Re: phishing with google ?

Re: phishing with google ?

am 25.09.2006 08:49:32 von unknown

Post removed (X-No-Archive: yes)

Re: phishing with google ?

am 25.09.2006 09:59:29 von Mak

Sebastian Gottschalk wrote:
> mak wrote:
>
>> hi, got a phishing mail today, very easy to recognize, but the link that
>> you are supposed to click and "renew your paypal account, because it
>> expired " is the following:
>>
>>
>>
>>
>> so 2 questions: what happens when people click the link as far as google
>> "pagead"
>
> The website is opened?

yes, but obviously there is some sort of redirect, what is this "pagead" business?
why would the spammer not just use the "http://1037997238:9999/webscrr/index.php" link ?

?
mak
>> why can a browser read http://1037997238:9999
>
> Because many webbbrowser utilize standardized string conversion functions
> from LibC, which also process some unwanted formats. Yes, this is a
> problem.
>
> ->
>
>
>
>> or how do you convert that into an ipaddress?
>
> It's the decimal expression of an unsigned 32 bit integer. IP (v4)
> addresses are 32 bit fields. Trivial.

Re: phishing with google ?

am 25.09.2006 10:10:25 von unknown

Post removed (X-No-Archive: yes)

Re: phishing with google ?

am 26.09.2006 06:53:29 von Barry Margolin

In article <4nph88Fbes6sU1@news.dfncis.de>,
Sebastian Gottschalk wrote:

> mak wrote:
>
> > yes, but obviously there is some sort of redirect, what is this "pagead"
> > business?
>
> The website advertisement business from Google Inc.? What else?
>
> > why would the spammer not just use the
> > "http://1037997238:9999/webscrr/index.php" link ?
>
> 1. to obfuscate the real link target
> 2. to possibly spoof the browser's address bar for a short time, depending
> on slow GUI reaction

Or when the user hovers his mouse over the link in the mail, he'll see a
Google URL. Since he uses Google all the time, he trusts them, and
won't be suspicious of the link.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: phishing with google ?

am 26.09.2006 09:29:54 von unknown

Post removed (X-No-Archive: yes)

Re: phishing with google ?

am 26.09.2006 19:40:07 von Barry Margolin

In article <4ns38bFbok3rU1@news.dfncis.de>,
Sebastian Gottschalk wrote:

> Barry Margolin wrote:
>
> > In article <4nph88Fbes6sU1@news.dfncis.de>,
> > Sebastian Gottschalk wrote:
> >
> >> mak wrote:
> >>
> >>> yes, but obviously there is some sort of redirect, what is this "pagead"
> >>> business?
> >>
> >> The website advertisement business from Google Inc.? What else?
> >>
> >>> why would the spammer not just use the
> >>> "http://1037997238:9999/webscrr/index.php" link ?
> >>
> >> 1. to obfuscate the real link target
> >> 2. to possibly spoof the browser's address bar for a short time, depending
> >> on slow GUI reaction
> >
> > Or when the user hovers his mouse over the link in the mail, he'll see a
> > Google URL. Since he uses Google all the time, he trusts them, and
> > won't be suspicious of the link.
>
> That's that obfuscation means.

I thought you were referring to getting around automatic phishing
filters, not human observers.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***