Re: Referer/302 behavior [WEB SECURITY] Web Hacking... PayPal Phishing ... Google redirect

[Peter Watkins <peterw () tux org>]

dpw wrote:
> I am surely missing something here. This seems like a pretty involved phish,
> but the initial hook doesn't seem to be baited very well. 
>
> Why would anyone think a link that goes to Google would be a legitimate way
> to go to PayPal? Why would this be different than leveraging any redirect
> system? Why is this noteworthy?

It would be (more) noteworthy if there were evidence to suggest that
users are falling for it. Is there any?

> Now, if PayPal had some sort of reusable 404 redirection mechanism, at least

You mean 301/302, right?

> the initial link would appear to go to Paypal, but it sure seems to me that
> going to Google first is pointless. Maybe the phisher is tracking the
> effectiveness of the lure by watching the referrer?

Tracking how? If you have
   http://link.example.org/
offer a hyperlink (<A HREF="...">) to
   http://redir.example.org/?q=http://attack.example.org/
which issues a 302 redirect to
   http://attack.example.org/
then most browsers' request for http://attack.example.org/ will have a
Referer request header of http://link.example.org/. Put several layers
of 302 redirects between http://link.example.org/ and
http://attack.example.org/ and the Referer for the
http://attack.example.org/ request will still be
http://link.example.org/ -- browsers will send the last URL that did
*not* issue a 302 (or 301? I don't use 301 much) redirect.

If http://redir.example.org/?q=http://attack.example.org/ redirects the
browser to http://attack.example.org/ by means of a "client-pull" META
http-equiv refresh tag, typically the request to
http://attack.example.org/ will not include a Referer header at all.
This client-pull trick (and Javascript facsimiles) are often used by
apps like webmail systems that wish to "anonymize" the referring URL.

-Peter

> -----Original Message-----
> From: RSnake [mailto:rsnake () shocking com] 
> Sent: Wednesday, January 11, 2006 9:58 AM
> To: Watchfire Research
> Cc: Ofer Shezaf; websecurity () webappsec org; zx () castlecops com;
> webappsec () securityfocus com
> Subject: RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site
> Exploits Google XSS Vulnerability

>       Google has a number of redirection holes just like the one
> mentioned in that article, presumably to track user behavior for more
> targeted ads.  In a cursory check I found four of them (these all simply
> redirect to CNN):
>
> http://froogle.google.com/froogle_url?q=http://www.cnn.com

> On Wed, 11 Jan 2006, Watchfire Research wrote:

> > As already stated by Stelian Ene in a posting to bugtraq/webappsec
> > (@securityfocus.com), the PayPal phishing scam presented below exploit a
> > well-known redirection phishing trick via Google's redirection script.
> >
> > It is important to mention that unlike what stated in
> > http://castlecops.com/article-6460-nested-0-0.html, the attack is not
> > based on the Cross-Site Scripting vulnerability which was recently
> > detected and published by Watchfire in Google's website
> > (http://www.securiteam.com/securitynews/6Z00L0AEUE.html).

[lots snipped]

> > http://castlecops.com/a6460-PayPal_Phishing_Site_Exploits_Google_XSS_Vulnerability.html



-------------------------------------------------------------------------
This List Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------