Full Disclosure mailing list archives
Re: US Bank scam
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 16 Jun 2004 13:03:14 +1200
"Hamby, Charles D." <pfcdh1 () matsu alaska edu> wrote:
> This is a slick phishing scam, I have to admit. ...
It's been around for a month or more, so it may be slick, but it's not new... Back on 13 May Drew Copley from eEye posted the following to Bugtraq about it:

http://www.securityfocus.com/archive/1/363326
http://www.securityfocus.com/archive/1/363350

It is listed as BID 10346 at securityfocus:

http://www.securityfocus.com/bid/10346
> ... One thing I noticed though; I printed the various pages of the website out with IE to use as an example and I noticed that the real URL appeared at the bottom of each page as opposed to the bogus one. I thought that was interesting. Has anyone else noticed that this occurs with other phishing sites or is it just unique to this case?
For pity's sake -- did you not even look at the page sources to see how it works?? It slaps a fake URL window over roughly the screen area where the real URL is still displayed in the address bar. This is _NOT_ a case of "true" spoofing (in the sense that the browser is fooled -- note for one that the "https padlock" is not present; IE knows it is not at an https URL), so why would you think that IE might print the "spoofed" URL in printed headers/footers?

The spoofing here is of the social engineering type. Clearly all those who have posted to the list so far commenting how effective this is are not the types to immediately notice the horrible, and to me immediately noticeable, two or three pixel offset of the faked URL window...

Finally, this is the kind of problem that is relatively easily guarded against (though not entirely protected from) by running non-default configurations. To the extent you have the Address bar in IE positioned somewhere other than where the default location is, this "trick" becomes horribly obvious, so long as your users have the requisite clue count... (And yes, there are other ways to do this that are not so easily fooled as to show themselves by simply moving the Address bar, and these have reputedly already been used in some phishing scams -- see commentary in Drew's archived posts, linked above.)

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
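The two tells Nick points at above (a fake URL strip laid over the address-bar area, and no https padlock because the page is plain http) can both be checked mechanically from page source. The following is an added example written for this archive page, not code from the thread or from eEye's advisory. It assumes the overlay is created with a chromeless `window.open` popup positioned as a thin strip at the top of the screen (one plausible way to do what the message describes; the sample page sources and the IP address in them are constructed for the example) and flags any credential form that posts over plain http. It is a heuristic, not proof of phishing.

```python
import re

# Constructed sample page source modelled on the trick described in the thread:
# a chromeless popup (no location/toolbar) placed as a thin strip at the top of
# the screen, plus a login form posting over plain http. Not a real site.
SAMPLE_PHISH = """
<html><body onload="fakebar()">
<script>
function fakebar() {
  window.open('urlbar.html', 'bar',
      'toolbar=no,location=no,status=no,menubar=no,width=600,height=20,top=0,left=70');
}
</script>
<form action="http://198.51.100.7/login.cgi" method="post"></form>
</body></html>
"""

# Constructed benign page: an ordinary help popup and an https login form.
SAMPLE_BENIGN = """
<html><body>
<script>
function help() { window.open('help.html', 'help', 'width=400,height=300'); }
</script>
<form action="https://www.example-bank.example/login" method="post"></form>
</body></html>
"""

WINDOW_OPEN = re.compile(r"window\.open\s*\(([^)]*)\)", re.IGNORECASE | re.DOTALL)
FEATURE = re.compile(r"(\w+)\s*=\s*([\w.]+)")          # key=value pairs in the features string
FORM_ACTION = re.compile(r"<form[^>]*action\s*=\s*[\"']([^\"']+)", re.IGNORECASE)

def _num(s):
    """Parse a popup feature value as a number, or None if absent/non-numeric."""
    try:
        return float(s)
    except (TypeError, ValueError):
        return None

def analyse(html):
    """Return a list of human-readable findings for one page's source."""
    findings = []
    for m in WINDOW_OPEN.finditer(html):
        feats = {k.lower(): v.lower() for k, v in FEATURE.findall(m.group(1))}
        chromeless = feats.get("location") in ("no", "0") or feats.get("toolbar") in ("no", "0")
        top, height = _num(feats.get("top")), _num(feats.get("height"))
        # A popup with no address bar of its own, a few dozen pixels tall, pinned
        # to the top of the screen is exactly where a real address bar would sit.
        if chromeless and top is not None and top <= 40 and height is not None and height <= 40:
            findings.append("chromeless popup positioned as a thin strip at the top of the "
                            "screen (possible fake address bar)")
    for action in FORM_ACTION.findall(html):
        # No https means no padlock: the browser itself is not being fooled.
        if action.lower().startswith("http://"):
            findings.append(f"form posts over plain http (no https padlock): {action}")
    return findings

if __name__ == "__main__":
    for name, src in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(src) or ["no findings"])
```

Run on the constructed phishing sample it reports both the popup overlay and the http form action; the benign sample produces no findings. Moving the real address bar away from its default position, as Nick suggests, is the manual equivalent of the first check.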
Current thread:
- US Bank scam David Lederman (Jun 15)
- Re: US Bank scam Eric LeBlanc (Jun 15)
- RE: US Bank scam Scott Dodson (Jun 15)
- RE: US Bank scam Nick FitzGerald (Jun 15)
- <Possible follow-ups>
- Re: US Bank scam Hamby, Charles D. (Jun 15)
- Re: US Bank scam Nick FitzGerald (Jun 15)
- RE: US Bank scam Peter B. Harvey (Information Security) (Jun 15)
- RE: US Bank scam wszumera (Jun 15)