Posted by mak on September 25, 2006, 2:38 am
hi,
got a phishing mail today, very easy to recognize,
but the link that you are supposed to click and "renew your paypal account,
because it expired "
is the following:
http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1037997238:9999/webscrr/index.php
so 2 questions:
what happens when people click the link as far as google "pagead"
why can a browser read http://1037997238:9999 or how do you convert that into an
ipaddress?
cheers,
M
Posted by Sebastian Gottschalk on September 25, 2006, 2:49 am
mak wrote:
> hi, got a phishing mail today, very easy to recognize, but the link that
> you are supposed to click and "renew your paypal account, because it
> expired " is the following:
>
>
> <http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1037997238:9999/webscrr/index.php>
>
>
> so 2 questions: what happens when people click the link as far as google
> "pagead"
The website is opened?
> why can a browser read http://1037997238:9999
Because many web browsers utilize standardized string conversion functions
from LibC, which also process some unwanted formats. Yes, this is a
problem.
->
<http://0x43.0x9e.0x87.0xa9/images/macromedia/Configuration/WebServices/index.html>
> or how do you convert that into an ipaddress?
It's the decimal expression of an unsigned 32 bit integer. IP (v4)
addresses are 32 bit fields. Trivial.
Posted by mak on September 25, 2006, 3:59 am
Sebastian Gottschalk wrote:
> mak wrote:
>
>> hi, got a phishing mail today, very easy to recognize, but the link that
>> you are supposed to click and "renew your paypal account, because it
>> expired " is the following:
>>
>>
>> <http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1037997238:9999/webscrr/index.php>
>>
>>
>> so 2 questions: what happens when people click the link as far as google
>> "pagead"
>
> The website is opened?
yes, but obviously there is some sort of redirect, what is this "pagead"
business?
why would the spammer not just use the
"http://1037997238:9999/webscrr/index.php" link ?
?
mak
>> why can a browser read http://1037997238:9999
>
> Because many web browsers utilize standardized string conversion functions
> from LibC, which also process some unwanted formats. Yes, this is a
> problem.
>
> ->
>
>
> <http://0x43.0x9e.0x87.0xa9/images/macromedia/Configuration/WebServices/index.html>
>
>> or how do you convert that into an ipaddress?
>
> It's the decimal expression of an unsigned 32 bit integer. IP (v4)
> addresses are 32 bit fields. Trivial.
Posted by Sebastian Gottschalk on September 25, 2006, 4:10 am
mak wrote:
> yes, but obviously there is some sort of redirect, what is this "pagead"
> business?
The website advertisement business from Google Inc.? What else?
> why would the spammer not just use the
> "http://1037997238:9999/webscrr/index.php" link ?
1. to obfuscate the real link target
2. to possibly spoof the browser's address bar for a short time, depending
on slow GUI reaction
Posted by Barry Margolin on September 26, 2006, 12:53 am
> mak wrote:
>
> > yes, but obviously there is some sort of redirect, what is this "pagead"
> > business?
>
> The website advertisement business from Google Inc.? What else?
>
> > why would the spammer not just use the
> > "http://1037997238:9999/webscrr/index.php" link ?
>
> 1. to obfuscate the real link target
> 2. to possibly spoof the browser's address bar for a short time, depending
> on slow GUI reaction
Or when the user hovers his mouse over the link in the mail, he'll see a
Google URL. Since he uses Google all the time, he trusts them, and
won't be suspicious of the link.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
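
The two points raised in this thread, the integer and hex host forms and the trusted-looking redirector in front of them, shown as an added example that is not part of any post: a Python check a mail filter or analyst could run to recover the real destination of such a link. The names `canonical_ipv4` and `analyze` and the `param` default are chosen for illustration; the sample URL is the thread's link with the `ai` token left out.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# One host component as inet_aton-style parsers read it: 0x.. hex, 0.. octal, else decimal.
_NUM = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")

def _part(s):
    if not _NUM.fullmatch(s):
        raise ValueError(s)
    if s[:2].lower() == "0x":
        return int(s, 16)
    return int(s, 8) if s[0] == "0" else int(s)

def canonical_ipv4(host):
    """Dotted quad for a numeric host in any 1- to 4-part form, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *lead, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 0xFF for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def analyze(url, param="adurl"):
    """Compare the host a reader sees with the host the redirect parameter names."""
    outer = urlsplit(url)
    target = parse_qs(outer.query).get(param, [None])[0]
    inner = urlsplit(target) if target else outer
    ip = canonical_ipv4(inner.hostname or "")
    return {
        "shown_host": outer.hostname,
        "real_host": inner.hostname,
        "real_ip": ip,
        "port": inner.port,
        "obfuscated_ip": ip is not None and ip != inner.hostname,
        "redirected": target is not None and inner.hostname != outer.hostname,
    }

# The thread's link with the opaque `ai` token left out.
SAMPLE = "http://www.google.com/pagead/iclk?sa=l&num=5&adurl=http://1037997238:9999/webscrr/index.php"

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A filter can treat `obfuscated_ip` together with `redirected` as a strong phishing signal, since legitimate mail rarely hides a bare IP on a non-standard port behind a redirector.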