Re: [Full-Disclosure] New phishing trick?

From: Steve Kudlak (stevex11_at_sbcglobal.net)
Date: 01/21/05

  • Next message: Carlos Ulver: "[Full-Disclosure] Netscape Overflow."
    Date: Fri, 21 Jan 2005 08:12:43 -0800
    To: Jeff Kell <jeff-kell@utc.edu>
    
    

    Jeff Kell wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Here's one I don't recall seeing before... very good looking eBay
    > phishing notice (can supply full text if anyone wants, but I'll keep
    > this to the interesting part) with the "money shot" URL consisting of
    > the following link:
    >
    > | <p align="justify"><font face="Verdana" size="1">Click below to
    > | continue :</font></p> <p align="left"><font face="Verdana" size="1"> <a
    > |
    > title="https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%..."
    >
    > |
    > href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://64.28.111.71/update">
    >
    > |
    > https://arribada.ebay.com/saw-cgi/eBayISAPI.dll?PlaceCCInfo&amp;page=0%...></font></tr>
    >
    >
    > The "displayed" anchor is https:// and directed at eBay (no surprise)
    > but the real URL really does go to eBay to a cgi that does a redirect to
    > the phishing site, with the target of the redirect appearing at the
    > extreme end of the URL (might have been a little better if obfuscated by
    > escaped unicoding or similar, but it's plaintext).
    >
    > eBay may have tweaked the redirecting cgi by now, but when I checked it
    > last night it worked (as a general redirect, I didn't examine the
    > phishing site target itself).
    >
    > Jeff
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.4.0 (MingW32)
    >
    > iD8DBQFB6/efot2VatFbXMERAhOUAJ4xuKIJh3IiNVKi2kvd036uNgScqQCeKPzj
    > V/jt6jY+dd9P5WC1gPbaxLs=
    > =gA3c
    > -----END PGP SIGNATURE-----
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:
    http://lists.netsys.com/full-disclosure-charter.html
    >
    Yeah I got this one. Seeing as I have never had a dealing with ebay
    there was no way any
    account I had with them was nor about to try to correct anything. I did
    as of late get some
    strange phone calls from a number of companies claiming I was in arrears
    on all sorts of things.
    Only one valid, something had got mailed late. But I thought phising
    only worked by email
    when the person up to the nasty trick could do it and dissappear, but
    that it didn't work by
    phone, because I assume one has to have some bona fides with some bank
    or clearing house
    to do this..

    Have Fun,
    Sends Steve

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Carlos Ulver: "[Full-Disclosure] Netscape Overflow."