WebApp Sec mailing list archives
RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability
From: "dpw" <dainw () fsr com>
Date: Wed, 11 Jan 2006 12:06:40 -0800
I am surely missing something here. This seems like a pretty involved phish, but the initial hook doesn't seem to be baited very well. Why would anyone think a link that goes to Google would be a legitimate way to go to PayPal? Why would this be different than leveraging any redirect system? Why is this noteworthy?

Now, if PayPal had some sort of reusable 404 redirection mechanism, at least the initial link would appear to go to PayPal, but it sure seems to me that going to Google first is pointless. Maybe the phisher is tracking the effectiveness of the lure by watching the referrer?

Dain White
Senior Developer / Webmaster
First Step Internet - www.fsr.com
208-882-8869 ext. 440

-----Original Message-----
From: RSnake [mailto:rsnake () shocking com]
Sent: Wednesday, January 11, 2006 9:58 AM
To: Watchfire Research
Cc: Ofer Shezaf; websecurity () webappsec org; zx () castlecops com; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability

Google has a number of redirection holes just like the one mentioned in that article, presumably to track user behavior for more targeted ads. In a cursory check I found four of them (these all simply redirect to CNN):

http://froogle.google.com/froogle_url?q=http://www.cnn.com
http://www.google.com/url?sa=l&q=http://www.cnn.com/&ai=BsbPer84UQ7D7B73WsAGz6_3bAougzgu3ld23AeualQaA8lcQARgBIPJOKAhIkjlQjrnN4Pj_____AcgBAQ&num=1
http://catalogs.google.com/url?sa=H&title=PC+Connection&subtitle=&q=http://www.cnn.com
http://images.google.com/imgres?imgurl=.&imgrefurl=http://www.cnn.com

Although in my mind the only thing that makes this worse than any other redirection attack is that it's Google, and people trust Google for some reason.

On Wed, 11 Jan 2006, Watchfire Research wrote:
Hello,

As already stated by Stelian Ene in a posting to bugtraq/webappsec (@securityfocus.com), the PayPal phishing scam presented below exploits a well-known redirection phishing trick via Google's redirection script. It is important to mention that, unlike what is stated in http://castlecops.com/article-6460-nested-0-0.html, the attack is not based on the Cross-Site Scripting vulnerability which was recently detected and published by Watchfire in Google's website (http://www.securiteam.com/securitynews/6Z00L0AEUE.html).

Best regards,
Yair Amit
Security team
Watchfire (Israel) Ltd.

-----Original Message-----
From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com]
Sent: Wednesday, January 11, 2006 2:18 PM
To: websecurity () webappsec org
Cc: zx () castlecops com
Subject: [WEB SECURITY] Web Hacking Incident: PayPal Phishing Site Exploits Google XSS Vulnerability

Since Paul missed our list, I'm forwarding his very interesting e-mail regarding a Google XSS vulnerability exploited for phishing.

~ Ofer

-----Original Message-----
From: Paul Laudanski [mailto:zx () castlecops com]
Sent: Wednesday, January 11, 2006 7:52 AM
To: bugtraq () securityfocus com; vuln () secunia com; webappsec () securityfocus com
Cc: reportphishing () antiphishing org
Subject: PayPal Phishing Site Exploits Google XSS Vulnerability

There is a new PayPal phishing site that is crafty and cunning in attempting to hide its true address from the surfer. Unsuspecting users might fall for this devious trickery. It is through a Google XSS attack that the phishing site begins its lure and deception of the surfer.
Read full details and watch the entire captured video of this scam here:
http://castlecops.com/a6460-PayPal_Phishing_Site_Exploits_Google_XSS_Vulnerability.html
( short: http://castlecops.com/article-6460-nested-0-0.html )

--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
---------------------------------------------------------------------
-R
http://ha.ckers.org/xss.html
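The redirect scripts RSnake lists all take their destination from a query parameter and issue the redirect unchecked. As an added example (not code from anyone in this thread), the Python below puts that open pattern beside an allowlist-based validator a site could use instead, and adds a small checker that flags such redirector URLs in, say, proxy or mail-gateway logs; ALLOWED_HOSTS, REDIRECT_PARAMS and all function names are constructed for this example.

```python
from urllib.parse import urlparse, parse_qs

# Hosts this hypothetical site is willing to send users to (constructed).
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}

# Query parameters the thread's redirectors read the destination from.
REDIRECT_PARAMS = ("q", "url", "imgrefurl")


def open_redirect_target(query_string):
    """Weak pattern: whatever 'q' says is where the 302 goes (as in the thread)."""
    params = parse_qs(query_string)
    return params.get("q", [None])[0]


def _is_local_path(target):
    """True only for a plain same-site path: no scheme, no host, no '//' or backslash tricks."""
    p = urlparse(target)
    return (p.scheme == "" and p.netloc == "" and target.startswith("/")
            and not target.startswith("//") and "\\" not in target)


def safe_redirect_target(query_string, fallback="/"):
    """Hardened pattern: accept a local path or an allow-listed http(s) host, else fall back."""
    target = open_redirect_target(query_string)
    if not target:
        return fallback
    if _is_local_path(target):
        return target
    p = urlparse(target)
    if p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS:
        return target
    return fallback


def external_redirect_hosts(url):
    """Detection helper: hostnames named in redirect parameters that differ from the URL's own host.

    A non-empty result means the link bounces the user off-site, the pattern the thread describes.
    """
    u = urlparse(url)
    params = parse_qs(u.query)
    hosts = []
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            h = urlparse(value).hostname
            if h and h != u.hostname:
                hosts.append(h)
    return hosts
```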