From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf
Of Nick FitzGerald
Sent: Thursday, May 05, 2005 3:14 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Paypal Phishing Again
Jason Weisberger wrote:
Wasn't sure if anybody spotted this one, ...
Well, given that it's three weeks old AND that the login form
this scam points to is at a now-closed Netfirms account, I'd
suggest that someone (or more likely, many someones) has not
only spotted it, but done something more useful about it than
posting a three-week-late "heads up" to Full-Disclosure.
About the only thing of any interest in this whole example is
that the open-redirectors at:
-- both of which are cunningly used in the HTML form
submission that happens when a victim clicks the "button" in
the HTML Email that apparently will take them to the PayPal
login page at:
<table width="50%" cellpadding="4"
bgcolor="#FFFFFF" align="center">
w	.google.com/url METHOD=get>
<INPUT TYPE=HIDDEN NAME=q
<input type=submit style="color:#000080; border:solid 0px;
-- are both still fully functional and still being abused by
phishers making their obfuscated URLs look "official" or
"kosher" or whatever by leveraging the good name and
reputation of "respected" web presences such as Yahoo! and Google.
You'd have thought that Yahoo! and Google would be fixing
those ASAP, but apparently there's some dosh at stake, so
persists well past when it should have...
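The form-based redirect described in the message above can be flagged on the receiving side. The following is an added example, not part of the original post: it decodes a quoted-printable HTML mail body and reports GET forms whose hidden fields carry an absolute URL for a host other than the form's action host. The function names and the sample hosts are assumptions made for illustration.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

class FormAudit(HTMLParser):
    """Collect each <form> with its action, method and hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "hidden": {},
                          "method": a.get("method", "get").lower()}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if a.get("type", "").lower() == "hidden":
                self._open["hidden"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def redirector_forms(raw_body: bytes):
    """Return (action_host, param, target_host) for every GET form that
    passes an absolute URL on a different host in a hidden field."""
    html = quopri.decodestring(raw_body).decode("latin-1")
    audit = FormAudit()
    audit.feed(html)
    hits = []
    for form in audit.forms:
        action_host = urlsplit(form["action"]).hostname
        if form["method"] != "get" or not action_host:
            continue
        for name, value in form["hidden"].items():
            target = urlsplit(value)
            if (target.scheme in ("http", "https")
                    and target.hostname not in (None, action_host)):
                hits.append((action_host, name, target.hostname))
    return hits

# Constructed sample body; the hosts are placeholders, not from the original mail.
SAMPLE = (b'<FORM ACTION=3Dhttp://redirector.example/url METHOD=3Dget>\r\n'
          b'<INPUT TYPE=3DHIDDEN NAME=3Dq VALUE=3Dhttp://login.phish.exam=\r\n'
          b'ple/signin>\r\n'
          b'<input type=3Dsubmit value=3D"Log in"></FORM>\r\n'
          b'<form action=3D"http://shop.example/search" method=3D"get">\r\n'
          b'<input type=3D"hidden" name=3D"lang" value=3D"en"></form>\r\n')
```

A hit is only a signal that the visible action host and the real destination differ; a mail filter would weigh it alongside the sender and the link text.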