Full Disclosure mailing list archives
New phishing trick?
From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 17 Jan 2005 12:36:31 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here's one I don't recall seeing before... very good looking eBay phishing notice (can supply full text if anyone wants, but I'll keep this to the interesting part) with the "money shot" URL consisting of the following link: | <p align="justify"><font face="Verdana" size="1">Click below to | continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a | title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%..." | href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update"> | https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%...</a></font></tr> The "displayed" anchor is https:// and directed at eBay (no surprise) but the real URL really does go to eBay to a cgi that does a redirect to the phishing site, with the target of the redirect appearing at the extreme end of the URL (might have been a little better if obfuscated by escaped unicoding or similar, but it's plaintext). eBay may have tweaked the redirecting cgi by now, but when I checked it last night it worked (as a general redirect, I didn't examine the phishing site target itself). Jeff -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj V/jt6jY+dd9P5WC1gPbaxLs= =gA3c -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New phishing trick? Jeff Kell (Jan 17)
- Re: New phishing trick? Steve Kudlak (Jan 21)