SECURE SOCKETS LAYER COELACANTH: Phreak Phishing Expedition

http-equiv_at_excite.com
Date: 06/11/04

  • Next message: Benjamin Franz: "Re: COELACANTH: Phreak Phishing Expedition]" 
    Date:         Fri, 11 Jun 2004 21:00:55 -0000
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    We wrap this up with a full-on ssl site spoof. It seems limited
    how far you can 'shove' the real domain out of the way, but just
    enough to make it convincing so we adapt the window to 'cover'
    it up. Interestingly [with apologies to e-gold for playing with
    their site], they have a secured connection [ignore the warning]
    which gives us our https, our little golden 'safe' padlock and
    most interestingly, all the links inside the site function and
    show the spoofed address:

    http://www.malware.com/gutted.html

    couple all that with the absurd ability to trick Internet
    Explorer into believing it is in a 'trusted zone' by inserting
    whatever gibberish you want into the fake link regardless of the
    actual domain, and you have the catch of the day.

    Big thanks to Drew Copley for whacking the sucker on the head,
    Brett Moore for correctly pointing out that it can be achieved
    without the 'redir' thing as well being able to stuff it with
    anything else you want and expedition leader: 'bitlance winter'
    who sighted it, tracked it, snagged it and reeled it in.

    End Call 

    --
http://www.malware.com
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
-----
  • Next message: Benjamin Franz: "Re: COELACANTH: Phreak Phishing Expedition]"

    Relevant Pages