mailing list archives
Re: phishing sites examples "source code"
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 20 Feb 2007 10:05:17 +1300
Juergen Fiedler to Andres Riancho:
For a research i'm doing I need a somehow "big"(around 100 would be
nice...) amount of phishing sites html code . ....
What kind of research?
Where? Under whose/what's guidance?
Seems unlikley to me that you would have both a genuine "need" for such
stuff _AND NOT_ the ready means of obtaining it...
... I have googled for them but
I only get a lot of screenshots of those sites, not the actual code.
Anyone has an idea of where I could get those sites html ?
Keep in mind that the HTML is most likely directly lifted from the
site that the phishers are spoofing - the only thing that changes is
the action for the login form; you can't readily get to the source
code for the form action because it is done in some sort of server
side scripting (CGI, PHP, ASP, whatever...) that can't readily be
viewed from the client side.
Yep, except for the occasional phish where they simply use some
stupidly "vulnerable" mail script which takes all its "instructions" as
parameters to the script URL, or the phishers are such noobs/lusers
that they rolled their own similar script, and then everything you
really "need" is probably in the HTML.
Such sites though are increasingly rare, I think, though there was
something of an "outbreak" of this technique late last year, it seems
to faded into near total oblivion again...
That said, I have run into one or two phishers who compromise a site
(or create a throwaway site themselves), upload their scripts in a
tarball, install them - and then leave the tarball around for
posterity to analyze. I kid you not.
I'm sure there are a deal more than "one or two" such sites, but
because you cannot see the existence of those files without having more
privileged access (either direct or indirect through some hosting amin
firing copies your way) you can't know they are there.
Less common, but still far from unheard of, is a similar situation
where the compromised (or ill-configured) server has directory indexing
enabled, and you can simply discover the existence of such files
through using a little address-bar editing fu. I probably see
something like 5-10 such sites a week and I seldom have time to look so
closely at all the (likely) phish I receive in a day.
Unfortunately, the only good way to get to that source code is by
asking the administrator of a compromised site whether they found
anything that they would be willing to share; ...
Of course, that applies equally whether the perp left a copy of the
nicely archived contents or not...
... going in and poking
around yourself may put you into a legal position that you'd rather
not be in.
...and even index-trawling as suggested above and/or guessing "obvious"
non-public URLs has been deeemed dubious through outright illegal in at
least some jurisdictions.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/