Full Disclosure mailing list archives
Re: Paypal Phishing Again
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 06 May 2005 00:43:39 +1200
Jeremy Heslop wrote: <<snip>>
:) Like some others have pointed out on this list (or Bugtraq) they are priming the pump so to speak by sending out alot of legit looking Paypal emails so that people get used to them coming. Then they will start sending more emails with redirected/phished links contained instead of the real ones. Just my "not worth much" 2 cents.
Huh??? You didn't look too closely at that one did you? When rendered in an HTML-capable MUA, the message has a link or button that looks as if it takes you to the (once) "legitimate" Paypal login page at: https://www.paypal.com/cgi-bin/webscr?cmd=_update In reality, clicking that link led to a now long-closed page (this particular phish was spammed nearly three weeks ago) hosted at netfirms.com via a triple redirection (Yahoo! to Google to Yahoo! to netfirms) cleverly constructed with HTML form submission logic so that the full URL is not actually present in one piece in the HTML code. (It also uses some further obfuscation of parts of the URL by inserting entity-encoded HTML white-space characters.) So, your take that this was a "non-malicious" phishing precursor is quite wrong. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3267092 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Paypal Phishing Again Jason Weisberger (May 04)
- Re: Paypal Phishing Again Nick FitzGerald (May 05)
- Re: Paypal Phishing Again Jeremy Heslop (May 05)
- Re: Paypal Phishing Again Nick FitzGerald (May 05)
- Re: Paypal Phishing Again Valdis . Kletnieks (May 05)
- Re: Paypal Phishing Again Nick FitzGerald (May 05)
- Re: Paypal Phishing Again Mike Mohr (May 07)
- <Possible follow-ups>
- RE: Paypal Phishing Again Todd Towles (May 05)
- RE: Paypal Phishing Again Todd Towles (May 05)