WebApp Sec mailing list archives

Re: Phishing


From: "E.Kellinis" <me () cipher org uk>
Date: Sat, 15 May 2004 04:47:52 +0100

Phishing is interesting,
some applications allow you to do other tricks as well,

if you have this in a webpage
[a href="https://rehpic:www.cnn.com"]CNN[/a]
Mozilla (firefox 8.0), instead of throwing an error,
will throw you into the "I am Feeling lucky" result of google
which is my website in this case

so guess what ...

You wait until google adds you into the database 
You find some specific keywords for your website 
(which you make to look innocent ) 
and then you can totally fake the destination URL

if you have "cnnSSL" somewhere in your website
you can make the url look very real (you can use https as well)
https://SSL:www.cnn.com

manos

=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================
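
An added example, not part of the original message: a link check that a mail or content filter could run to flag hrefs like the two above, where the text after the colon in the authority is not a numeric port, so the name the reader sees (www.cnn.com) is not the host the URL names. The function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Authority = text between "scheme://" and the next "/", "?" or "#".
AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")

def bad_port(href):
    """Return (parsed_host, bogus_port) if the text after the host's colon
    is not a numeric port, else None."""
    m = AUTHORITY.match(href.strip())
    if not m:
        return None                      # relative or non-hierarchical link
    hostport = m.group(1).rpartition("@")[2]   # drop any userinfo
    if hostport.startswith("["):         # IPv6 literal: [addr]:port
        host, _, rest = hostport[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    if port and not re.fullmatch(r"[0-9]+", port):
        return (host, port)
    return None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def flag_links(html):
    """Map each suspicious href in the HTML to its (host, bogus_port) pair."""
    collector = LinkCollector()
    collector.feed(html)
    found = {}
    for href in collector.hrefs:
        hit = bad_port(href)
        if hit:
            found[href] = hit
    return found

# Constructed sample page: the two URLs from the message plus two normal links.
SAMPLE = """
<a href="https://rehpic:www.cnn.com">CNN</a>
<a href="https://SSL:www.cnn.com">CNN</a>
<a href="https://www.cnn.com:443/world">CNN</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for href, (host, port) in flag_links(SAMPLE).items():
        print(f"{href}: host is {host!r}, {port!r} is not a port")
```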

