RE: Paypal Phishing Again

["Todd Towles" <toddtowles () brookshires com>]

Hey Nick,

I have been seeing a lot of e-mail from random address with a body like
the following

-----------------------------
"Hey, I tried to send a message to this address but it was bocked. Is
there a e-mail file size limit?"

Oman 
-----------------------------

Looks like DHAs, pretending to be more real, then the normal one word
body and one word title.

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk 
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
> Of Nick FitzGerald
> Sent: Thursday, May 05, 2005 3:14 AM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Paypal Phishing Again
>
> Jason Weisberger wrote:
>
> > Wasn't sure if anybody spotted this one, ...
>
> Well, given that its three weeks old AND that the login form 
> this scam points is at a now-closed Netfirms account, I'd 
> suggest that someone (or more likely, many someones) has not 
> only spotted it, but done something more useful about it than 
> posting a three-week-late "heads up" to Full-Disclosure.
>
> About the only thing of any interest in this whole example is 
> that the open-redirectors at:
>
>    http://rds.yahoo.com/*<URL>
>
> and:
>
>    http://www.google.<TLD>/url?<stuff>
>
> -- both of which are cunningly used in the HTML form 
> submission that happens when a victim clicks the "button" in 
> the HTML Email that apparently will take them to the PayPal 
> login page at:
>
>    https://www.paypal.com/cgi-bin/webscr?cmd=_update
>
> <<snip>>
> >     <table width=3D"50%" cellpadding=3D"4" 
> cellspacing=3D"0" border=3D"0" 
> > bgc= olor=3D"#FFFFFF" align=3D"center">
> >                     <FORM target=3D"_blank"  
> > ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
> > w&#009;.google.com/url  METHOD=3Dget>
> > <INPUT TYPE=3DHIDDEN NAME=3Dq 
> > VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
> > r038.netfirms.com/login/>
> > <input type=3Dsubmit style=3D"color:#000080; border:solid 0px; 
> > background:= #white;" 
> > value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
> > </form><br>
> > </td>
> >             </tr>
> >     </table>
>
> -- are both still fully functional and still being abused by 
> phishers making their obfuscated URLs look "official" or 
> "kosher" or whatever by leveraging the good name and 
> reputation of "respected" web presences such as Yahoo! and Google.  
>
> You'd have thought that Yahoo! and Google would being fixing 
> those ASAP, but apparently there's some dosh at stake, so 
> stupid, sucky, 
> security-ignorant-to-the-detriment-of-the-rest-of-us design 
> persists well past when it should have...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/