| SillyDog701 Forums |
profman


Joined: 11 Sep 2002 Posts: 1500
|
24 May, 2004 7:04 pm A check for URL address spoofing |
[sdp=33462] |
|
A recent thread, Re: Spoofstick for Mozilla?, in the netscape.mozilla.user.win32 newsgroup discussed how to determine if a link really goes to where it is supposed to. The practice, PHISHING, is where you are sent to a page that looks like an official site, but the site really is just designed to steal personal data.
Mozilla already shows the real URL in the Status Bar at the bottom, but "hb" offers a fairly neat way of checking. He states:
| Quote: | Create a bookmark named VERIFY URL. Put this in its "location" box...
| Code: |
javascript:alert(%22The real URL is: %22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is: %22 + location.href + %22\n%22 + %22If the server names do not match, this may be a spoof.%22);
|
I straightened out the code which had wrapped in the original newsgroup post. It looks wrapped above, but seems to paste in just fine.
I tried it, and it seems to work.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
|
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
24 May, 2004 10:29 pm |
[sdp=33482] |
|
Thanks profman.
And I am here to confirm that it works with Safari!
Related issues...
There are a few other ways to detect if the actual page is located where the URL bar says. Context click (*) on the page, and try to view the source. If the source has a frame structure, you will need to worry about it.
Also, when clicking a link from emails, be very careful about the structure of that link...
Many scam websites hide their URLs in the following format....
http://www.paypal.com:randomstring@123.123.123.123/
Where they pretend to be PayPal, and the actual URL is 123.123.123.123
The format was:
http://user:pass@url.com/
(*) Commonly known as right-click.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1
|
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
25 May, 2004 10:57 am |
[sdp=33516] |
|
Slightly off topic,
Those look-alike "phishing" things also appear in emails as well...
Looks like a link you should click?
But when you check the source code...
It's not the link it looks like, but a link to run the attached virus.
the virus?
Suggestion, verify before you click.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1
|
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
19 Jul, 2004 9:10 am |
[sdp=38862] |
|
Today, I received one fake email said to be from eBay.com <aw-confirm@ebay.com> (the email was sent from IP address 218.154.70.10) with the title "Your account at eBay has been suspended".
Without a thought, I knew it was a fake, wanting to steal my data.
So I decided to investigate it.
The email asked me to click
http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify
But if I click that, the actual link I click would be
http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm
BINGO!
The real website is rndsystems.co.kr with subdomain signin_ebay_com_account and using an unusual port number 7308. (the usual web pages use port 80)
You can read my further investigation of that website.
I recommend all users check the raw source of any questionable emails.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8
Last edited by Antony on 24 Jul, 2004 10:24 pm; edited once(1) |
|
|
 |
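The checks described in the posts above (login data before an "@", a bare IP address as host, an unusual port, link text that names a different host than the real link), as an added example that is not part of the original thread. The function name `checkLink` and its warning strings are assumptions made for illustration; the sample links are the ones quoted in the posts.

```javascript
"use strict";

// Returns a list of warnings for one link; an empty list means nothing was flagged.
// displayText is what the mail shows, href is where the link really goes.
function checkLink(displayText, href) {
  const warnings = [];
  let target;
  try {
    target = new URL(href);
  } catch (e) {
    return ["href is not a parseable absolute URL"];
  }
  // http://user:pass@host/ : everything before "@" is login data, not the site.
  if (target.username || target.password) {
    warnings.push(`"${target.username}" is userinfo; the real host is ${target.hostname}`);
  }
  // A bare IPv4 address instead of a name.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(target.hostname)) {
    warnings.push(`host is a bare IP address: ${target.hostname}`);
  }
  // URL.port is "" when the scheme's default port (80 for http) is used.
  if (target.port !== "") {
    warnings.push(`unusual port ${target.port}`);
  }
  // If the visible text is itself a URL, its host should match the href's host.
  let shown = null;
  try { shown = new URL(displayText.trim()); } catch (e) { /* plain-text label */ }
  if (shown && shown.hostname !== target.hostname) {
    warnings.push(`text shows ${shown.hostname} but the link goes to ${target.hostname}`);
  }
  return warnings;
}

// Link text / href pairs quoted in the posts above ("PayPal" as link text is constructed).
const samples = [
  ["http://signin.ebay.com/aw-cgi/eBayISAPI.dll?Verify",
   "http://signin_ebay_com_account.rndsystems.co.kr:7308/ebay.htm"],
  ["PayPal", "http://www.paypal.com:randomstring@123.123.123.123/"],
];
for (const [text, href] of samples) {
  console.log(href, checkLink(text, href));
}
```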
Fulvio


Joined: 19 Jun 2002 Posts: 11030
|
19 Jul, 2004 10:18 am |
[sdp=38866] |
|
"It's not the link it looks like, but a link to run the attached virus."
I got one, exactly like that, yesterday. I clicked Junk on it, without knowing about profman's post. It looked phishy.
Thanks to both of you.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707
"I've got a very poor sense of direction. I keep forgetting which way is forwards."
WinXP, SP3, 512 MB, 3.0.15 regular, 3.5.5 regular and portable , TB2.0.0.23, Flock2.5.2, IE8.0, SM2.0, Google Chrome2.0.x, Zone Alarm; AVG9.0, JRE1.6_17 |
|
|
 |
djv1

 Dustin Joined: 14 Jan 2004 Posts: 1159
|
19 Jul, 2004 11:22 am |
[sdp=38877] |
|
Spoofstick also works on Firefox 0.9.1, as you can see in lime green on the top left
BTW.- nice aviator pic Fulvio
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Dustin |
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
24 Jul, 2004 9:52 pm |
[sdp=39433] |
|
Just received another email from the same sender IP:218.154.70.10,
The problem... I don't have a Neteller account.
http://www_neteller_com.Kk21.CO.KR:7308/neteller.htm
Their eBay phishing page appears to be closed. They've got enough credit card numbers?
More in AntBlog701 .
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8
|
|
|
 |
Wellander


Joined: 21 Oct 2002 Posts: 2576
|
24 Jul, 2004 10:12 pm |
[sdp=39434] |
|
Hi,
I think that stealing is against the law.
Is it not?
I think it is.
Why do websites do that?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8a2) Gecko/20040714 |
|
|
 |
geffr

 Geff Joined: 07 Mar 2004 Posts: 193
|
25 Jul, 2004 12:43 am |
[sdp=39445] |
|
The "bookmark" works great in Firefox, THANK YOU!! I get these "phishing" emails daily & have for several months. They don't worry me, but I suspect there will soon be a new generation of more effective spoofs.
If only the US credit card companies would stop accepting payments for these "people" & the spammers..................
I see the above as the only long term solution to spam. Good luck getting the corporations to sacrifice a few pennies, though.
Geff
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 |
|
|
 |
angrytuna

 aron beal Joined: 09 Feb 2005 Posts: 1
|
09 Feb, 2005 1:15 pm Flaw in spoof checker |
[sdp=52579] |
|
There is a new demonstrable spoof that works in Mozilla browsers, among others. The javascript checker above does not work with this new spoof. For details, see http://www.netsquirrel.com/articles/mozilla_spoofing.html , and try the fix on the page they link to.
UserAgent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 |
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
09 Feb, 2005 5:38 pm Re: Flaw in spoof checker |
[sdp=52609] |
|
The JavaScript check provided does work!
The demonstrated page is actually the same as "IDN" Spoofing Security Issue in FF,Moz,NS7,Safari posted by J-M.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.5.6 (KHTML, like Gecko) Safari/125.12
|
|
|
 |
Al


Joined: 20 Dec 2002 Posts: 1696
|
09 Feb, 2005 5:48 pm |
[sdp=52612] |
|
It does not work on Mozilla Firefox

UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5) Gecko/20041108 Firefox/1.0
User of Firefox 3.0 on Windows XP |
|
|
 |
Antony


Joined: 18 Jun 2002 Posts: 12725 Location: Sydney, Australia
|
21 Oct, 2005 10:19 pm |
[sdp=65263] |
|
A new way to detect phishing emails (links),
Move the mouse cursor over the link, and wait for the actual URL to be revealed (if different from what appeared in the HTML-based mail)
Next thing to do is to forward the received phishing email to spoof@ebay.com or spoof@paypal.com and help other people not to get scammed.
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412.7 (KHTML, like Gecko) Safari/412.5
|
|
|
 |
|