Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Paypal Phishing Again
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 06 May 2005 00:43:39 +1200

Jeremy Heslop wrote:

:) Like some others have pointed out on this list (or Bugtraq) they are
priming the pump so to speak by sending out alot of legit looking Paypal
emails so that people get used to them coming. Then they will start
sending more emails with redirected/phished links contained instead of
the real ones.  Just my "not worth much" 2 cents.


You didn't look too closely at that one did you?

When rendered in an HTML-capable MUA, the message has a link or button 
that looks as if it takes you to the (once) "legitimate" Paypal login 
page at:


In reality, clicking that link led to a now long-closed page (this 
particular phish was spammed nearly three weeks ago) hosted at 
netfirms.com via a triple redirection (Yahoo! to Google to Yahoo! to 
netfirms) cleverly constructed with HTML form submission logic so that 
the full URL is not actually present in one piece in the HTML code.  
(It also uses some further obfuscation of parts of the URL by inserting 
entity-encoded HTML white-space characters.)

So, your take that this was a "non-malicious" phishing precursor is 
quite wrong.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]