Re: [Full-Disclosure] Phishing scam - Obfuscated url help please

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 01/23/04

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Phishing scam - Obfuscated url help please"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 23 Jan 2004 14:48:43 +1300

    "Zach Forsyth" <Zach.Forsyth@kiandra.com> wrote:

    > Just wondering if someone could help me work out where this url actually
    > points.
    > Or just lead me in the right direction.
    > Apologies if it has wrapped as it is quite long.
    >
    > http://www.netbank.commbank.com.au%6Clogin%6C@%36%31%2E%37%3=0%2E%31%37%
    > 35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%6=8%74%6D

    Assuming the "=" chars are present because it was c'n'p'ed from a raw
    MIME quoted-printable encoded message, you remove them (they mean "soft
    line break" in QP -- see RFC 1521, section 5.1, "Rule #5") then you
    need to undo the URL encoding, leaving the URL (will wrap):

       http://www.netbank.commbank.com.aulloginl@
       61.70.175.138:1133/login/index.htm

    The "real" URL in this is:

       http://61.70.175.138:1133/login/index.htm

    as the "@" is (incorrectly) interpreted by many browsers (most in terms
    of absolute use) as indicating the username part of the "userinfo" part
    of the generic URI scheme. Although userinfo is specifically not part
    of the HTTP protocol, it is still commonly "understood" by many
    browsers. Thus, the sub-string "www.netbank.commbank.com.aulloginl@",
    or in its encoded form "www.netbank.commbank.com.au%6Clogin%6C@", will
    be ignored by many browsers (at least it will unless the specified
    server challenges the request for "/login/index.htm" with a "user
    authentication required" or similar error).

    > Just your average phishing spam email using IE address vulns - site is
    > still live as well I believe
    > :)

    I couldn't get a connect from here a few minutes ago, but that could be
    all sorts of things...

    Regards,

    Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
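The three decoding steps Nick walks through (drop the quoted-printable soft line breaks, undo the %XX URL encoding, then read the authority with the userinfo stripped off) are easy to get wrong by hand, so here is an added example that automates them for an analyst triaging such a link. This is not code from the post or from any browser; the only input is the URL quoted above, copied as it arrived (wrapped, with the stray "=" signs), and the treatment of every "=" as a lost soft line break is the same assumption Nick makes, stated in the code.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# The obfuscated URL exactly as quoted in the post: wrapped onto two lines
# by the mail client, with "=" left over from quoted-printable soft breaks.
POSTED_URL = (
    "http://www.netbank.commbank.com.au%6Clogin%6C@%36%31%2E%37%3=0%2E%31%37%\n"
    "35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%6=8%74%6D"
)

# A QP soft line break is "=" followed by CRLF; after re-wrapping the
# newline may be gone, so the line break is optional here.
_SOFT_BREAK = re.compile(r"=\r?\n?")


def unwrap_qp(text: str) -> str:
    """Rejoin a URL copied out of a raw quoted-printable mail body.

    Assumption (same as the post's): every "=" is soft-break residue, not a
    literal character. A genuine "=" in a query string would be removed too,
    so only apply this to text known to have come from a QP-encoded message.
    Remaining bare newlines are the mail client's wrap and are joined as well.
    """
    return _SOFT_BREAK.sub("", text).replace("\r", "").replace("\n", "")


def analyse_url(raw: str) -> dict:
    """Peel the encoding layers and report where the link really goes."""
    decoded = unquote(unwrap_qp(raw))      # undo %XX URL encoding
    parts = urlsplit(decoded)
    # Everything before the last "@" in the authority is "userinfo", which
    # browsers of the day discarded; the host and port that follow are real.
    real_netloc = parts.netloc.rpartition("@")[2]
    decoy = parts.username or ""
    return {
        "decoded": decoded,
        "userinfo": decoy,
        "real_host": parts.hostname,
        "port": parts.port,
        "real_url": urlunsplit(
            (parts.scheme, real_netloc, parts.path, parts.query, parts.fragment)
        ),
        # A userinfo field that itself looks like a bank's hostname is the
        # tell that the link is impersonating another site.
        "suspicious": bool(decoy) and "." in decoy,
    }


if __name__ == "__main__":
    for key, value in analyse_url(POSTED_URL).items():
        print(f"{key:>10}: {value}")
```

Run against the quoted link it reports the decoy "www.netbank.commbank.com.aulloginl" as userinfo and "http://61.70.175.138:1133/login/index.htm" as the real destination, matching the decoding in the post. The same check is a cheap mail-gateway or proxy rule: any http(s) URL whose userinfo contains a dot deserves a closer look.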
