[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4a7b96ee0511141002x5f67c35al6ec41b45dcebaa23@mail.gmail.com>
Date: Mon Nov 14 18:02:16 2005
From: brian.l.johnson at gmail.com (Brian Johnson)
Subject: Phishing attack. Basic encoding
I was forwarded a very similiar message late last week.
When I loaded the page in IE it brought up the homepage of the domain
being phished and and a pop up window with a captcha image. Some more
analysis of the page showed that the image was being pulled from a
Russian email site while the rest of the pop up from a host in
Germany.
I was unable to locate any exploit code and it never asked me for
actual credentials so it is my belief this is an attempt to get people
to decode captcha images so that some phishers/spammers can create
email accounts.
On 11/13/05, Peter Harvey <peter.harvey@...il.com> wrote:
> I have had a number of reports of messages targetting users on domains
> for their credentials.
> The interesting part of this message is the very basic but effective
> encoding of the message. It appears that there are a couple of
> characters that instruct the mail program to display the characters in
> the reverse order.
>
> An example is attached. This appears to be random in the characters
> reversed based on a number of examples forwarded. I would say this is
> a simple yet effective way of bypassing signature based filters.
>
> They also appear to be bouncing through Google to the compromised
> website for phishing credentials. I am guessing it is phishing as the
> websites that I have seen were unavailable at the time.
>
> --
> Peter
> --
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
Powered by blists - more mailing lists