Full Disclosure mailing list archives
Re: Paypal Phishing Again
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 05 May 2005 20:14:03 +1200
Jason Weisberger wrote:
> Wasn't sure if anybody spotted this one, ...

Well, given that it's three weeks old AND that the login form this scam points to is at a now-closed Netfirms account, I'd suggest that someone (or more likely, many someones) has not only spotted it, but done something more useful about it than posting a three-week-late "heads up" to Full-Disclosure.

About the only thing of any interest in this whole example is that the open-redirectors at:

  http://rds.yahoo.com/*<URL>

and:

  http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form submission that happens when a victim clicks the "button" in the HTML Email that apparently will take them to the PayPal login page at:

  https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
  <table width="50%" cellpadding="4" cellspacing="0" border="0" bgcolor="#FFFFFF" align="center">
  <FORM target="_blank" ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
  <INPUT TYPE=HIDDEN NAME=q VALUE=http://rds.yahoo.com/*http://transfer038.netfirms.com/login/>
  <input type=submit style="color:#000080; border:solid 0px; background: #white;" value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
  </form><br> </td> </tr> </table>
-- are both still fully functional and still being abused by phishers making their obfuscated URLs look "official" or "kosher" or whatever by leveraging the good name and reputation of "respected" web presences such as Yahoo! and Google.

You'd have thought that Yahoo! and Google would be fixing those ASAP, but apparently there's some dosh at stake, so stupid, sucky, security-ignorant-to-the-detriment-of-the-rest-of-us design persists well past when it should have...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
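The analysis Nick describes (the form's GET submission wraps the real login page in two open redirectors so that the button label and the actual destination disagree) can be automated on the mail-gateway side. The following Python is an added example, not code from the post or from any of the services named; it models only the two redirector shapes quoted above (rds.yahoo.com/*<URL> and google.<TLD>/url?q=<URL>, both long since changed), decodes the quoted-printable fragment, rebuilds the URL the browser would request, unwraps the chain offline without fetching anything, and flags the mismatch between the displayed PayPal host and the final host. SAMPLE_QP is a constructed fragment modelled on the quoted form, not a capture of the original mail.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlencode, urlparse

# Constructed sample: a quoted-printable HTML fragment modelled on the form
# quoted in the post (same redirector shapes, same hidden field, same button
# label). It is not a capture of the original mail.
SAMPLE_QP = b"""<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho=
o.com/*http://www.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form>"""


class FormCollector(HTMLParser):
    """Collect the form action, its hidden fields and the submit-button label."""

    def __init__(self):
        super().__init__()
        self.action = ""
        self.hidden = {}
        self.button_label = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names, keeps values
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input":
            kind = (a.get("type") or "").lower()
            if kind == "hidden":
                self.hidden[a.get("name") or ""] = a.get("value") or ""
            elif kind == "submit":
                self.button_label = a.get("value") or ""


def unwrap_redirect(url):
    """Return the URL a known open redirector would forward to, else None.

    Only the two redirector shapes quoted in the post are modelled (assumption):
      http://rds.yahoo.com/*<URL>          target follows the first '*'
      http://www.google.<TLD>/url?q=<URL>  target is the q parameter
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host == "rds.yahoo.com" and "*" in p.path:
        return url.split("*", 1)[1]
    if re.fullmatch(r"(www\.)?google\.[a-z.]+", host) and p.path == "/url":
        q = parse_qs(p.query).get("q")
        if q:
            return unquote(q[0])
    return None


def resolve_chain(url, max_hops=10):
    """Follow redirector wrappers offline; returns every URL in the chain."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = unwrap_redirect(chain[-1])
        if nxt is None or nxt in chain:  # real target reached, or a loop
            break
        chain.append(nxt)
    return chain


def analyse_form(qp_bytes):
    """Decode a QP mail fragment, rebuild the GET submission the browser would
    make, and compare the host the button shows with the host the chain ends at."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    form = FormCollector()
    form.feed(html)
    submit_url = form.action
    if form.hidden:
        # METHOD=get: hidden fields are appended as the query string
        submit_url += "?" + urlencode(form.hidden)
    chain = resolve_chain(submit_url)
    final_host = urlparse(chain[-1]).hostname
    label = form.button_label
    displayed_host = urlparse(label).hostname if label.startswith("http") else None
    return {
        "displayed_host": displayed_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        "mismatch": displayed_host != final_host,
        "chain": chain,
    }


if __name__ == "__main__":
    for key, value in analyse_form(SAMPLE_QP).items():
        print(f"{key}: {value}")
```

Run against the sample, the button displays www.paypal.com while the chain resolves, after three hops (yahoo, google, yahoo), to the Netfirms host; that displayed-versus-final mismatch, not the mere presence of a big-name domain, is the signal worth alerting on. Redirector shapes are a moving target, so the unwrapping table is the part a gateway would keep updated.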