"New Universal Man-in-the-Middle Phishing Kit" ?

"New Universal Man-in-the-Middle Phishing Kit" ? mak 01-17-2007
Posted by mak on January 18, 2007, 2:48 am
Barry Margolin wrote:
>
>> ...snip...
>> how does an URL communicate with anything?
>
> They mean "the server accessed via the URL".
that's what i thought,

>> and why wouldn't my browser complain about an invalid certificate for my
>> banks site?
>
> You're not going to your bank's site, you're going to the phisher's site
> because you clicked on the fraudulent URL he sent you. The phisher has
> a valid certificate for his own site, of course, so there's nothing for
> your browser to complain about (it has no way of knowing where you
> *think* you're going).
>

ok,
but then I will see the bogus URL
as in:

http://www.mybank.com.onlineid3979954057.rwrth.ws/customer.htm

in my browser, right?

M

Posted by Sebastian Gottschalk on January 18, 2007, 3:34 am
mak wrote:

> ok,
> but then I will see the bogus URL
> as in:
>
> http://www.mybank.com.onlineid3979954057.rwrth.ws/customer.htm
>
> in my browser, right?

Not if you're not paying attention to the length/scrolling or URL
parameters. You'd just see:

https://www.mybank.com:SID=kedvzroibnuwqzqnxtonrcwxobriltenoiqutrxniuqwtbr...@onlineid3979954057.rwrth.ws/customer.htm

whereas at the ..., your address bar is filled. Firefox 2.0 and Mozilla
Seamonkey implement a check to warn you whenever such an invalid (but
broadly utilized) user@pass:site URL is encountered.

And if you're abusing MSIE as a web browser, the malicious website won't
need any such tricks. Not only is an unpatched vulnerability known
which allows faking the content in the address bar, there is also a documented
way to turn off the address bar (yes, even in IE7!), thus you can replace
it with your own. Officially this would lead to the real domain
(onlineid3979954057.rwrth.ws) being prepended to the title bar, yet again
this can also be easily circumvented.

Thus, even that might be non-trivial.
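
The two URL shapes discussed in this thread can be checked mechanically. The following is an added example, not code from anyone in the thread: it recovers the host a browser will actually connect to and flags the user@host trick that the Firefox 2.0 warning targets. The registrable-domain logic (last two labels) is a simplification assumed for the example; a real check would consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Assumption for this example: two labels approximate the registrable
    domain. Real tooling should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_url(url: str, expected_domain: str) -> dict:
    """Report where a URL really points and which lookalike tricks it uses."""
    parts = urlsplit(url)
    host = parts.hostname or ""        # what the browser connects to
    userinfo = parts.username or ""    # everything before ':' or '@' in netloc
    findings = []
    if userinfo:
        # The userinfo is shown first and is what a hurried reader sees.
        findings.append("userinfo present")
        if "." in userinfo:
            # A dotted userinfo is designed to be mistaken for the hostname.
            findings.append("userinfo looks like a hostname")
    if registrable_domain(host) != expected_domain.lower():
        findings.append("real domain is " + registrable_domain(host))
    return {"host": host, "userinfo": userinfo, "findings": findings}


# Sample inputs from the thread (the SID value is shortened/constructed).
SUBDOMAIN_TRICK = "http://www.mybank.com.onlineid3979954057.rwrth.ws/customer.htm"
USERINFO_TRICK = (
    "https://www.mybank.com:SID=kedvzroibnuwqzqnxtonrcwxobriltenoiqutrxniuqwtbr"
    "@onlineid3979954057.rwrth.ws/customer.htm"
)

if __name__ == "__main__":
    for sample in (SUBDOMAIN_TRICK, USERINFO_TRICK, "https://www.mybank.com/customer.htm"):
        print(audit_url(sample, "mybank.com"))
```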

Posted by Barry Margolin on January 18, 2007, 8:54 pm

> Barry Margolin wrote:
> >
> >> ...snip...
> >> how does an URL communicate with anything?
> >
> > They mean "the server accessed via the URL".
> that's what i thought,
>
> >> and why wouldn't my browser complain about an invalid certificate for my
> >> banks site?
> >
> > You're not going to your bank's site, you're going to the phisher's site
> > because you clicked on the fraudulent URL he sent you. The phisher has
> > a valid certificate for his own site, of course, so there's nothing for
> > your browser to complain about (it has no way of knowing where you
> > *think* you're going).
> >
>
> ok,
> but then I will see the bogus URL
> as in:
>
> http://www.mybank.com.onlineid3979954057.rwrth.ws/customer.htm
>
> in my browser, right?

Maybe. But that's true of traditional phishing sites, it's nothing new
in this case. The MitM attack simply adds the ability of the site to
display things on the page that supposedly only the real site can
display (such as your last ATM transaction).

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Posted by Anne & Lynn Wheeler on January 18, 2007, 9:03 pm
> Maybe. But that's true of traditional phishing sites, it's nothing new
> in this case. The MitM attack simply adds the ability of the site to
> display things on the page that supposedly only the real site can
> display (such as your last ATM transaction).

or supposedly the latest online banking countermeasures for fraudulent
website (phishing) imposters ... recent discussion in another n.g.
http://www.garlic.com/~lynn/2007b.html#53 Forbidding Special characters in passwords
http://www.garlic.com/~lynn/2007b.html#54 Forbidding Special characters in passwords
http://www.garlic.com/~lynn/2007b.html#60 Securing financial transactions a high priority for 2007
