FOUND: COELACANTH: Phreak Phishing Expedition

• Previous message: http-equiv_at_excite.com: "Notes: COELACANTH: Phreak Phishing Expedition"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 11 Jun 2004 01:03:47 -0000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

From the original discover, 'bitlance winter' one big fat
coelacanth:

<a href="http://www.malware.com%2F redir=www.e-gold.com">test</a>

"i guess that this issue is not e-gold's BUG,
IE6 and Opera7.51 is vulnerable.

Some server's DNS allow magic number subdomainname.
the server allow ,
www.site.tld
wwwww.site.tld
wwwwwwwwwwww.site.tld
www www.site.tld
wwwURLEncodecharcterswww.site.tld
when the server allows URLEncodecharacters
evil attackers can fake victim users who use Opera and IE .

the attacker will make their DNS
*.evilsite.tld IN A 333.333.333.333

using this DNS,
victim's IE can shows victim
http://w.evilsite.tld
http://wwwwwwwwwwwwwwwwwww.evilsite.tld

and then,
attacker makes an evil link as
http://www.microsoft.com [malicious falke char$] evilsite.tld

and then, attacker set tricks
Bugtraq: Stupid Phishing Tricks (you find it)

victim user will input his userID and password.

I guess many server's DNS allow
*.evilsite.tld IN A 333.333.333.333
because they use magicnumber SSL cert.
Attacker can use this method."

--
http://www.malware.com
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
-----

• Previous message: http-equiv_at_excite.com: "Notes: COELACANTH: Phreak Phishing Expedition"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]