Re: Social Engineering Website (URL obfuscation/hiding)

From: Martin Mačok (
Date: 01/10/04

  • Next message: n30: "Auditing / Logging"
    Date: Sat, 10 Jan 2004 08:59:16 +0100

    On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:

    > As a last note, we'd need to get people to go there. Making it look
    > legit would be good. (i.e. use the %00 IE exploit to make the URL
    > look like it's internal and make the site look like their own) Any
    > techniques or message styles you've used and had success with?

     - send the trojan code in an email attachment with a good old
       something.JPG.scr trick (if you can go to them, they don't have to
       go to you)
       - some content filters disallow .scr, so try .lnk also
     - send a link to the trojan file, in typical MS Outlook environment,
       they just have to click on it and select "Open"
       - use unique URL/file for each target (so you can track downloads
         and email forwards)

    URL obfuscation/hiding:

            <script language="JavaScript">
            function changehref()
               document.all("obj").href = "" ;
               return 1 ;


            <a href="" id="obj"

    Similar trick:

            <a href=""
            onmouseover="window.status=(''); return

    Some more recent SCAM trick:


    Other MS IE trick (browser believes it's a HTML instead of EXE):

    As you mention, MS IE's (and possibly some other browser's) %00 trick:
            README.TXT%00PROG.EXE in Content-disposition:
            (there are many different tricks with %00)

    See also:

             Martin Mačok       

  • Next message: n30: "Auditing / Logging"