Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Paypal Phishing Again
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 05 May 2005 20:14:03 +1200

Jason Weisberger wrote:

Wasn't sure if anybody spotted this one, ...

Well, given that its three weeks old AND that the login form this scam 
points is at a now-closed Netfirms account, I'd suggest that someone 
(or more likely, many someones) has not only spotted it, but done 
something more useful about it than posting a three-week-late "heads 
up" to Full-Disclosure.

About the only thing of any interest in this whole example is that the 
open-redirectors at:

   http://rds.yahoo.com/*<URL>

and:

   http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form submission that 
happens when a victim clicks the "button" in the HTML Email that 
apparently will take them to the PayPal login page at:

   https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
      <table width=3D"50%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
olor=3D"#FFFFFF" align=3D"center">
                      <FORM target=3D"_blank"  ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url  METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px; background:=
#white;" value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form><br>
</td>
              </tr>
      </table>

-- are both still fully functional and still being abused by phishers 
making their obfuscated URLs look "official" or "kosher" or whatever by 
leveraging the good name and reputation of "respected" web presences 
such as Yahoo! and Google.  

You'd have thought that Yahoo! and Google would being fixing those 
ASAP, but apparently there's some dosh at stake, so stupid, sucky, 
security-ignorant-to-the-detriment-of-the-rest-of-us design persists 
well past when it should have...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]