A check for URL address spoofing

Firefox, Thunderbird, SeaMonkey, Camino, Mozilla, Netscape 6/7/8/9, and all Gecko-based browsers discussion and support forum.

Post by profman » Mon 24 May, 2004 8:04 pm

A recent thread, Re: Spoofstick for Mozilla?, in the netscape.mozilla.user.win32 newsgroup discussed how to determine if a link really goes to where it is supposed to. The practice, PHISHING, is where you are sent to a page that looks like an official site, but the site really is just designed to steal personal data.

Mozilla already shows the real URL in the Status Bar at the bottom, but "hb" offers a fairly neat way of checking. He states:

Create a bookmark named VERIFY URL. Put this in its "location" box...

Code:
javascript:alert(%22The real URL is: %22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is: %22 + location.href + %22\n%22 + %22If the server names do not match, this may be a spoof.%22);



I straightened out the code which had wrapped in the original newsgroup post. It looks wrapped above, but seems to paste in just fine.

I tried it, and it seems to work.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
profman, the mad chemist
Moderator of SillyDog Forums
User of Thunderbird 2.0.0.x & Firefox 3.x

Post by Antony » Mon 24 May, 2004 11:29 pm

Thanks profman.
And I am here to confirm that it works with Safari!
Image

Related issues...
There are a few other ways to detect if the actual page is located where the URL bar says it is. Context click (*) on the page, and try to get the view source. If the view source has the frame structure, you will need to worry about it.

Also, when clicking a link from emails, be very careful about the structure of that link...
Many scam websites hide their URLs in the following format....
http://www.paypal.com:randomstring@123.123.123.123/
Where they pretend to be PayPal, and the actual URL is 123.123.123.123
The format was:
http://user:pass@url.com/


(*) Commonly known as right-click.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1

Post by profman » Tue 25 May, 2004 12:10 am

Antony: Thanks for those good comments!

Everyone should be aware of these deceptive methods of fooling people into divulging personal or financial information.

Here are a couple links on "phishing", although you can do your own Google search to find much more.

FTC Consumer Alert: How Not to Get Hooked by a 'Phishing' Scam

CNET News.com: U.S. hit by rise in 'phishing' attacks
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Post by Antony » Tue 25 May, 2004 11:57 am

slightly off topic,
Those look-alike "phishing" things also appear to be on the emails as well...

Image

Looks like a link you should click?

But when you check the source code...
It's not the link it appears to be, but a link to run the attached virus.
Image

the virus?
Image

Suggestion, verify before you click.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1

Post by Antony » Mon 19 Jul, 2004 10:10 am

Today, I received one fake email said to be from eBay.com <aw-confirm@ebay.com> (the email was sent from IP address 218.154.70.10) with the title "Your account at eBay has been suspended".

Without a thought, I knew it was a fake and wanted to steal my data.

So I decided to investigate it.

Image

The email asked me to click
http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify
But if I click that, the actual link I click would be
http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm
BINGO!

Image

The real website is rndsystems.co.kr with subdomain signin_ebay_com_account and using an unusual port number 7308. (the usual web pages use port 80)

You can read my further investigation of that website.

I recommend all users check the raw source of any questionable emails.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8
Last edited by Antony on Sat 24 Jul, 2004 11:24 pm, edited 1 time in total.

Post by Fulvio » Mon 19 Jul, 2004 11:18 am

"It's not the link it appears to be, but a link to run the attached virus."

I got one, exactly like that, yesterday. I clicked Junk on it, without knowing about profman's post. It looked phishy.
Thanks to both of you.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, SM2.9.1, FF12, TB12.0.1, IE8.0, Google Chrome18, Ghostwall , Avast 7.x, JRE1.7_04. Testing FF13b3

Post by djv1 » Mon 19 Jul, 2004 12:22 pm

Spoofstick also works on Firefox 0.9.1, as you can see in lime green on the top left

Image


BTW.- nice aviator pic Fulvio
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Dustin

Post by Antony » Sat 24 Jul, 2004 10:52 pm

Just received another email from the same sender IP:218.154.70.10,

Image

The problem... I don't have a Neteller account.

http://www_neteller_com.Kk21.CO.KR:7308/neteller.htm
Their eBay phishing page appears to be closed. They've got enough credit card numbers?

More in AntBlog701.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8

Post by Wellander » Sat 24 Jul, 2004 11:12 pm

Hi,
I think that stealing is against the law.
Is it not?
I think it is.
Why do websites do that?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040714

Post by geffr » Sun 25 Jul, 2004 1:43 am

The "bookmark" works great in Firefox, THANK YOU!! I get these "phishing" emails daily & have for several months. They don't worry me, but I suspect there will soon be a new generation of more effective spoofs.

If only the US credit card companies would stop accepting payments for these "people" & the spammers..................

I see the above as the only long term solution to spam. Good luck getting the corporations to sacrifice a few pennies, though.

Geff
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

Flaw in spoof checker

Post by angrytuna » Wed 09 Feb, 2005 2:15 pm

There is a new demonstrable spoof that works in Mozilla browsers, among others. The javascript checker above does not work with this new spoof. For details, see http://www.netsquirrel.com/articles/mozilla_spoofing.html, and try the fix on the page they link to.
UserAgent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

Re: Flaw in spoof checker

Post by Antony » Wed 09 Feb, 2005 6:38 pm

angrytuna wrote: There is a new demonstrable spoof that works in Mozilla browsers, among others. The javascript checker above does not work with this new spoof. For details, see http://www.netsquirrel.com/articles/mozilla_spoofing.html, and try the fix on the page they link to.

The JavaScript check provided does work!

Image

The demonstrated page is actually the same as "IDN" Spoofing Security Issue in FF,Moz,NS7,Safari posted by J-M.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.6 (KHTML, like Gecko) Safari/125.12

Post by Al » Wed 09 Feb, 2005 6:48 pm

It does not work on Mozilla Firefox
Image
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041108 Firefox/1.0
User of Firefox 3.0 on Windows XP

Post by Antony » Fri 21 Oct, 2005 11:19 pm

A new way to detect phishing emails (links),

Move the mouse cursor over the link, and wait for the actual URL to be revealed (if different from what appeared in the HTML-based mail)

Image

Next thing to do is to forward the received phishing email to spoof@ebay.com or spoof@paypal.com and help other people not to get scammed.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5
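
The link tricks described across this thread (the user:pass@host form, a look-alike subdomain on an unusual port, IDN look-alike names, and link text that differs from the real target) can be checked mechanically with the standard URL parser. This is an added example, not code from any poster; checkLink, checkHtml and SAMPLE_MAIL are names made up for it, and the sample mail is constructed from the URLs quoted in the posts.

```javascript
// Added example (not from the thread). SAMPLE_MAIL is constructed; its URLs
// are the ones quoted in the posts above.
const SAMPLE_MAIL = `
<p>Your account has been suspended. Please verify:</p>
<a href="http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm">
http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify</a>
<a href="http://www.paypal.com:randomstring@123.123.123.123/">PayPal</a>`;

// Return warning strings for one link: its href and its visible text.
function checkLink(href, text = "") {
  const warnings = [];
  let url;
  try { url = new URL(href); } catch { return ["unparseable URL"]; }
  // http://user:pass@host/ form: what precedes "@" is not the server.
  if (url.username || url.password) {
    warnings.push(`userinfo "${url.username}" present; real host is ${url.hostname}`);
  }
  // Bare IPv4 address instead of a registered name.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) warnings.push("host is an IP address");
  // url.port is "" for the scheme default (80 for http), so any value is unusual.
  if (url.port) warnings.push(`unusual port ${url.port}`);
  // IDN look-alikes: the parser converts non-ASCII labels to "xn--" punycode.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push(`internationalized host ${url.hostname}`);
  }
  // Visible text that is itself a URL but names a different server.
  const shown = text.trim();
  if (/^https?:\/\//i.test(shown)) {
    try {
      const shownHost = new URL(shown).hostname;
      if (shownHost !== url.hostname) {
        warnings.push(`text shows ${shownHost} but link goes to ${url.hostname}`);
      }
    } catch { /* visible text is not a valid URL; nothing to compare */ }
  }
  return warnings;
}

// Collect <a href="...">text</a> pairs from an HTML mail body. A regex is
// enough for the constructed sample; use a real HTML parser on live mail.
function checkHtml(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  return [...html.matchAll(re)].map(([, href, text]) => ({ href, warnings: checkLink(href, text) }));
}

for (const { href, warnings } of checkHtml(SAMPLE_MAIL)) {
  console.log(href, warnings.length ? warnings : "no warnings");
}
```

An empty warning list only means none of these four patterns matched; it does not establish that a link is genuine.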

