Re: phishing sites examples "source code"

[Nick FitzGerald <nick () virus-l demon co uk>]

Juergen Fiedler to Andres Riancho:

> >        For a research i'm doing I need a somehow "big"(around 100 would be
> >    nice...) amount of phishing sites html code .  ....

What kind of research?

Where?  Under whose/what's guidance?

Seems unlikley to me that you would have both a genuine "need" for such 
stuff _AND NOT_ the ready means of obtaining it...

> > ...  I have googled for them but
> >    I only get a lot of screenshots of those sites, not the actual code.
> >    Anyone has an idea of where I could get those sites html ?
>
> Keep in mind that the HTML is most likely directly lifted from the
> site that the phishers are spoofing - the only thing that changes is
> the action for the login form; you can't readily get to the source
> code for the form action because it is done in some sort of server
> side scripting (CGI, PHP, ASP, whatever...) that can't readily be
> viewed from the client side.

Yep, except for the occasional phish where they simply use some 
stupidly "vulnerable" mail script which takes all its "instructions" as 
parameters to the script URL, or the phishers are such noobs/lusers 
that they rolled their own similar script, and then everything you 
really "need" is probably in the HTML.

Such sites though are increasingly rare, I think, though there was 
something of an "outbreak" of this technique late last year, it seems 
to faded into near total oblivion again...

> That said, I have run into one or two phishers who compromise a site
> (or create a throwaway site themselves), upload their scripts in a
> tarball, install them - and then leave the tarball around for
> posterity to analyze. I kid you not.

I'm sure there are a deal more than "one or two" such sites, but 
because you cannot see the existence of those files without having more 
privileged access (either direct or indirect through some hosting amin 
firing copies your way) you can't know they are there.

Less common, but still far from unheard of, is a similar situation 
where the compromised (or ill-configured) server has directory indexing 
enabled, and you can simply discover the existence of such files 
through using a little address-bar editing fu.  I probably see 
something like 5-10 such sites a week and I seldom have time to look so 
closely at all the (likely) phish I receive in a day.

> Unfortunately, the only good way to get to that source code is by
> asking the administrator of a compromised site whether they found
> anything that they would be willing to share; ...

Of course, that applies equally whether the perp left a copy of the 
nicely archived contents or not...

> ... going in and poking
> around yourself may put you into a legal position that you'd rather
> not be in.

...and even index-trawling as suggested above and/or guessing "obvious" 
non-public URLs has been deeemed dubious through outright illegal in at 
least some jurisdictions.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/