| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Nov 14 09:26:01 2005 From: alert at krusesecurity.dk (Peter Kruse) Subject: Phishing attack. Basic encoding Hi Peter, > I have had a number of reports of messages targetting users on domains > for their credentials. > The interesting part of this message is the very basic but effective > encoding of the message. It appears that there are a couple of > characters that instruct the mail program to display the characters in > the reverse order. Yep, this has been going on for a week or so. We have blocked many copies at our gateway service. > An example is attached. This appears to be random in the characters > reversed based on a number of examples forwarded. > I would say this is a simple yet effective way of bypassing signature > based filters. Indeed. > They also appear to be bouncing through Google to the compromised > website for phishing credentials. I am guessing it is phishing as the > websites that I have seen were unavailable at the time. Yes, it uses a google redirector and a encoding scheme in order to slip past filters. If clicked, it will post data to a remote cgi script "poch.cgi" in a small window. The domain where the cgi script is hosted changes, but "stand_artza._com" is the most popular. The poch.cgi returns the following code: <S_CRIPT> window.close(); </S_CRIPT> This is not phishing. My guess is this is data collection. The purpose is likely to collect IP addresses, domainname, date, time etc. What this information is used for, we can only speculate, but it could be some sort of seeding vector calculator. Regards Peter Kruse
Powered by blists - more mailing lists