[thelist] phishing and urls

VOLKAN ÖZÇELİK volkan.ozcelik at gmail.com
Mon Sep 12 02:03:26 CDT 2005


The URL in the address bar and even SSL certificate may be spoofed by
creating pseudo layers using "createpopup" method.

This method allows you to position a layer *anywhere on the screen*
(even outside the browser's viewport).

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/reference/methods/createpopup.asp

This enables one to position a layer just on top of the address bar and
make the URL *seem* as if it is from "amazon.com".

The article says that XP SP2 adds some restrictions to the method.

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/overview/window_restric.asp

<quote>
 Malicious coders have used these script-opened windows and the
script-driven window positioning to mislead and deceive users. The
Window Restrictions security feature in Internet Explorer 6 for
Microsoft Windows XP Service Pack 2 (SP2) now restricts the opening
and placement of windows by script to prevent malicious coders from
misleading users.
</quote>

This is a security vulnerability only for IE. And if you don't have
SP2, it applies to you as well.

That's why one should handle micro**** internet exploder with care.

Cheers,
Volkan.

On 9/10/05, Robert Vreeland <vreeland at studioframework.com> wrote:
> A lot of virus / trojans modify your local dns host file; which means while
> the url may say amazon.com the ip address is completely different. Also, I
> would recommend against ever clicking on a link in a html email from an
> un-trusted source as it may launch a stub program, same as going to what you
> know is a bogus site.
> 
> Robert Vreeland
> 
> -----Original Message-----
> From: thelist-bounces at lists.evolt.org
> [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Lightning
> Sent: Friday, September 09, 2005 12:19 PM
> To: thelist at lists.evolt.org
> Subject: [thelist] phishing and urls
> 
> This morning I got a phishing email supposedly from amazon.com.
> 
> I knew it was phishing, of course, because it had that famous line "your
> account will close within 24 hours unless you click on this link and verify
> your information".
> 
> What scared me particularly on this phish was this - I clicked on the link
> (I often check to see where a phisher wants to take me), and the url given
> was definitely an amazon.com address! (Many phishers will lead you to a
> misspelled address, or an address with an alien header such as
> www.amazzon.com or www.verification.amazon.com.) But, no, this really was
> the amazon site. The email also attempted to put amazon.com cookies on my
> hard drive.
> 
> What scared me even more was I then wrote a letter to amazon alerting them
> of the email, and found my email program no longer worked. So... did this
> phisher ALSO put a virus, or change a setting on my email?
> 
> I immediately restored my computer to an earlier point. My email is working
> fine now, and the letter went off to amazon. They sent back a letter saying
> that phishers CAN take you to one site while displaying that you are at
> another url!!
> 
> ok, the above is the story. Below are my questions:
> 
> 1. HOW can a page make the url be different from the url you are visiting?
> 2. How can an email use cookies?
> 3. I was taught that a site can only create and read cookies that match the
> domain name they come from. Can someone please set me straight on the facts
> about cookies?
> 4. I thought you would be safe from viruses and unauthorized changes to
> your system if you don't click on any attachments. How does an email
> transfer a virus or a command if you don't click on an attachment? What are
> the new rules for keeping your computer safe?
> 
> thanks for any explanation, or links to appropriate explanations.
> 
> Laura
> 
> --
> 
> * * Please support the community that supports you.  * *
> http://evolt.org/help_support_evolt/
> 
> For unsubscribe and other options, including the Tip Harvester and archives
> of thelist go to: http://lists.evolt.org Workers of the Web, evolt !
> 
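Robert's point above is that a trojan can rewrite the local hosts file so "amazon.com" resolves to an attacker's address while the browser still shows the right name. The following is an added defensive check, written for this page and not from any participant in the thread: it parses a hosts file and reports any entry that overrides a watched brand domain. The sample hosts content and the WATCHED list are constructed assumptions.

```python
import ipaddress
import os
import sys

# Constructed sample hosts file (not from the thread); the amazon.com line is the tampered one.
SAMPLE_HOSTS = """\
# Hosts file - constructed sample
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.44      amazon.com www.amazon.com   # injected entry (constructed)
127.0.0.1       ads.example.net             # benign ad blocking via loopback
"""

# Assumed watch list: brands that should never be resolved by a local hosts entry.
WATCHED = {"amazon.com", "paypal.com"}


def hosts_path():
    """Platform default location of the hosts file."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            r"System32\drivers\etc\hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address on this line
        for name in names:
            yield addr, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED):
    """Return [(hostname, ip)] for entries that map a watched domain or any of
    its subdomains to a local override, whatever the address (loopback included)."""
    findings = []
    for addr, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

To check a live machine, read `hosts_path()` instead of `SAMPLE_HOSTS`; an empty result means no watched domain is pinned locally, not that DNS itself is trustworthy.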
