hacking security forum

Re: [Full-Disclosure] US Bank scam

From: Nick FitzGerald <nick@virus-l.demon.co.uk>
Date: Tue Jun 15 2004 - 21:03:14 EDT

"Hamby, Charles D." <pfcdh1@matsu.alaska.edu> wrote:

> This is a slick phishing scam, I have to admit. ...

It's been around for a month or more, so it may be slick, but it's not
new... Back on 13 May Drew Copley from eEye posted the following to
Bugtraq about it:

   http://www.securityfocus.com/archive/1/363326

   http://www.securityfocus.com/archive/1/363350

It is listed as BID 10346 at securityfocus:

   http://www.securityfocus.com/bid/10346

> ... One thing I noticed
> though;
> I printed the various pages of the website out with IE to use as an
> example and I noticed that the real URL appeared at the bottom of each
> page as opposed to the bogus one. I thought that was interesting. Has
> anyone else
> noticed that this occurs with other phishing sites or is it just unique
> to this case?

For pity's sake -- did you not even look at the page sources to see how
it works??

It slaps a fake URL window over roughly the screen area where the real
URL is still displayed in the address bar. This is _NOT_ a case of
"true" spoofing (in the sense that the browser is fooled -- note for
one that the "https padlock" is not present; IE knows it is not at an
https URL), so why would you think that IE might print the "spoofed"
URL in printed headers/footers?

The spoofing here is of the social engineering type. Clearly all those
who have posted to the list so far commenting how effecitve this is are
not the types to immediately notice the horrible, and to me immediately
noticeable, two or three pixel offset of the faked URL window...

Finally, this is the kind of problem that is relatively easily guarded
against (though not entirely protected from) by running non-default
configurations. To the extent you have the Address bar in IE
positioned somewhere other than where the default locationj is, this
"trick" becomes horribly obvious, so long as your users have the
requisite clue count...

(And yes, there are other ways to do this that are not so easily fooled
as to show themselves by simply moving the Address bar, and these have
reputedly already been used in some phishing scams -- see commentary in
Drew's archived posts, linked above.) 

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Tue Jun 15 21:26:57 2004

This archive was generated by hypermail 2.1.8 : Tue Jun 15 2004 - 22:03:48 EDT

Custom Search