Bugtraq mailing list archives

RE: IE URL Issue Being Used In Phishing In the Wild [USBank]


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 14 May 2004 11:18:51 -0700

These guys got it and catalogued it nicely.

Scroll down for full details.

http://www.antiphishing.org/phishing_archive/05-13-04_US_Bank_(Found_error).html

They did everything but put up full source code.

Http-equiv pointed out that Dror Shalev has catalogued a Citibank version
he found in the wild:

http://sec.drorshalev.com/dev/fakeaddress 

This has different source, however, and utilizes a different method
altogether. The Italian version is cleaner, no munged graphics, but
this Citibank version doesn't miss on the URL bar if you have an
additional bar underneath the URL bar (i.e., Google bar, or Links).

We should expect someone to figure out pretty soon that they
can replace the warning dialogs for running executable content
on the web (or for installing spyware activex)... imo.

None of this is entirely new... but, it looks like exploit and
implementation time have finally caught up with each other after
several years.

Guninski:
"Javascript in IE may spoof the whole screen"
[He also shows how it may spoof the executable warning box, this
issue is still open]
Date: 21 October 2001

Image moving over download/open dialog:
http://www.guninski.com/opf2.html

Really, I think this is a classic "failure of imagination" security
issue here.

Regardless, this is easy money. These guys have finally figured it
out. Someone has spelled it out for them.


-----Original Message-----
From: Todd C. Campbell [mailto:toddc () mordor beernutz com] On Behalf Of Todd C. Campbell
Sent: Friday, May 14, 2004 10:45 AM
To: Drew Copley
Cc: bugtraq () securityfocus com
Subject: Re: IE URL Issue Being Used In Phishing In the Wild [USBank]

On Thu, May 13, 2004 at 03:30:29PM -0700, Drew Copley wrote:
One of our developers (Laurentiu Nicula) received an alarming type
of phishing attack today.

received: from UsBank.com ([82.33.97.75])

[82.33.97.75 = 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk]

The email looks legitimate enough, but links to:

http://validation-required.info/

This site seems to be suspended now.

-- 

Todd C. Campbell
CoreComm an ATX Company
Systems Engineering
