Re: [Full-disclosure] Paypal Phishing Again

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu May 05 2005 - 03:14:03 CDT


Jason Weisberger wrote:

> Wasn't sure if anybody spotted this one, ...

Well, given that it's three weeks old AND that the login form this scam
points to is at a now-closed Netfirms account, I'd suggest that someone
(or more likely, many someones) has not only spotted it, but done
something more useful about it than posting a three-week-late "heads
up" to Full-Disclosure.

About the only thing of any interest in this whole example is that the
open-redirectors at:

   http://rds.yahoo.com/*<URL>

and:

   http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form submission that
happens when a victim clicks the "button" in the HTML Email that
apparently will take them to the PayPal login page at:

   https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
> <table width="50%" cellpadding="4" cellspacing="0" border="0" bgcolor="#FFFFFF" align="center">
> <FORM target="_blank" ACTION=http://rds.yaho&#010;o.com/*http://www&#009;.google.com/url METHOD=get>
> <INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://transfer038.netfirms.com/login/>
> <input type=submit style="color:#000080; border:solid 0px; background:#white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
> </form><br>
> </td>
> </tr>
> </table>

-- are both still fully functional and still being abused by phishers
making their obfuscated URLs look "official" or "kosher" or whatever by
leveraging the good name and reputation of "respected" web presences
such as Yahoo! and Google.

You'd have thought that Yahoo! and Google would be fixing those
ASAP, but apparently there's some dosh at stake, so stupid, sucky,
security-ignorant-to-the-detriment-of-the-rest-of-us design persists
well past when it should have...

Regards,

Nick FitzGerald
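An added example, not part of the post above: a small analyser that does offline what a victim's browser would do with the quoted form, decoding the `&#010;`/`&#009;` entity obfuscation, stripping the tab and newline characters browsers drop from URLs, and peeling the two redirector patterns Nick names (`rds.yahoo.com/*<URL>` and `google.com/url?q=<URL>`) until the real landing host appears. The form markup is a constructed copy of the quoted one with the style attribute dropped; the redirector matching rules are assumptions drawn from the URL shapes shown in the post, not a description of how those services behave.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed copy of the quoted form (style attribute dropped for brevity).
PHISH_FORM = (
    '<FORM target="_blank" ACTION=http://rds.yaho&#010;o.com/*http://www'
    '&#009;.google.com/url METHOD=get>'
    '<INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*'
    'http://transfer038.netfirms.com/login/>'
    '<input type=submit value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>'
    '</form>'
)

def normalize_url(raw: str) -> str:
    """Decode HTML entities, then drop the tab/CR/LF that browsers strip from URLs."""
    return re.sub(r"[\t\r\n]", "", html.unescape(raw))

def unwrap_redirect(url: str) -> str:
    """Peel the two redirector patterns named in the post until a plain target remains.
    No network access is needed: both patterns carry the next hop inside the URL."""
    while True:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == "rds.yahoo.com" and parts.path.startswith("/*"):
            url = parts.path[2:] + ("?" + parts.query if parts.query else "")
        elif host.endswith("google.com") and parts.path == "/url" and "q" in parse_qs(parts.query):
            url = parse_qs(parts.query)["q"][0]
        else:
            return url

def build_submission(markup: str) -> str:
    """Reconstruct the GET request a browser sends: ACTION plus the hidden inputs."""
    action = normalize_url(re.search(r"ACTION=([^\s>]+)", markup, re.I).group(1))
    hidden = re.findall(r"NAME=(\w+)\s+VALUE=([^\s>]+)", markup, re.I)
    query = "&".join(f"{n}={quote(normalize_url(v), safe='')}" for n, v in hidden)
    return f"{action}?{query}" if query else action

def analyze(markup: str) -> dict:
    """Compare the host the victim sees on the button with the real landing host."""
    shown = re.search(r"type=submit[^>]*value=([^\s>]+)", markup, re.I).group(1)
    final = unwrap_redirect(build_submission(markup))
    displayed, landing = urlsplit(shown).hostname, urlsplit(final).hostname
    return {"displayed_host": displayed, "landing_host": landing,
            "landing_url": final, "mismatch": displayed != landing}

if __name__ == "__main__":
    print(analyze(PHISH_FORM))
```

For the quoted form this reports `www.paypal.com` as the displayed host and `transfer038.netfirms.com` as the landing host, which is the mismatch a mail filter or analyst would key on.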
