[Full-Disclosure] New phishing trick?

From: Jeff Kell (jeff-kell_at_utc.edu)
Date: 01/17/05

  • Next message: Vincent Archer: "Re: [Full-Disclosure] Illegal mind control is coming to the USA, black helicopters"
    Date: Mon, 17 Jan 2005 12:36:31 -0500
    To: full-disclosure@lists.netsys.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Here's one I don't recall seeing before... very good looking eBay
    phishing notice (can supply full text if anyone wants, but I'll keep
    this to the interesting part) with the "money shot" URL consisting of
    the following link:

    | <p align="justify"><font face="Verdana" size="1">Click below to
    | continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a
    |
    title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%..."
    |
    href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update">
    |
    https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%...></font></tr>

    The "displayed" anchor is https:// and directed at eBay (no surprise)
    but the real URL really does go to eBay to a cgi that does a redirect to
    the phishing site, with the target of the redirect appearing at the
    extreme end of the URL (might have been a little better if obfuscated by
    escaped unicoding or similar, but it's plaintext).

    eBay may have tweaked the redirecting cgi by now, but when I checked it
    last night it worked (as a general redirect, I didn't examine the
    phishing site target itself).

    Jeff
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (MingW32)

    iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj
    V/jt6jY+dd9P5WC1gPbaxLs=
    =gA3c
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter:
    http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Vincent Archer: "Re: [Full-Disclosure] Illegal mind control is coming to the USA, black helicopters"

    Relevant Pages

    • Re: [Full-Disclosure] New phishing trick?
      ... > Here's one I don't recall seeing before... ... > phishing notice (can supply full text if anyone wants, ... > but the real URL really does go to eBay to a cgi that does a redirect to ...
      (Full-Disclosure)
    • Ebay phishing has got more sophisticated
      ... During the course of my work I found a customer running an Ebay phishing ... We get a LOT of phishing scams on our network but they are mainly caused by ... customers running phishing ...
      (uk.people.consumers.ebay)
    • Re: WARNING
      ... >>> I just received a new phishing message disguised as a notice from Ebay ... check your Ebay account directly. ... They keep threatening to disable ...
      (rec.music.classical.recordings)
    • Re: OT--Uh...oh..have I been suckered??
      ... I don't think that those types of attacks usually involve planting malware, they are after ID & password information. ... The email I got claimed to be from an Ebay user who was going to leave me negative feedback on some product. ... I still can't believe I even started to fall for this (I pride myself on not opening email attachments and recognizing all these phishing attempts). ... When you clicked on "reply", you entered what you THOUGHT was, and what LOOKED like, the E-Bay site to send a reply. ...
      (alt.sys.pc-clone.dell)
    • Re: PayPal: Steer clear of Safari
      ... As for not falling for Phishing, good spam filters are very helpful, ... you want to look at your bank, paypal or any other of the financial ... seeming to come from Paypal and its parent eBay, ... even the banks don't send out mail saying check this or ...
      (comp.sys.mac.apps)