Advanced Paypal phish - uses faked functional address bar

[David Farber <dave () farber net>]

Begin forwarded message:

From: Stanton McCandlish <mech () well com>
Date: November 30, 2005 8:54:31 PM EST
To: David Farber <dave () farber net>
Subject: Advanced Paypal phish - uses faked functional address bar

A new phishing trick; cool, in a nefarious way:

The phisher pops a window that uses Javascript to hide your real
address toolbar, then adds a fake tool bar with a graphic and DHTML
coding, matching your browser, that looks like the original address
toolbar, with a fake but usable URL field in it, which is stocked with
the address of the legit site the phisher is masqueraded as.  So the
actual phisher site address is completely hidden, and it looks like
you're at the legit site.  Nasty.

There's the real phish at the bottom, in the quoted passage (sorry,
original headers lost, so I don't know who the initial writer was)
which you probably don't want to go to.

Immediately below is an example of how it works on a safe page:
  http://ip.securescience.net/exploits/

You have to have popup-blockers turned off for it to work.

The safe test version above only seems to fake IE6/Win address bars,
but it does so successfully in Firefox and Safari on the Mac.  I don't
think it would fool that many Mac people but the fakery is pretty
impressive with IE on WinXP, and as noted above, the live phish is
claimed to be more sophisticated in its mimickry.

> > > This is a heads up. Below you'll find a new and sophisticated  
> > > Paypal scam.
> > >
> > > It uses a google redirector to mask where it goes, but that is
> > certainly not
> > > the advanced stuff :-)
> > >
> > > The complete URL is:
> > > http://www.google.pt/url?sa=U&start=4&q=http://dns1.n- 
> > > kiso.co.jp/.checking/.
> > > www.paypal.com/index.php
> > >
> > > Which goes to:
> > > http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php
> > >
> > > When the link "Click here to go to our main page "
> > >
> > > It will open a javascript: "java script: Start('sysdll.Php')"
> > >
> > > When opened it will construct the fraudulent website according to  
> > > your
> > > default browser.
> > >
> > > I've tested with:
> > >
> > > - Firefox
> > > - Internet Explorer
> > > - Opera
> > >
> > > All latest versions with all relevant patches.
> > >
> > > The fake adressbar used may trick someone into thinking that they  
> > > are
> > > actually on https://www.paypal.com. Watch and observe. This is
> > indeed tricky
> > > done.
> >
> > Although - some popup blockers should block this I would think. The
> > trick is similar to http://ip.securescience.net/exploits/ so it  
> > creates
> > an address bar using a pop-up controller and you just draw the  
> > image of
> > the address bar. This is one of the first ones I've seen that has  
> > been
> > done quite a bit better than the other ones that have attempted it.
> > Their aim was off so it looked terrible.



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/