Re: Phishing attack. Basic encoding

[Brian Johnson <brian.l.johnson () gmail com>]

I was forwarded a very similiar message late last week.

When I loaded the page in IE it brought up the homepage of the domain
being phished and and a pop up window with a captcha image.  Some more
analysis of the page showed that the image was being pulled from a
Russian email site while the rest of the pop up from a host in
Germany.

I was unable to locate any exploit code and it never asked me for
actual credentials so it is my belief this is an attempt to get people
to decode captcha images so that some phishers/spammers can create
email accounts.

On 11/13/05, Peter Harvey <peter.harvey () gmail com> wrote:
> I have had a number of reports of messages targetting users on domains
> for their credentials.
> The interesting part of this message is the very basic but effective
> encoding of the message. It appears that there are a couple of
> characters that instruct the mail program to display the characters in
> the reverse order.
>
> An example is attached. This appears to be random in the characters
> reversed based on a number of examples forwarded. I would say this is
> a simple yet effective way of bypassing signature based filters.
>
> They also appear to be bouncing through Google to the compromised
> website for phishing credentials. I am guessing it is phishing as the
> websites that I have seen were unavailable at the time.
>
> --
> Peter
> --
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/