Re: [LUAU] How Does this Work?
Not directly related to the posted phishing scam, but here is a link that describes other ways to obscure URLs: http://www.pc-help.org/obscure.htm
Re: [LUAU] How Does this Work?
For a more technical explanation, you can refer to rfc1738 among others, if that kind of thing excites you: http://www.faqs.org/rfcs/rfc1738.html . I can't explain that particular URL. The URL RFC explains that there are several special characters, including @, :, and &, that aren't considered normal text. Also, %HEXHEX represents the character of that numerical value.

@ is a simple, yet somewhat obvious method. When a site asks for a password, you can either wait for it to ask, or you can type http://user:[EMAIL PROTECTED] You can leave the password out if you want. If the site doesn't actually require a user/password, it will ignore it. So you can use anything you want in the username. [EMAIL PROTECTED] will take you to google, and microsoft has no effect.

Domain names don't have to be used. http://216.239.57.104 will take you to www.google.com just as well. However, even non-technical people know what an IP is, so that's too obvious in some cases. IPs can be written in other forms with hex or octal, and in some cases the .'s can be omitted.

The & sign depends on the browser. Old versions of IE and other browsers used to read an & as "ignore everything before this", so www.microsoft.com/stuff/stuff/stuff&www.ijusthackedyou.com wouldn't get you to microsoft. The & is much less obvious than the @, but doesn't seem to work anymore, or at least not on mozilla.

HTTP usernames and passwords don't really work with '/' marks. So www.microsoft.com/[EMAIL PROTECTED] would fail or get you to an error page within microsoft.

%HEXHEX makes any character, printable or not. %00 is NULL or \0. NULL is used to terminate a string in most programming languages. If you fill char[40] with "abc\0def" and leave the other 33 chars as the default, the 'string' in that array is "abc". If you print www.microsoft.com/stuff/[EMAIL PROTECTED] shows up as www.microsoft.com/stuff in some cases. Otherwise you can print entire URLs in %xx%yy%zz format.

You can easily abuse javascript for some purposes. A lot of URLs are of the form this link but some are of the form www.stuff.com. Although the second is the same as the first, and that text could be anything, people are convinced that if the link contains a url, it must point to that url. Javascript pseudo code something like:

onMouseOver: statusBar.print(url)

will print the url in the status bar when you point the mouse at it. This emulates the normal behavior when you point to a link in most web browsers.

There are other tricks, but I don't know all of them offhand.

-Eric Hattemer
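The forms described in the message above (text before an @, IP addresses written as one number or in hex or octal, %HEXHEX escapes, %00) can be checked mechanically. This is an added example, not part of the original post: the function names and finding labels are made up for illustration, the sample URLs are constructed, and 216.239.57.104 is the address quoted in the post.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

def _component(part):
    """Parse one dotted component the way legacy inet_aton() does."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part)
    return None

def numeric_host_to_ip(host):
    """Return the dotted-quad IPv4 address a numeric host means, else None."""
    nums = [_component(p) for p in host.split(".")]
    if len(nums) > 4 or any(n is None for n in nums):
        return None
    *head, last = nums
    # The final component fills every byte the earlier ones leave unused.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def analyze(url):
    """Report the host a URL really names and which obscuring forms it uses."""
    findings = []
    netloc = urlsplit(url).netloc
    userinfo, at, hostport = netloc.rpartition("@")
    if at:
        findings.append("userinfo")  # text before '@' is a login, not the site
    raw_host = hostport.split(":")[0]  # names and IPv4 only, no [IPv6]
    host = unquote(raw_host).lower()
    if host != raw_host.lower():
        findings.append("percent-encoded-host")
    if "\x00" in unquote(url):
        findings.append("encoded-nul")
    ip = numeric_host_to_ip(host)
    if ip:
        findings.append("numeric-host" if ip == host else "disguised-ip")
    return {"host": ip or host, "findings": findings}

# Constructed sample URLs for a quick manual run.
if __name__ == "__main__":
    for u in ("http://www.example.com@3639556456/", "http://0xD8.0xEF.0x39.0x68/"):
        print(u, "->", analyze(u))
```

A mail filter or proxy could log the returned host next to the link text shown to the user and flag any message where the two disagree.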
Re: [LUAU] How Does this Work?
MonMotha wrote:

> That link doesn't work for me in mozilla (brings up an error dialog), but the use of &BVP= is probably a weirdo escape sequence that rewrites .com into some odd cctld that someone bought up. I've gotten a similar mail, but it was in HTML. Did we possibly lose something in the HTML to plaintext conversion?

Double checking the email, I received text, and the address is the same. The link no longer works for me. It is interesting and a shame that someone else did not see it. When I first clicked the link, I was told that address was not available. I clicked okay, and after a dial-up kind of wait, ~15 sec, a citibank.com site appeared.

I understand it is phishing, but what was deceiving is that the resulting page looked exactly like the citibank page. Maybe Vince could have done that with his phish, but to do it completely would have been illegal. I guess that I was also alarmed because I only thought that it happened with IE, but I clearly don't have a complete picture of the underlying protocols at play.

> --MonMotha

--scott
Re: [LUAU] How Does this Work?
On Thu, Apr 29, 2004 at 12:02:41PM -1000, R. Scott Belford wrote:

> Can anyone explain what is happening on a more technical level
> than what I have found so far?

Phishing. The URL, disguised as pointing to an apparently legitimate source, actually takes you to a site that tries to collect your personal information. Observe:

http://www.hawaii.edu:[EMAIL PROTECTED]/pn/

If you think that link will actually take you to UH's homepage, I must solicit your strictest confidence in a 100% safe overseas transaction!

-Vince

PS. Apologies in advance for potentially setting off your spam filters.
Re: [LUAU] How Does this Work?
R. Scott Belford wrote:

> I recently received, correct that, SpamAssassin filtered the following email. Researching it led me to these two links, among many
>
> http://www.inertramblings.com/archives/000454.html
> http://www.millersmiles.co.uk/identitytheft/011104-citibank-email-scam.php
>
> and I recall hearing of an unpatched IE bug that could lead to a false url being displayed. However, using mozilla on osx I was taken to the "citibank.com" domain, and it was deceiving. I just don't bank with them. Can anyone explain what is happening on a more technical level than what I have found so far?
>
> ...
>
> To log into your account, please visit the online banking
> http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/&M=S&US&_u=visitor
>
> ...

That link doesn't work for me in mozilla (brings up an error dialog), but the use of &BVP= is probably a weirdo escape sequence that rewrites .com into some odd cctld that someone bought up. I've gotten a similar mail, but it was in HTML. Did we possibly lose something in the HTML to plaintext conversion?

--MonMotha
[LUAU] How Does this Work?
I recently received, correct that, SpamAssassin filtered the following email. Researching it led me to these two links, among many

http://www.inertramblings.com/archives/000454.html
http://www.millersmiles.co.uk/identitytheft/011104-citibank-email-scam.php

and I recall hearing of an unpatched IE bug that could lead to a false url being displayed. However, using mozilla on osx I was taken to the "citibank.com" domain, and it was deceiving. I just don't bank with them. Can anyone explain what is happening on a more technical level than what I have found so far?

--scott

The fake email is below:

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.
- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated Citibank account.

To log into your account, please visit the online banking
http://web.da-us.citibank.com&BVP=/cgi-bin/citifi/scripts/&M=S&US&_u=visitor

If you have questions about your online statement, please send us a Bank Mail or call us at 1-800-374-9700

We appreciate your business. It's truly our pleasure to serve you.

Citibank Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.