[thelist] phishing and urls

Jeff Howden jeff at jeffhowden.com
Fri Sep 9 12:28:57 CDT 2005


Laura,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Lightning
> 
> What scared me particularly on this phish was this - I 
> clicked on the link (I often check to see where a
> phisher wants to take me, and the url given was
> definitely an amazon.com address! [...]
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

I find that extremely difficult to believe, unless the link started out as
an Amazon.com link and ended up being a redirect somewhere else.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> [...] (Many phishers will lead you to a misspelled
> address, or an address with an alien header such as
> www.amazzon.com or www.verification.amazon.com.) [...]
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

The former is certainly not an Amazon.com domain.  However, the latter is a
valid subdomain syntax for an Amazon.com domain.  In order to actually put a
site at that domain, you'd have to have control of Amazon.com's DNS.

Now, if it was switched around to something like
www.amazon.verification.com, then that'd be a non-Amazon.com domain.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> [...] But, no, this really was the amazon site. The
> email also attempted to put amazon.com cookies on my
> hard drive.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

That could be caused by either a link using an Amazon.com redirect or by way
of calling an Amazon.com image into the body of the HTML email.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> [...] and found my email program no longer worked. 
> So... did this phisher ALSO put a virus, or change a
> setting on my email?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Email settings (with proper security settings applied) can't be changed via
an email.  The same would be true of a virus.  It's very likely that the two
are a coincidence.  Perhaps a more thorough description of "no longer
worked" could bring that to light.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> [...] They sent back a letter saying that phishers CAN
> take you to one site while displaying that you are at
> another url!!
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

That's the first I've ever heard of that being possible and from my
experience is a completely bogus claim.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> 1. HOW can a page make the url be different from the url
>    you are visiting?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

The *only* way is by way of frames or iframes.  However, to do that, you
must have control of the domain that you wish to have displayed in the
address bar of the browser.  And, technically, you're not making the URL
different from the URL you are visiting.  You're only masking it.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> 2. How can an email use cookies?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Call an external object (image, flash, stylesheet, etc.) from a server that
sets cookies for all requested objects.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> 3. I was taught that a site can only create and read
>    cookies that match the domain name they come from.
>    Can someone please set me straight on the facts
>    about cookies?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

http://www.cookiecentral.com/faq/#2.9

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> 4. I thought you would be safe from viruses and
>    unauthorized changes to your system if you don't
>    click on any attachments. How does an email transfer
>    a virus or a command if you don't click on an
>    attachment? What are the new rules for keeping your
>    computer safe?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Attachments haven't been the only infection vector in email for a *long*
time.  However, provided you have your security zone set to restricted and
have scripting turned off for that zone as well as have all the latest
patches and updates, you don't have anything to worry about.  Regardless,
I'd recommend installing antivirus software and keeping it up-to-date.

 [>] Jeff Howden
     jeff at jeffhowden.com
     http://jeffhowden.com/
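
The right-to-left reading of hostnames used in the reply above, as an added example that is not part of the original post: it compares whole DNS labels to decide whether a link's host sits inside a given domain. The function names and the choice of amazon.com as the trusted domain are assumptions for illustration; the three hostnames are the ones discussed in the thread.

```python
from urllib.parse import urlsplit

# Hostnames taken from the thread, wrapped in constructed URLs.
SAMPLE_LINKS = [
    "http://www.amazzon.com/",
    "http://www.verification.amazon.com/",
    "http://www.amazon.verification.com/",
]

def host_labels(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it.

    DNS names are read right to left, so the rightmost labels must equal
    the domain's labels exactly. Substring or prefix matches do not count.
    """
    h, d = host_labels(host), host_labels(domain)
    if "" in h or "" in d:  # empty label means a malformed name
        return False
    return len(h) >= len(d) and h[-len(d):] == d

def classify_link(url, trusted_domain):
    """Return 'inside', 'outside' or 'no-host' for the host named in a link."""
    host = urlsplit(url).hostname  # None when the URL has no network location
    if not host:
        return "no-host"
    return "inside" if belongs_to(host, trusted_domain) else "outside"

def classify_all(links, trusted_domain="amazon.com"):
    """Map each link to its verdict (hypothetical helper for the demo)."""
    return {url: classify_link(url, trusted_domain) for url in links}

if __name__ == "__main__":
    for url, verdict in classify_all(SAMPLE_LINKS).items():
        print(f"{verdict:8} {url}")
```

The check covers only the host named in the link; it says nothing about where a redirect on that host sends the browser afterwards, which is the case the reply raises.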


