--- "Schmehl, Paul L" <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of S G Masood
> > Sent: Wednesday, December 10, 2003 12:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Re: Internet Explorer URL
> > parsing vulnerability
> >
> > Hey, to be very honest, if this was 0day and the spoof was
> > well constructed, even you and me would probably fall for it. ;D
>
> Really? I kind of doubt it, since I would never click on a link in an
> email message that had anything to do with financial matters. I doubt
> that you would either - 0day or not.

I was not talking about spoofs of banking or financial sites alone. There is a whole range of subtle social engineering goals that you could accomplish with such a spoof. For instance, the headline "Gnu Members Combine Resources to Buy Out Microsoft" would look pretty on http://Microsoft.com... :)

Subtlety is the key here. In fact, you don't necessarily have "to click on a link in an email message". There are a whole lot of other ways to feed the URL to the victim which are even more covert.

--
Masood

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html