Bugtraq mailing list archives

SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition


From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 11 Jun 2004 02:44:56 -0000



We wrap this up with a full-on SSL site spoof. It seems limited
how far you can 'shove' the real domain out of the way, but just 
enough to make it convincing so we adapt the window to 'cover' 
it up. Interestingly [with apologies to e-gold for playing with 
their site], they have a secured connection [ignore the warning] 
which gives us our https, our little golden 'safe' padlock and 
most interestingly, all the links inside the site function and 
show the spoofed address:

 
http://www.malware.com/gutted.html

Couple all that with the absurd ability to trick Internet
Explorer into believing it is in a 'trusted zone' by inserting 
whatever gibberish you want into the fake link regardless of the 
actual domain, and you have the catch of the day.

Big thanks to Drew Copley for whacking the sucker on the head,  
Brett Moore for correctly pointing out that it can be achieved 
without the 'redir' thing as well as being able to stuff it with
anything else you want and expedition leader: 'bitlance winter' 
who sighted it, tracked it, snagged it and reeled it in.

End Call

-- 
http://www.malware.com






