Full Disclosure mailing list archives

FOUND: COELACANTH: Phreak Phishing Expedition

From: "http-equiv () excite com" <1 () malware com>
Date: Fri, 11 Jun 2004 01:03:05 -0000

From the original discover, 'bitlance winter' one big fat

coelacanth:

<a href="http://www.malware.com%2F redir=www.e-gold.com">test</a>

"i guess that this issue is not e-gold's BUG,
IE6 and Opera7.51 is vulnerable.

Some server's DNS allow magic number subdomainname.
the server allow ,
www.site.tld
wwwww.site.tld
wwwwwwwwwwww.site.tld
www   www.site.tld
wwwURLEncodecharcterswww.site.tld
when the server allows URLEncodecharacters 
evil attackers can fake victim users who use Opera and IE .

the attacker will make their DNS
*.evilsite.tld IN A 333.333.333.333

using this DNS,
victim's IE can shows victim
http://w.evilsite.tld
http://wwwwwwwwwwwwwwwwwww.evilsite.tld

and then,
attacker makes an evil link as 
http://www.microsoft.com [malicious falke char$]  evilsite.tld

and then, attacker set tricks
Bugtraq: Stupid Phishing Tricks (you find it)

victim user will input his userID and password.

I guess many server's DNS allow 
*.evilsite.tld IN A 333.333.333.333
because they use magicnumber SSL cert.
Attacker can use this method."

 
-- 
http://www.malware.com













_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

FOUND: COELACANTH: Phreak Phishing Expedition http-equiv () excite com (Jun 10)
- Re: FOUND: COELACANTH: Phreak Phishing Expedition Juergen Schmidt (Jun 14)