mailing list archives
Re: Paypal Phishing Again
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 05 May 2005 20:14:03 +1200
Jason Weisberger wrote:
Wasn't sure if anybody spotted this one, ...
Well, given that its three weeks old AND that the login form this scam
points is at a now-closed Netfirms account, I'd suggest that someone
(or more likely, many someones) has not only spotted it, but done
something more useful about it than posting a three-week-late "heads
up" to Full-Disclosure.
About the only thing of any interest in this whole example is that the
-- both of which are cunningly used in the HTML form submission that
happens when a victim clicks the "button" in the HTML Email that
apparently will take them to the PayPal login page at:
<table width=3D"50%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
<FORM target=3D"_blank" ACTION=3Dhttp://rds.yaho
w	.google.com/url METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px; background:=
-- are both still fully functional and still being abused by phishers
making their obfuscated URLs look "official" or "kosher" or whatever by
leveraging the good name and reputation of "respected" web presences
such as Yahoo! and Google.
You'd have thought that Yahoo! and Google would being fixing those
ASAP, but apparently there's some dosh at stake, so stupid, sucky,
security-ignorant-to-the-detriment-of-the-rest-of-us design persists
well past when it should have...
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/