>
> <input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
> </form><br>
> </td>
> 		</tr>
> 	</table>

-- are both still fully functional and still being abused by phishers 
making their obfuscated URLs look "official" or "kosher" or whatever by 
leveraging the good name and reputation of "respected" web presences 
such as Yahoo! and Google.  

You'd have thought that Yahoo! and Google would be fixing those 
ASAP, but apparently there's some dosh at stake, so stupid, sucky, 
security-ignorant-to-the-detriment-of-the-rest-of-us design persists 
well past when it should have...


Regards,

Nick FitzGerald
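
The redirector chain described above, as an added example that is not part of the original post: a small Python analyzer that does statically what the victim's browser does when the "button" is clicked. It decodes the `&#010;`/`&#009;` character references in the form's attribute values and drops the embedded newline and tab (which is why `rds.yaho&#010;o.com` still resolves to `rds.yahoo.com`), reconstructs the GET request the form submits, and then unwraps the two open redirectors named in the post, `rds.yahoo.com/*<URL>` and `google.<TLD>/url?q=<URL>`, hop by hop without fetching anything, until it reaches the real destination and compares that host with the one shown on the button. Hostnames, paths and the button text are taken from the quoted form; the sample string (with the MIME quoted-printable encoding already undone) and all function names are this example's own.

```python
"""Static analysis of a phishing form that chains open redirectors.

Added example, not code from the original post. It mirrors the two steps
a browser takes that make the quoted form work, so a mail filter or an
analyst can see where a submission really lands: (1) decode character
references in attribute values and drop embedded tab/LF/CR, then
(2) follow rds.yahoo.com/*<URL> and google.<TLD>/url?q=<URL> wrapping
statically. Nothing is fetched from the network.
"""
import html
import re
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed sample: the form quoted in the post, with the MIME
# quoted-printable transfer encoding (=3D, soft line breaks) undone.
SAMPLE_FORM = (
    '<FORM target="_blank"  ACTION=http://rds.yaho&#010;o.com/*http://www&#009;.google.com/url  METHOD=get>'
    '<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://transfer038.netfirms.com/login/>'
    '<input type=submit style="color:#000080; border:solid 0px; background:#white;" '
    'value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>'
    '</form>'
)

# One HTML attribute: name=value, value double-quoted, single-quoted or
# bare (the sample mixes quoted and bare values).
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(tag):
    """Return {lowercased name: raw value} for one tag such as '<input ...>'."""
    out = {}
    for m in ATTR_RE.finditer(tag):
        name, dq, sq, bare = m.groups()
        out[name.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return out


def normalize_url(raw):
    """Mirror the browser: decode &#NNN; references, then drop embedded
    tab/LF/CR so 'rds.yaho&#010;o.com' becomes 'rds.yahoo.com'."""
    return re.sub(r'[\t\n\r]', '', html.unescape(raw)).strip()


def unwrap_redirect(url):
    """If url points at one of the two open redirectors named in the post,
    return the URL it forwards to; otherwise None."""
    p = urlparse(url)
    host = (p.hostname or '').lower()
    if host == 'rds.yahoo.com' and p.path.startswith('/*'):
        # rds.yahoo.com/*<URL>: the target is everything after '/*', and
        # any query string on the request travels along with it.
        return p.path[2:] + ('?' + p.query if p.query else '')
    if re.fullmatch(r'(www\.)?google\.[a-z.]+', host) and p.path == '/url':
        # google.<TLD>/url?q=<URL>: the target is the q parameter.
        q = parse_qs(p.query).get('q')
        return q[0] if q else None
    return None


def resolve_chain(url, max_hops=10):
    """Follow redirector wrapping statically; returns every hop, first to last."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = unwrap_redirect(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def analyze_form(fragment):
    """Reconstruct the GET request the form submits and compare where it
    really goes with what the submit button shows the victim."""
    action, fields, displayed = '', {}, ''
    for tag in re.findall(r'<[^>]+>', fragment):
        tag_name = tag[1:].split(None, 1)[0].lower()
        a = parse_attrs(tag)
        if tag_name == 'form':
            action = normalize_url(a.get('action', ''))
        elif tag_name == 'input':
            kind = a.get('type', 'text').lower()
            if kind == 'hidden':
                fields[a.get('name', '')] = normalize_url(a.get('value', ''))
            elif kind == 'submit':
                displayed = a.get('value', '')
    # METHOD=get: field values are form-encoded into the action's query string.
    submitted = action + ('?' + urlencode(fields) if fields else '')
    chain = resolve_chain(submitted)
    final_host = (urlparse(chain[-1]).hostname or '').lower()
    shown_host = (urlparse(displayed).hostname or '').lower()
    return {
        'submitted': submitted,
        'chain': chain,
        'final_host': final_host,
        'shown_host': shown_host,
        # Flag when the button advertises one site but the unwrapped request
        # lands on another, or when the request needed unwrapping at all.
        'suspicious': (bool(shown_host) and shown_host != final_host) or len(chain) > 1,
    }


if __name__ == '__main__':
    report = analyze_form(SAMPLE_FORM)
    for hop in report['chain']:
        print(' ->', hop)
    print('button shows', report['shown_host'], '| request lands on', report['final_host'])
```

Run against the sample, the chain is four hops: the Yahoo! wrapper, then Google's `/url?q=`, then Yahoo! again, ending at `transfer038.netfirms.com`, while the button text names `www.paypal.com`. The same normalize-then-unwrap order matters for any filter built on this idea: a rule that inspects the raw attribute value would see `rds.yaho` followed by a newline and never match the redirector host.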
