Advanced Paypal phish - uses faked functional address bar
mech at well.com
Wed Nov 30 08:54:31 PST 2005
A new phishing trick; cool, in a nefarious way:
address toolbar, then adds a fake tool bar with a graphic and DHTML
coding, matching your browser, that looks like the original address
toolbar, with a fake but usable URL field in it, which is stocked with
the address of the legit site the phisher is masquerading as. So the
actual phisher site address is completely hidden, and it looks like
you're at the legit site. Nasty.
There's the real phish at the bottom, in the quoted passage (sorry,
original headers lost, so I don't know who the initial writer was)
which you probably don't want to go to.
Immediately below is an example of how it works on a safe page:
You have to have popup-blockers turned off for it to work.
The safe test version above only seems to fake IE6/Win address bars,
but it does so successfully in Firefox and Safari on the Mac. I don't
think it would fool that many Mac people but the fakery is pretty
impressive with IE on WinXP, and as noted above, the live phish is
claimed to be more sophisticated in its mimicry.
>>>This is a heads up. Below you'll find a new and sophisticated
>>>It uses a google redirector to mask where it goes, but that is
>>>the advanced stuff :-)
>>>The complete URL is:
>>>Which goes to:
>>>When the link "Click here to go to our main page "
>>>When opened it will construct the fraudulent website according to
>>>I've tested with:
>>>- Internet Explorer
>>>All latest versions with all relevant patches.
>>>The fake address bar used may trick someone into thinking that they
>>>actually on https://www.paypal.com. Watch and observe. This is
>>Although - some popup blockers should block this I would think. The
>>trick is similar to http://ip.securescience.net/exploits/ so it
>>an address bar using a pop-up controller and you just draw the
>>the address bar. This is one of the first ones I've seen that has
>>done quite a bit better than the other ones that have attempted it.
>>Their aim was off so it looked terrible.
----- End forwarded message -----
Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
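
An added example, not part of the original message or thread: a static check a defender could run over page script to flag pop-ups opened without a real address bar, which is the precondition for the trick described above. It assumes the pop-up is created with `window.open` and a literal feature string (the message does not show the code); the function names, the sample script and the example.test URLs are constructed for illustration.

```javascript
// Added example: flag window.open calls that leave the pop-up without an address bar.
// Assumption: features are passed as a literal string in the third argument.

const OFF = new Set(["no", "0", "false"]);

// Parse a window.open feature string into a map of name -> enabled.
function parseFeatures(features) {
  const map = new Map();
  for (const part of features.split(",")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // A bare name ("location") means the feature is enabled.
    const value = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
    map.set(name, !OFF.has(value));
  }
  return map;
}

// Legacy browser rule: once any feature is listed, unlisted bars default to off,
// so "width=800,height=600" hides the address bar just like "location=no".
function hidesAddressBar(features) {
  if (features.trim() === "") return false; // empty string keeps default chrome
  return parseFeatures(features).get("location") !== true;
}

// Scan script source for window.open(url, name, features) with literal arguments.
function findSuspiciousPopups(source) {
  const call = /window\.open\(\s*(["'])(.*?)\1\s*,\s*(["'])(.*?)\3\s*,\s*(["'])(.*?)\5\s*\)/g;
  const hits = [];
  for (const m of source.matchAll(call)) {
    if (hidesAddressBar(m[6])) hits.push({ url: m[2], features: m[6] });
  }
  return hits;
}

// Constructed sample input; example.test is a placeholder host.
const sample = `
  window.open("https://example.test/help", "help", "location=yes,width=400");
  window.open("https://example.test/login", "w", "toolbar=no,location=no,status=no");
  window.open("https://example.test/pay", "p", "width=800,height=600");
  window.open("https://example.test/news", "n", "");
`;

console.log(findSuspiciousPopups(sample));
```
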