  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
Host: OptimumOnline Users Find Hot Deals Users find Hot Dea.. Requests for Hot D..
| New Phishing Technique?
I just received an Ebay Phishing Email.
The whole email was just the attached picture which was a clickable link.
Using OE, when I hover my mouse over the picture, the same link that's listed in the picture appears in the status bar at the bottom of OE.
If you click on the picture, you go to the typical phishing IP address type website.
How do they get the status bar to show the wrong link?
I'd think this would be a major problem as, in the past, I've seen many people suggest that you use the status bar to see that the link is wrong.
Is this something new? |
|
  Old Computer Premium join:2002-04-12 Europe
| I received the same mail one month ago... I am not an Ebay user, and followed the link to know where to go. Here is a screenshot, with a false user name. I entered a wrong card number and was redirected to a page in order to confirm also my Paypal account. A Whois shows the site in China (IP range), and I reported this immediately to Ebay and forwarded the whole false email. |
|
  bbrlogue Learning New Things Daily Premium join:2003-12-07 Alexandria, VA
| reply to Lex Luthor
Is the HTML email using label attribute to show the fake ebay URL on the status bar?
You can turn off HTML, or instead of directly launching links from the mail reader, right click, copy link location (in TB, but there must be something similar in OE), and paste it to the browser address bar to see the actual URL.
Or display the full message header to verify the sender. In TB, the "View Headers Toggle Button" extension adds a convenient button for that, or just CTRL-U for the full source. |
|
  stephen d An Important Message From Premium join:2005-11-25 Laval, QC
| I got that email over 6 months ago!!!!. You can put anything in the username and password field if you want to go further. And as I recall, it was always changing IP address. There was even one that had a guide to phishing on the same server!!!!!!!
I laugh my head off at that one |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
1 edit | reply to bbrlogue
said by bbrlogue: Is the HTML email using label attribute to show the fake ebay URL on the status bar?
How would I know that?
Yes, I understand this type of email is old and been around. No, I'm not going to get fooled by it either way.
What I am questioning is if it's some new technique that can make my status bar show a different URL from what happens when the link is clicked.
I'm surprised that it's not something Microsoft has patched/fixed as it's a pretty good trick to fool people into going to the site.
Here's the whole "view source" of the email. I made it a screen shot, because I couldn't figure out how to enter it here with all that html coding. |
|
  Old Computer Premium join:2002-04-12 Europe
| reply to bbrlogue
I have an old screen shot to show a part of the HTML code. And yes, when you move the mouse over the image (the mail) you can see the fake IP address 218.4.240.130/xxxxx and not Https://Cgi.ebay.... |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
1 edit | said by Old Computer: And yes, when you move the mouse over the image (the mail) you can see the fake IP address 218.4.240.130/xxxxx and not Https://Cgi.ebay....
Not with mine you don't.
See attached. |
|
  Old Computer Premium join:2002-04-12 Europe
| Ouch! I use Mozilla Mail as my mail client. Do you have your Windows fully patched? When I move the mouse over the image (anywhere) I can see the full direct (fake) link with IP address. |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY
| said by Old Computer: Ouch! I use Mozilla Mail as my mail client. Do you have your Windows fully patched? When I move the mouse over the image (anywhere) I can see the full direct (fake) link with IP address.
Yes, fully patched, most recent IE/OE and I'm on W2K.
I'll have to check on my XP machine later, but I suspect the same.
Same thing happens when I view the mail in IE through my ISP's webmail.
When viewing the mail in FF through the ISP's webmail, I see the fake URL in the status line.
I didn't think OE/IE could be tricked that easily. Can't MS fix that behavior? |
|
 B Premium,MVM join:2000-10-28 | ...must...resist...ms...bashing...
-- B |
|
  Red Dragon Imagine BBR in 20 years
join:2005-04-30 Scarsdale, NY
| reply to Lex Luthor
Sure they can. Just give them 2 years to admit there is a problem, then give them an additional 2 months to make a patch. After they make a patch, expect another 3 months of testing. Now you have a patch that is, well, great, it works. And by that time IE 7 sp4 will be out.
-- That light that you see at the end of the tunnel. You know, that really bright one; well, it's not salvation. It's the 6 o'clock freight train |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY | Is this trick something new? I was under the impression that MS had previously altered IE/OE so that it shows the true URL in the status bar. No? |
|
  Red Dragon Imagine BBR in 20 years
join:2005-04-30 Scarsdale, NY
| The address bar spoofing has been around for a while now and is employed in most phishing scams. For the average user, if it says ebay in the address bar it's ebay to them.
-- That light that you see at the end of the tunnel. You know, that really bright one; well, it's not salvation. It's the 6 o'clock freight train |
|
 claudeo
join:2000-02-23 Redmond, WA
| reply to Lex Luthor
Now this status bar trick is sick. Fullscreen window in IE and Firefox always comes up with a status bar these days, with no way to defeat the status bar so as to prevent the classic "fake desktop" trick. But if the content of the status bar can be faked (e.g. by setting window.status in a mouseover handler) that defeats the whole purpose. Half security here is sometimes worse than no security. |
|
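Added example, not part of any post in this thread: a defender-side check for the mismatch discussed above, flagging anchors in an HTML mail body whose `href` is a raw IP address or whose hover attributes (`onmouseover`, `title`) name a different host than the `href`. The sample HTML, the `203.0.113.7` address and the `ebay.example` host names are constructed for illustration, and `audit`, `LinkAuditor` and the helpers are hypothetical names.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)  # first URL-looking string

# Constructed sample: an image-only mail body plus one honest link.
SAMPLE = """<a href="http://203.0.113.7/xxxxx"
 onmouseover="window.status='https://signin.ebay.example/ws/'; return true"><img src="cid:mail.gif"></a>
<a href="https://www.ebay.example/help" title="https://www.ebay.example/help">Help</a>"""

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return ""
def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    """Records anchors whose hover text names a different host than href."""
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (href, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = a.get("href") or ""
        reasons = []
        if is_ip(host_of(href)):
            reasons.append("href host is a raw IP address")
        for name in ("onmouseover", "title"):
            shown = URL_RE.search(a.get(name) or "")
            if shown and host_of(shown.group()) != host_of(href):
                reasons.append(f"{name} shows {host_of(shown.group())}")
        if reasons:
            self.findings.append((href, reasons))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings
```

Because the check reads the `href` attribute itself, its result does not depend on what a given mail client puts in its status bar.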
 dantz
join:2005-05-09 Honolulu, HI
·Hawaiian Telcom
| reply to Lex Luthor
said by Lex Luthor: Yes, fully patched, most recent IE/OE and I'm on W2K. I'll have to check on my XP machine later, but I suspect the same. Same thing happens when I view the mail in IE through my ISP's webmail. When viewing the mail in FF through the ISP's webmail, I see the fake URL in the status line. I didn't think OE/IE could be tricked that easily. Can't MS fix that behavior?
WinXP SP2 with OE6 (fully updated) is not susceptible to the spoof you are describing. |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY | dantz, I'll check that tonight. |
|
  stephen d An Important Message From Premium join:2005-11-25 Laval, QC | Also note it is from "EBay Inc". Usually it is always from Ebay.ca or ebay.com (or the domain of the country you are in, like ebay.co.uk) |
|
  Lex Luthor Premium,Mod join:2000-09-17 Hicksville, NY | Yes, XP SP2 with patched IE/OE appears to not be susceptible to this type of trick.
I guess that's why I thought it was something new. I get most of my mail on my XP machine. |
|
 B Premium,MVM join:2000-10-28
| reply to dantz
said by dantz: said by Lex Luthor: Yes, fully patched, most recent IE/OE and I'm on W2K. WinXP SP2 with OE6 (fully updated) is not susceptible to the spoof you are describing.
...must...resist...
-- In a realm outside causality and function |
|
  Red Dragon Imagine BBR in 20 years
join:2005-04-30 Scarsdale, NY | Give in to your feelings. |
|