New phishing trick?

[Jeff Kell <jeff-kell () utc edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here's one I don't recall seeing before... very good looking eBay
phishing notice (can supply full text if anyone wants, but I'll keep
this to the interesting part) with the "money shot" URL consisting of
the following link:

| <p align="justify"><font face="Verdana" size="1">Click below to
| continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a
|
title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%...";
|
href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update";>
|
https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%...</a></font></tr>

The "displayed" anchor is https:// and directed at eBay (no surprise)
but the real URL really does go to eBay to a cgi that does a redirect to
the phishing site, with the target of the redirect appearing at the
extreme end of the URL (might have been a little better if obfuscated by
escaped unicoding or similar, but it's plaintext).

eBay may have tweaked the redirecting cgi by now, but when I checked it
last night it worked (as a general redirect, I didn't examine the
phishing site target itself).

Jeff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj
V/jt6jY+dd9P5WC1gPbaxLs=
=gA3c
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html