mailing list archives
From: toppsoft <toppsoft () yahoo com>
Date: Wed, 12 Apr 2006 08:31:25 -0400
Most of the phishing emails I get for eBay are pretty obvious. Besides
the typos and poor english, they usually link directly to arcane
websites. Today I got one that took me to a listing on eBay which
contained a login intercept. The script presents a reasonable looking
signin form, obfuscates your login and the destination url using rot-24
and sends it on to http://proxy.cheersfilms.com.tw/426006317/66728472
before submitting it to ebay.
I only find it noteworthy because I couldn't find any public information
about xss flaws or other bugs allowing js injection into ebay auction
listings and a slightly more sophisticated attack would be pretty hard
If you want to see the script, it's still up at
To see the fake signin page, you can link to http://tinyurl.com/r8ecv
which takes you to
(remove white space to link)
aiu is the URL which captures your login (rot-24)
Sucks to be coloradopackrat today.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/