Full Disclosure mailing list archives
Re: Phishing scam - Obfuscated url help please
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 23 Jan 2004 14:48:43 +1300
"Zach Forsyth" <Zach.Forsyth () kiandra com> wrote:
Just wondering if someone could help me work out where this url actually points. Or just lead me in the right direction. Apologies if it has wrapped as it is quiet long. http://www.netbank.commbank.com.au%6Clogin%6C@%36%31%2E%37%3=0%2E%31%37% 35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%6=8%74%6D
Assuming the "=" chars are present because it was c'n'p'ed from a raw MIME quoted-printable encoded message, you remove them (they mean "soft line break" in QP -- see RFC 1521, section 5.1, "Rule #5") then you need to undo the URL encoding, leaving the URL (will wrap): http://www.netbank.commbank.com.aulloginl@ 61.70.175.138:1133/login/index.htm The "real" URL in this is: http://61.70.175.138:1133/login/index.htm as the "@" is (incorrectly) interpreted by many browsers (most in terms of absolute use) as indicating the username part of the "userinfo" part of the generic URI scheme. Although userinfo is specifically not part of the HTTP protocol, it is still commonly "understood" by many browsers. Thus, the sub-string "www.netbank.commbank.com.aulloginl@", or in its encoded form "www.netbank.commbank.com.au%6Clogin%6C@", will be ignored by many browsers (at least it will unless the specified server challenges the request for "/login/index.htm" with a "user authentication required" or similar error.
Just your average phishing spam email using IE address vulns - site is still live as well I believe :)
I couldn't get a connect from here a few minutes ago, but that could be all sorts of things... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Phishing scam - Obfuscated url help please Zach Forsyth (Jan 22)
- Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 22)
- Re: Phishing scam - Obfuscated url help please Valdis . Kletnieks (Jan 22)
- Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 23)
- Re: Phishing scam - Obfuscated url help please Valdis . Kletnieks (Jan 22)
- Re: Phishing scam - Obfuscated url help please Matthias Benkmann (Jan 23)
- Re: Phishing scam - Obfuscated url help please Gadi Evron (Jan 23)
- Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 23)
- Re: Phishing scam - Obfuscated url help please Gadi Evron (Jan 23)
- Re: Phishing scam - yet another Paypal phishing scam! Tobias Weisserth (Jan 24)
- Re: Phishing scam - yet another Paypal phishing scam! Valdis . Kletnieks (Jan 24)
- RE: Phishing scam - yet another Paypal phishingscam! Bill Royds (Jan 24)
- RE: Phishing scam - yet another Paypal phishingscam! Tobias Weisserth (Jan 25)
- <Possible follow-ups>
- RE: Phishing scam - Obfuscated url help please Leif Sawyer (Jan 22)
- Re: Phishing scam - Obfuscated url help please Nick FitzGerald (Jan 22)