IE URL Security issue maybe?

Posted by jdsmith on October 5, 2005, 9:03 pm
This is the first time I have ever seen this, so I thought I would poll the
group for your thoughts, insight, opinions.

Received some SPAM today with the following URL:
http://www.wellsfargo.com.\lobcns.us/signon/?chrt=nf-one&client=tribalsimba@hotmail.com

At first glance it seems legit, until you notice the .\lobcns.us after the
"legit" webhost www.wellsfargo.com. Apparently IE recognized
www.wellsfargo.com as a subdomain with a host record at the lobcns.us
domain. The part that threw me was the .\ being 'valid' totally disguising
that lobcns.us is part of the FQDN.

Any thoughts?

Thanks,
Jeff



Posted by Malke on October 5, 2005, 9:13 pm
jdsmith wrote:

> This is the first time I have ever seen this, so I thought I would
> poll the group for your thoughts, insight, opinions.
>
> Received some SPAM today with the following URL:
> http://www.wellsfargo.com.\lobcns.us/signon/?chrt=nf-one&client=tribalsimba@hotmail.com
>
> At first glance it seems legit, until you notice the .\lobcns.us after
> the "legit" webhost www.wellsfargo.com. Apparently IE recognized
> www.wellsfargo.com as a subdomain with a host record at the lobcns.us
> domain. The part that threw me was the .\ being 'valid' totally
> disguising that lobcns.us is part of the FQDN.
>

Pretty common phishing attempt. Here's a website explaining phishing.
http://www.antiphishing.org/

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by Roger Abell [MVP] on October 6, 2005, 4:51 am
Yes, isn't that interesting as a disguising attempt.

I would take this as a bug in IE.

Opera takes the url as being at www.wellsfargo.com.

IE, however, evidently is not being sensitive to the URI moniker.
Use of .\ in a file:// url may be the origin of this, but it should
not be applied and no-op parsed out for http/https/ftp etc where
the following string has the form of a DNS host FQDN.
This is since the DNS spec does define _any_ character as valid
(save . which is used to separate name labels) for use in name
labels, and so removing the .\ in parsing the url is in theory
changing what should be an allowed DNS name (i.e. a . followed
by a label that starts with \).

You are right about the host name being defined

Non-authoritative answer:
ns903.dizinc.com internet address = 72.29.83.37

dizinc.com nameserver = dns178.dizinc.com
dizinc.com nameserver = dns179.dizinc.com
dns178.dizinc.com internet address = 66.195.19.49
dns179.dizinc.com internet address = 66.195.19.50
> server 72.29.83.37
Default Server: 72-29-83-37.dimenoc.com
Address: 72.29.83.37

> www.wellsfargo.com.lobcns.us.
Server: 72-29-83-37.dimenoc.com
Address: 72.29.83.37

www.wellsfargo.com.lobcns.us internet address = 72.29.83.36
lobcns.us nameserver = ns904.dizinc.com
lobcns.us nameserver = ns903.dizinc.com
ns903.dizinc.com internet address = 72.29.83.37
ns904.dizinc.com internet address = 72.29.83.38
>

> This is the first time I have ever seen this, so I thought I would poll
> the group for your thoughts, insight, opinions.
>
> Received some SPAM today with the following URL:
> http://www.wellsfargo.com.\lobcns.us/signon/?chrt=nf-one&client=tribalsimba@hotmail.com
>
> At first glance it seems legit, until you notice the .\lobcns.us after the
> "legit" webhost www.wellsfargo.com. Apparently IE recognized
> www.wellsfargo.com as a subdomain with a host record at the lobcns.us
> domain. The part that threw me was the .\ being 'valid' totally
> disguising that lobcns.us is part of the FQDN.
>
> Any thoughts?
>
> Thanks,
> Jeff
>



Posted by Karl Levinson, mvp on October 7, 2005, 6:24 am
I suspect there may be a hidden character in there that you are not seeing?
Because my IE 6 goes to wells fargo using the URL below. I am not sure that
.\ is the thing that is fooling IE. We would need to see the hidden HTML
source code of this email to know what is going on and whether this issue
has already been patched or not.

There are attacks that fool IE and attacks that fool other browsers. Is
your machine fully patched, by going to http://windowsupdate.microsoft.com?
Particularly with the latest cumulative update for Internet Explorer? Most
of the known URL spoofing attacks against IE have been patched.


> This is the first time I have ever seen this, so I thought I would poll
> the group for your thoughts, insight, opinions.
>
> Received some SPAM today with the following URL:
> http://www.wellsfargo.com.\lobcns.us/signon/?chrt=nf-one&client=tribalsimba@hotmail.com
>
> At first glance it seems legit, until you notice the .\lobcns.us after the
> "legit" webhost www.wellsfargo.com. Apparently IE recognized
> www.wellsfargo.com as a subdomain with a host record at the lobcns.us
> domain. The part that threw me was the .\ being 'valid' totally
> disguising that lobcns.us is part of the FQDN.
>
> Any thoughts?
>
> Thanks,
> Jeff
>
>
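
Added example, not part of the original thread: a mail-filter style check that derives the host from a link under the three readings discussed above (strict authority, backslash treated as a path separator as reported for Opera, and ".\" dropped as reported for IE) and flags the link when those readings differ, when the host contains unexpected or hidden characters, or when a watched domain is only a prefix of some other domain. The watch list and function names are assumptions made for illustration.

```python
import re

# Constructed watch list (assumption): domains your users are phished for.
WATCHED = ("wellsfargo.com",)

AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def host_readings(url):
    """Hosts that differently behaving parsers could derive from one URL."""
    m = AUTHORITY.match(url)
    if not m:
        return {}
    raw = m.group(1).rsplit("@", 1)[-1]      # drop userinfo if present
    raw = re.sub(r":\d*$", "", raw).lower()  # drop port
    return {
        # RFC 3986: the authority runs to the first "/", "?" or "#".
        "strict": raw,
        # Backslash treated like "/": what the thread reports for Opera.
        "backslash_as_slash": raw.split("\\", 1)[0].rstrip("."),
        # ".\" dropped: the behaviour the thread attributes to IE.
        "dot_backslash_dropped": raw.replace(".\\", "."),
    }


def embedded(host, brand):
    """True when brand appears in host but is not its parent domain."""
    host = host.rstrip(".")
    return brand in host and host != brand and not host.endswith("." + brand)


def findings(url):
    """Reasons not to trust the host a reader thinks they see in url."""
    readings = host_readings(url)
    if not readings:
        return ["no authority component"]
    out = []
    bad = sorted(set(readings["strict"]) - ALLOWED)
    if bad:  # covers the backslash and any hidden control character
        out.append(f"unexpected characters in host: {bad!r}")
    if len(set(readings.values())) > 1:
        out.append("parsers can disagree on the host")
    for brand in WATCHED:
        if any(embedded(h, brand) for h in readings.values()):
            out.append(f"{brand} is embedded in a host under another domain")
    return out


# URL from the thread, query string omitted.
THREAD_URL = "http://www.wellsfargo.com.\\lobcns.us/signon/"
```

Calling `findings(THREAD_URL)` returns three findings, while a link whose host really is under the watched domain returns an empty list.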


