Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Paypal Phishing Again
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 5 May 2005 09:25:49 -0500

Hey Nick,

I have been seeing a lot of e-mail from random address with a body like
the following

-----------------------------
"Hey, I tried to send a message to this address but it was bocked. Is
there a e-mail file size limit?"

Oman 
-----------------------------

Looks like DHAs, pretending to be more real, then the normal one word
body and one word title.

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk 
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
Of Nick FitzGerald
Sent: Thursday, May 05, 2005 3:14 AM
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Paypal Phishing Again

Jason Weisberger wrote:

Wasn't sure if anybody spotted this one, ...

Well, given that its three weeks old AND that the login form 
this scam points is at a now-closed Netfirms account, I'd 
suggest that someone (or more likely, many someones) has not 
only spotted it, but done something more useful about it than 
posting a three-week-late "heads up" to Full-Disclosure.

About the only thing of any interest in this whole example is 
that the open-redirectors at:

   http://rds.yahoo.com/*<URL>

and:

   http://www.google.<TLD>/url?<stuff>

-- both of which are cunningly used in the HTML form 
submission that happens when a victim clicks the "button" in 
the HTML Email that apparently will take them to the PayPal 
login page at:

   https://www.paypal.com/cgi-bin/webscr?cmd=_update

<<snip>>
    <table width=3D"50%" cellpadding=3D"4" 
cellspacing=3D"0" border=3D"0" 
bgc= olor=3D"#FFFFFF" align=3D"center">
                    <FORM target=3D"_blank"  
ACTION=3Dhttp://rds.yaho&#010;o.com/*http://ww=
w&#009;.google.com/url  METHOD=3Dget>
<INPUT TYPE=3DHIDDEN NAME=3Dq 
VALUE=3Dhttp://rds.yahoo.com/*http://transfe=
r038.netfirms.com/login/>
<input type=3Dsubmit style=3D"color:#000080; border:solid 0px; 
background:= #white;" 
value=3Dhttps://www.paypal.com/cgi-bin/webscr?cmd=3D_update>
</form><br>
</td>
            </tr>
    </table>

-- are both still fully functional and still being abused by 
phishers making their obfuscated URLs look "official" or 
"kosher" or whatever by leveraging the good name and 
reputation of "respected" web presences such as Yahoo! and Google.  

You'd have thought that Yahoo! and Google would being fixing 
those ASAP, but apparently there's some dosh at stake, so 
stupid, sucky, 
security-ignorant-to-the-detriment-of-the-rest-of-us design 
persists well past when it should have...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault