FOUND: COELACANTH: Phreak Phishing Expedition

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: FOUND: COELACANTH: Phreak Phishing Expedition
From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
Date: Fri, 11 Jun 2004 01:03:47 -0000
Cc: <NTBugtraq@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: 1@xxxxxxxxxxx


>From the original discover, 'bitlance winter' one big fat 
coelacanth:

<a href="http://www.malware.com%2F redir=www.e-gold.com">test</a>

"i guess that this issue is not e-gold's BUG,
IE6 and Opera7.51 is vulnerable.

Some server's DNS allow magic number subdomainname.
the server allow ,
www.site.tld
wwwww.site.tld
wwwwwwwwwwww.site.tld
www   www.site.tld
wwwURLEncodecharcterswww.site.tld
when the server allows URLEncodecharacters 
evil attackers can fake victim users who use Opera and IE .

the attacker will make their DNS
*.evilsite.tld IN A 333.333.333.333

using this DNS,
victim's IE can shows victim
http://w.evilsite.tld
http://wwwwwwwwwwwwwwwwwww.evilsite.tld

and then,
attacker makes an evil link as 
http://www.microsoft.com [malicious falke char$]  evilsite.tld

and then, attacker set tricks
Bugtraq: Stupid Phishing Tricks (you find it)

victim user will input his userID and password.

I guess many server's DNS allow 
*.evilsite.tld IN A 333.333.333.333
because they use magicnumber SSL cert.
Attacker can use this method."

 
-- 
http://www.malware.com

Prev by Date: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]
Next by Date: [ GLSA 200406-07 ] Subversion: Remote heap overflow
Previous by thread: RE: [Fwd: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition]
Next by thread: [ GLSA 200406-07 ] Subversion: Remote heap overflow
Index(es):
- Date
- Thread