RE: strange domain name in phishing email

["Arley Barros Leal" <arley.leal () sonae com>]

Hmmm...isn't that a base-10 representation? One may use the IP base-10 for phishing, one classic example would be:

        <a href="http://www.vatican.com@3634596099/";>www.vatican.com</a>

You may also use the base-10 representation for ping, nslookup and so on...it works for me at least...

For some sites I was indeed able to bypass a (thousand-dollars) content filtering engine using this hack..

Cheers,
Arley Silveira.
Sénior Systems Engineer
Cisco VPN/Firewall Specialist, CCNA, MCSE Security, 
MCSA, MCP+I, Security+, iNET+, OCP, CIWA


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Juha-Matti Laurio
Sent: quinta-feira, 16 de Março de 2006 Arley @ 16:03
To: Michael Holstein; full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] strange domain name in phishing email

It seems that this case has the name Dotless IP Address Security Issue and KB article #168617 
http://support.microsoft.com/?kbid=168617
describes it even in IE4.
Correct if I'm wrong.

- Juha-Matti


> IIRC, Microsoft changed that as one of the security updates to IE. For 
> a time, it was a popular phishing trick. I also remember there was a 
> way to do that (or something similar) to bypass the security zones in 
> IE and make it think it was a trusted site, but can't find that reference at hand.
>
> The "rest" of windows will still do it though. Try "ping 2887060730" 
> or "telnet 2887060730 80".
>
> ~Mike.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: smime.p7s
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/