WebApp Sec mailing list archives
RE: Phishing
From: Adam Lydick <lydickaw () ruffledpenguin org>
Date: Thu, 13 May 2004 21:55:17 -0700
On Wed, 2004-05-12 at 17:26 +0100, Griffiths, Ian wrote:
> Some good ideas there Rogan. I too feel educating users is a large part of this, but how far can you go? Consider this (fictitious) URL:
>
> https://secure.bank.com:/logon/12345 () nefarious fraud net/
>
> Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works; spotting this takes more than a passing exposure to knowledge of URL composition.
>
> Ian
<chop previous message>

I believe that is *not* a valid URL. It happens to work in many browsers, but it should not (both to make social engineering more difficult and for RFC compliance). Check out the bugtraq archives for some more detailed discussion about this issue. (The gist of it is: while the generic description of URLs in an earlier RFC allows for "user@", the use of it is on a protocol-by-protocol basis, and HTTP URLs do not permit its use.)

Adam Lydick
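An added check, not part of this thread, showing how a defender can work out which host a URL of this shape actually names: the authority ends at the first "/", and the host is whatever follows the last "@" inside that authority, so the position of the "@" decides everything. The sample URLs are constructed for illustration; the code uses Python's standard urllib.parse.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the thread). The first puts the
# trusted-looking name in the userinfo slot before "@"; the last puts the
# "@" after the first "/", so it lands in the path and changes nothing.
SAMPLE_URLS = [
    "https://secure.bank.com@nefarious.fraud.net/logon/12345",
    "https://secure.bank.com/logon/12345",
    "https://secure.bank.com:/logon/12345@nefarious.fraud.net/",
]


def analyse_url(url: str) -> dict:
    """Report the host a parser will connect to and whether the URL
    carries userinfo ("user@") in an http/https authority, a form the
    HTTP URL syntax does not define and that is used to disguise hosts."""
    parts = urlsplit(url)
    # urlsplit stops the authority at the first "/", so netloc never
    # contains path characters; an "@" later in the URL is path data.
    userinfo, sep, _ = parts.netloc.rpartition("@")
    has_userinfo = bool(sep)
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo if has_userinfo else None,
        "real_host": parts.hostname or "",   # host after the last "@", lowercased
        "at_in_path": "@" in parts.path,     # "@" that a reader may mistake for userinfo
        "deceptive": has_userinfo and parts.scheme in ("http", "https"),
    }


def deceptive_urls(urls) -> list:
    """Filter a list of URLs down to those with userinfo in an http(s) authority."""
    return [u for u in urls if analyse_url(u)["deceptive"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = analyse_url(u)
        print(f"{u}\n  connects to: {info['real_host']}  deceptive: {info['deceptive']}")
```

Running it shows that only the first sample reaches nefarious.fraud.net; the third, despite containing that name, connects to secure.bank.com because its "@" sits in the path.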