| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <45DAC7DD.6520.E5938E60@nick.virus-l.demon.co.uk> Date: Tue, 20 Feb 2007 10:05:17 +1300 From: Nick FitzGerald <nick@...us-l.demon.co.uk> To: full-disclosure@...ts.grok.org.uk Subject: Re: phishing sites examples "source code" Juergen Fiedler to Andres Riancho: > > For a research i'm doing I need a somehow "big"(around 100 would be > > nice...) amount of phishing sites html code . .... What kind of research? Where? Under whose/what's guidance? Seems unlikley to me that you would have both a genuine "need" for such stuff _AND NOT_ the ready means of obtaining it... > > ... I have googled for them but > > I only get a lot of screenshots of those sites, not the actual code. > > Anyone has an idea of where I could get those sites html ? > > Keep in mind that the HTML is most likely directly lifted from the > site that the phishers are spoofing - the only thing that changes is > the action for the login form; you can't readily get to the source > code for the form action because it is done in some sort of server > side scripting (CGI, PHP, ASP, whatever...) that can't readily be > viewed from the client side. Yep, except for the occasional phish where they simply use some stupidly "vulnerable" mail script which takes all its "instructions" as parameters to the script URL, or the phishers are such noobs/lusers that they rolled their own similar script, and then everything you really "need" is probably in the HTML. Such sites though are increasingly rare, I think, though there was something of an "outbreak" of this technique late last year, it seems to faded into near total oblivion again... > That said, I have run into one or two phishers who compromise a site > (or create a throwaway site themselves), upload their scripts in a > tarball, install them - and then leave the tarball around for > posterity to analyze. I kid you not. I'm sure there are a deal more than "one or two" such sites, but because you cannot see the existence of those files without having more privileged access (either direct or indirect through some hosting amin firing copies your way) you can't know they are there. Less common, but still far from unheard of, is a similar situation where the compromised (or ill-configured) server has directory indexing enabled, and you can simply discover the existence of such files through using a little address-bar editing fu. I probably see something like 5-10 such sites a week and I seldom have time to look so closely at all the (likely) phish I receive in a day. > Unfortunately, the only good way to get to that source code is by > asking the administrator of a compromised site whether they found > anything that they would be willing to share; ... Of course, that applies equally whether the perp left a copy of the nicely archived contents or not... > ... going in and poking > around yourself may put you into a legal position that you'd rather > not be in. ...and even index-trawling as suggested above and/or guessing "obvious" non-public URLs has been deeemed dubious through outright illegal in at least some jurisdictions. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists