Full Disclosure mailing list archives
RE: Confirm Your VISA Card Email
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 26 Jan 2004 18:53:58 +1300
"Bill Royds" <full-disclosure () royds net> replied to "yossarian": [restructured to correct top-postingitis...]
http://www.visa.com/globalgateway/gg_selectcountry.html?retcountry=1 is where the URL takes me. Looks like just a scam to harvest mail addresses. I had something alike from ebay, just a webbug linking it to somewhere else. Dunno if ebay has already taken action - I sent it there just to make sure. I can't check since you just gave the URL - not check the pics for other link.

Interesting quirk in that URL. It uses a null byte (%00) to prevent display of the rest of the URL (which points to a Korean IP), but this sometimes causes a browser to drop the rest of the URL as well and actually go to Visa.com. Phisher was being a bit too smart for him/herself.
Ahem... I take it you both missed the fact that the page served by the real spammed URL comprises (brackets munged to help readers with chronically brain-dead mailers and lines indented and reflowed due to the limitations of this one...):

   [html]
   [HEAD]
   [SCRIPT LANGUAGE="JavaScript"]
   function popUp(URL) {
   day = new Date();
   id = day.getTime();
   eval("page" + id + " = window.open(URL, '" + id + "',
     'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,
     resizable=0,width=400,height=400');");
   }
   [/script]
   [META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://www.visa.com/"]
   [/head]
   [body]
   [BODY onLoad="javascript:popUp('index4.php'/*tpa=index4.php*/)"]
   [/body]
   [/html]

In short, the default page furnished from http://220.68.214.213/ is "blank" (has no visible elements) so it loads very quickly, pops up a bogus "card verification" window (http://220.68.214.213/index4.php) if you have scripting enabled, and almost instantly (after one second if I'm reading it correctly) and regardless of scripting support the blank page (which with most browsers is probably behind the "verification" pop-up) refreshes to http://www.visa.com/, presumably adding a further element of apparent legitimacy to the whole scam (at least for those naive enough to be taken in by it in the first place).

If you don't have scripting enabled, you will not get the "verification" pop-up and will just see www.visa.com load due to the blank spammed page loading then refreshing (www.visa.com will also be "blank" in this case as it is created and maintained by severely intellectually retarded chimpanzees that are seriously security-ignorant and think that, just because some browsers have scripting enabled by default it is therefore fine to assume everyone else is as stupid as the browser developers...).

BTW, the scam pages are still active (well, they were a few minutes ago when I last checked for their existence...).
Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html