[IP] Advanced Paypal phish - uses faked functional address bar

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Advanced Paypal phish - uses faked functional address bar
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 1 Dec 2005 05:20:05 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <p06230973bfb405cd1e88@[192.168.1.120]>
Reply-to: dave@xxxxxxxxxx

Begin forwarded message:

From: Stanton McCandlish <mech@xxxxxxxx>
Date: November 30, 2005 8:54:31 PM EST
To: David Farber <dave@xxxxxxxxxx>
Subject: Advanced Paypal phish - uses faked functional address bar

A new phishing trick; cool, in a nefarious way:

The phisher pops a window that uses Javascript to hide your real
address toolbar, then adds a fake tool bar with a graphic and DHTML
coding, matching your browser, that looks like the original address
toolbar, with a fake but usable URL field in it, which is stocked with
the address of the legit site the phisher is masqueraded as.  So the
actual phisher site address is completely hidden, and it looks like
you're at the legit site.  Nasty.

There's the real phish at the bottom, in the quoted passage (sorry,
original headers lost, so I don't know who the initial writer was)
which you probably don't want to go to.

Immediately below is an example of how it works on a safe page:
  http://ip.securescience.net/exploits/

You have to have popup-blockers turned off for it to work.

The safe test version above only seems to fake IE6/Win address bars,
but it does so successfully in Firefox and Safari on the Mac.  I don't
think it would fool that many Mac people but the fakery is pretty
impressive with IE on WinXP, and as noted above, the live phish is
claimed to be more sophisticated in its mimickry.

This is a heads up. Below you'll find a new and sophisticatedPaypal scam.
It uses a google redirector to mask where it goes, but that is
certainly not
the advanced stuff :-)

The complete URL is:
http://www.google.pt/url?sa=U&start=4&q=http://dns1.n-kiso.co.jp/.checking/.
www.paypal.com/index.php

Which goes to:
http://dns1.n-kiso.co.jp/.checking/.www.paypal.com/index.php

When the link "Click here to go to our main page "

It will open a javascript: "java script: Start('sysdll.Php')"
When opened it will construct the fraudulent website according toyour
default browser.

I've tested with:

- Firefox
- Internet Explorer
- Opera

All latest versions with all relevant patches.
The fake adressbar used may trick someone into thinking that theyare
actually on https://www.paypal.com. Watch and observe. This is
indeed tricky
done.
Although - some popup blockers should block this I would think. The
trick is similar to http://ip.securescience.net/exploits/ so itcreatesan address bar using a pop-up controller and you just draw theimage ofthe address bar. This is one of the first ones I've seen that hasbeen
done quite a bit better than the other ones that have attempted it.
Their aim was off so it looked terrible.




-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] EFF says DMCA Rulemaking Process Is Broken, Write Congress
Next by Date: [IP] Firms haggle over video on demand
Previous by thread: [IP] EFF says DMCA Rulemaking Process Is Broken, Write Congress
Next by thread: [IP] Firms haggle over video on demand
Index(es):
- Date
- Thread