lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <du27rd$svl$1@sea.gmane.org>
Date: Tue Feb 28 19:22:22 2006
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: Re: Google + Amazon fun scam

ad@...poverflow.com wrote:

> If i remember I saw on this list a post wich was warning about faking
> scam links within google.com domain.
> I got this scam today:
>
> [SCAM]http://google.com/url?sa=p&pref=ig&pval=2&q=http://wielrenneninlimburg.nl/forum/www.amazon.com/index.html[/SCAM]
>
> wich is pretty easy to discover but I have tried a variant wich the
> scammer probably forgot to use to grow his fooling possiblities:
>
> [SCAM]http://google.com/url?sa=p&pref=ig&pval=2&q=%68%74%74%70%3A%2F%2F%77%69%65%6C%72%65%6E%6E%65%6E%69%6E%6C%69%6D%62%75%72%67%2E%6E%6C%2F%66%6F%72%75%6D%2F%77%77%77%2E%61%6D%61%7A%6F%6E%2E%63%6F%6D%2F%69%6E%64%65%78%2E%68%74%6D%6C[/SCAM]

  This is the exact same vuln really, calling it a variant seems to be 
slightly exaggerated.

> should be nasty to scam google services or anything other via this
> way. the scammer will hide its domain + "steal" google.com domain.

  The scammer will do no such thing, that's a very ordinary redirect and the 
browser's address bar will show the scammer's domain and have nothing to do 
with google.  You should have tried it out before you said this!  Here's a 
couple of safe examples for you to try and see for yourself that it hides 
nothing and steals nothing.

http://google.com/url?sa=p&pref=ig&pval=2&q=http://news.bbc.co.uk

http://google.com/url?sa=p&pref=ig&pval=2&q=%68%74%74%70%3A%2F%2F%77%77%77%2E%62%62%63%2E%63%6F%2E%75%6B%2F


  I don't think this is much use for a scam; sure, it can to hide the real 
destination address, but it doesn't let you replace it with a bogus one, and 
besides, if you get an email from your bank telling you to update your 
account but the link says google.com, isn't that /more/ likely to make 
people suspicious and less likely to fool them then if it just had a domain 
name in plain text that was just very-similar-but-not-quite-the-same as the 
real bank name?

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ