Interesting People mailing list archives
Advanced Paypal phish - uses faked functional address bar
From: David Farber <dave () farber net>
Date: Thu, 1 Dec 2005 05:20:05 -0500
Begin forwarded message:

From: Stanton McCandlish <mech () well com>
Date: November 30, 2005 8:54:31 PM EST
To: David Farber <dave () farber net>
Subject: Advanced Paypal phish - uses faked functional address bar

A new phishing trick; cool, in a nefarious way: The phisher pops a window that uses JavaScript to hide your real address toolbar, then adds a fake tool bar with a graphic and DHTML coding, matching your browser, that looks like the original address toolbar, with a fake but usable URL field in it, which is stocked with the address of the legit site the phisher is masquerading as. So the actual phisher site address is completely hidden, and it looks like you're at the legit site. Nasty.

There's the real phish at the bottom, in the quoted passage (sorry, original headers lost, so I don't know who the initial writer was) which you probably don't want to go to. Immediately below is an example of how it works on a safe page:

http://ip.securescience.net/exploits/

You have to have popup-blockers turned off for it to work. The safe test version above only seems to fake IE6/Win address bars, but it does so successfully in Firefox and Safari on the Mac. I don't think it would fool that many Mac people but the fakery is pretty impressive with IE on WinXP, and as noted above, the live phish is claimed to be more sophisticated in its mimicry.
This is a heads up. Below you'll find a new and sophisticated Paypal scam. It uses a google redirector to mask where it goes, but that is certainly not the advanced stuff :-)

The complete URL is: http://www.google.pt/url?sa=U&start=4&q=http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php

Which goes to: http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php

When the link "Click here to go to our main page" is clicked, it will open a javascript: "java script: Start('sysdll.Php')"

When opened it will construct the fraudulent website according to your default browser. I've tested with:

- Firefox
- Internet Explorer
- Opera

All latest versions with all relevant patches.

The fake address bar used may trick someone into thinking that they are actually on https://www.paypal.com. Watch and observe. This is indeed tricky done.

Although - some popup blockers should block this I would think. The trick is similar to http://ip.securescience.net/exploits/ so it creates an address bar using a pop-up controller and you just draw the image of the address bar. This is one of the first ones I've seen that has been done quite a bit better than the other ones that have attempted it. Their aim was off so it looked terrible.
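A defender-side sketch of the two tells described in this thread, the redirector-wrapped link and the popup that suppresses the real address bar. This is an added example, not code from the thread or from the phishing page. It assumes the popup hides browser chrome through a `window.open` feature string, which the message does not spell out; the function names and the popup snippet are hypothetical.

```javascript
// Added example: triage heuristics for the lure described in this thread.
// Sample inputs are the URL quoted in the message and a constructed popup call.

// If the link is a Google "/url" redirector, return the destination in q=.
function unwrapRedirector(link) {
  const u = new URL(link);
  const isGoogle = /(^|\.)google\.[a-z.]+$/i.test(u.hostname);
  const target = u.searchParams.get("q");
  if (isGoogle && u.pathname === "/url" && target && /^https?:\/\//i.test(target)) {
    return target;
  }
  return link;
}

// True when the brand's domain shows up in the path but is not the real host.
function brandOnlyInPath(link, brandDomain) {
  const u = new URL(link);
  const host = u.hostname.toLowerCase();
  const onBrand = host === brandDomain || host.endsWith("." + brandDomain);
  return !onBrand && u.pathname.toLowerCase().includes(brandDomain);
}

// Find window.open() calls whose feature string switches off browser chrome.
function chromeHidingPopups(source) {
  const calls = /window\.open\s*\(([^)]*)\)/g;
  const hides = /\b(location|toolbar|menubar|status)\s*=\s*(no|0)\b/gi;
  const findings = [];
  for (const m of source.matchAll(calls)) {
    const hidden = [...m[1].matchAll(hides)].map((h) => h[1].toLowerCase());
    if (hidden.length) findings.push({ call: m[0], hidden });
  }
  return findings;
}

function triage(link, brandDomain, pageSource) {
  const destination = unwrapRedirector(link);
  return {
    destination,
    redirected: destination !== link,
    brandOnlyInPath: brandOnlyInPath(destination, brandDomain),
    popups: chromeHidingPopups(pageSource),
  };
}

// URL as quoted in the message; popup source is constructed for illustration.
const LURE = "http://www.google.pt/url?sa=U&start=4&q=http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php";
const CONSTRUCTED_SOURCE = "function Start(p){window.open(p,'w','location=no,toolbar=no,width=800');}";
console.log(JSON.stringify(triage(LURE, "paypal.com", CONSTRUCTED_SOURCE), null, 2));
```

The address bar drawn inside the page cannot be checked from the page itself, so the useful signals are the ones above: where the link really lands, and whether the window was opened with its location bar turned off.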