Full Disclosure mailing list archives
Re: New phishing trick?
From: Steve Kudlak <stevex11 () sbcglobal net>
Date: Fri, 21 Jan 2005 08:12:43 -0800
Jeff Kell wrote:
Yeah I got this one. Seeing as I have never had a dealing with ebay there was no way any account I had with them was nor about to try to correct anything. I did as of late get some strange phone calls from a number of companies claiming I was in arrears on all sorts of things. Only one valid, something had got mailed late. But I thought phising only worked by email when the person up to the nasty trick could do it and dissappear, but that it didn't work by phone, because I assume one has to have some bona fides with some bank or clearing house-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here's one I don't recall seeing before... very good looking eBay phishing notice (can supply full text if anyone wants, but I'll keep this to the interesting part) with the "money shot" URL consisting of the following link: | <p align="justify"><font face="Verdana" size="1">Click below to | continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a |title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%...";|href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update";>|https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&page=0%...</a></font></tr>The "displayed" anchor is https:// and directed at eBay (no surprise) but the real URL really does go to eBay to a cgi that does a redirect to the phishing site, with the target of the redirect appearing at the extreme end of the URL (might have been a little better if obfuscated by escaped unicoding or similar, but it's plaintext). eBay may have tweaked the redirecting cgi by now, but when I checked it last night it worked (as a general redirect, I didn't examine the phishing site target itself). Jeff -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj V/jt6jY+dd9P5WC1gPbaxLs= =gA3c -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
to do this.. Have Fun, Sends Steve _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New phishing trick? Jeff Kell (Jan 17)
- Re: New phishing trick? Steve Kudlak (Jan 21)