Full Disclosure mailing list archives

Re: US Bank scam


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 16 Jun 2004 13:03:14 +1200

"Hamby, Charles D." <pfcdh1 () matsu alaska edu> wrote:

> This is a slick phishing scam, I have to admit.  ...

It's been around for a month or more, so it may be slick, but it's not 
new...  Back on 13 May Drew Copley from eEye posted the following to 
Bugtraq about it:

   http://www.securityfocus.com/archive/1/363326

   http://www.securityfocus.com/archive/1/363350

It is listed as BID 10346 at securityfocus:

   http://www.securityfocus.com/bid/10346

> ...  One thing I noticed though; I printed the various pages of the
> website out with IE to use as an example and I noticed that the real
> URL appeared at the bottom of each page as opposed to the bogus one.
> I thought that was interesting.  Has anyone else noticed that this
> occurs with other phishing sites or is it just unique to this case?

For pity's sake -- did you not even look at the page sources to see how 
it works??

It slaps a fake URL window over roughly the screen area where the real 
URL is still displayed in the address bar.  This is _NOT_ a case of 
"true" spoofing (in the sense that the browser is fooled -- note for 
one that the "https padlock" is not present; IE knows it is not at an 
https URL), so why would you think that IE might print the "spoofed" 
URL in printed headers/footers?

The spoofing here is of the social engineering type.  Clearly all those 
who have posted to the list so far commenting how effective this is are 
not the types to immediately notice the horrible, and to me immediately 
noticeable, two or three pixel offset of the faked URL window...

Finally, this is the kind of problem that is relatively easily guarded 
against (though not entirely protected from) by running non-default 
configurations.  To the extent you have the Address bar in IE 
positioned somewhere other than where the default location is, this 
"trick" becomes horribly obvious, so long as your users have the 
requisite clue count...

(And yes, there are other ways to do this that are not so easily fooled 
as to show themselves by simply moving the Address bar, and these have 
reputedly already been used in some phishing scams -- see commentary in 
Drew's archived posts, linked above.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html