[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
http://www.theregister.co.uk/2007/05/25/strange_spoofing_technique/ A Reg reader has produced screen shots that demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results. It would appear the scam method isn't limited to PayPal, either. Hall has supplied screen shots of something very similar happening when he used IE to log on to his online account at HSBC, and he says he also experiences variations on that theme when trying to access accounts on Barclays and eBay. "There is some malicious infection on my machine regarding IE 7, which Symantec hasn't worked out and Microsoft hasn't either," Hall surmises. A Symantec spokeswoman says company researchers are looking in to the matter. We left messages for representatives of eBay and Microsoft late on Thursday, but had not heard back at the time of writing. Based on our description, Roger Thompson, who tracks web exploits for Exploit Prevention Labs, guesses those experiencing this attack have inadvertently installed an html injector. That means the victims' browsers are, in fact, visiting the PayPal website or other intended URL, but that a dll file that attaches itself to IE is managing to read and modify the html while in transit. i.e. this is a security breach in IE7 - the address bar shows the correct URL (unlike most phishing attacks which send you to http://fdgse4.ga/?get=www.paypal.com etc. and which could work with any browser if you don't check the link carefully) because this attack happens between the genuine website and the browser. The HTML sent by www.paypal.com|uk is modified before it reaches the HTML parser, changing the address for all those forms, sending your identification data to the attacker. Nasty. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
Attachment:
pgpHxXRDHWtaU.pgp
Description: PGP signature
-- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html