BigAl233 join:2001-08-14 New York, NY
eBay Java spoof
[Screenshots: fake address bar | with real address bar]
Is this a new kind of spoof?
This link: »parisharm.com/images/LKJDjedssjh···dex2.htm contains JavaScript that closes the address bar in IE and has a fake address bar at the top that makes it look like you are on the real eBay site.

inTulsa join:2002-02-24
That's a pretty serious problem; the browser shouldn't allow that kind of spoof. Is that IE6 with all the latest patches? Did all the other links point to parisharm.com, or was it just that script referenced from there?

mepadre join:2003-08-15 Waterloo, ON
reply to BigAl233
That is insane. Took a look at some of the scripting that is going on in that page and they are really doing some interesting stuff. That spoof will 'fool' 95% of the people who see it. Gotta hand it to them: even though their goals suck, their methods are brilliant. Now if we could only harness that knowledge for something 'good'.
That must be reported to eBay ASAP.

justin join:1999-05-28 Brooklyn, NY
reply to BigAl233
Looks like that URL is not valid anymore.
On the other hand, it looks long enough to be generated dynamically, so it could still be hitting people.
Another attempt to evade tracking... eBay complaint staff go "well, guess they closed it down - no need to do anything".
Hmm...
edit: guess the domain is a stolen one, with the target files camped out in the bottom of a directory from some company in New Jersey who doesn't keep their web server patched. The phishers would have dozens or hundreds of such hacked domains to use, if they are sophisticated.

starstuff join:2001-12-05 Mcallen, TX
Is the address bar removal limited to IE, or can it be done in Firefox/Firebird?

GrandFunkRR7 join:2003-02-12 Lebanon, PA
reply to BigAl233
Scary stuff. Time to have another security talk with my wife.
Ugh

Daemon join:2003-06-29 San Francisco, CA
reply to inTulsa
said by inTulsa: That's a pretty serious problem, the browser shouldn't allow that kind of spoof. Is that IE6 with all the latest patches?
I was just thinking about how to keep that from happening. You can't force the address bar to appear without making pages like the flash-based pop-up NBA scores applets on ESPN I enjoy so much look annoying (since they hide the toolbars now to look more like an applet and less like a web window).
IE would need some serious AI to interpret the page and suspect the page is a phish, so I don't know how you could warn people.
Maybe a micro address bar at the bottom of the page, that just shows where you are?
[rant] Or maybe we let these people get swindled, just like the people who try to beat the people at the street corner offering 3-card monte. People need to learn when to suspect a scam: eBay is not going to ask you to go verify credit card information. You need to be wary anytime anyone asks you for a cc#. I see these emails and that's the first flag that fires, even if it is valid. Eventually it will cost the credit card companies less money to educate people than it will to go after all of the phishers. [/rant]
-- -Ryan The more you know the more you know how little you know, you know?

inTulsa join:2002-02-24
said by Daemon: IE would need some serious AI to interpret the page and suspect the page is a phish, so I don't know how you could warn people.
It uses a "feature" (undocumented bug with a useful side-effect). IE has been patched several times to circumvent window manipulation & closure issues... but now someone found a way around the previous fixes. Otherwise this would have appeared to be just a popup window and the spoof would not have been quite so convincing. Microsoft may have to change (again) the way IE determines when a window can be closed by simple scripting without a prompt.
Should we be staying here or the Security thread? »What do you think of this phish? not pretty...

Mordy join:2001-12-02 Denver, CO
reply to Daemon
said by Daemon: [rant] Or maybe we let these people get swindled, just like the people who try to beat the people at the street corner offering 3-card monte. People need to learn when to suspect a scam- ebay is not going to ask you to go verify credit card information. You need to be wary anytime any one asks you for a cc#. I see these emails and that's the first flag that fires, even if it is valid. Eventually it will cost the credit card companies less money to educate people than it will to go after all of the phishers. [/rant]
Nice idea, but I remember the words of the PT Barnum quote: There's a sucker born every minute.
Education will never solve the problem; some people will never learn. If that were the case, we wouldn't need laws against breaking into someone's house, because everybody should know that you need to lock your door. The reality is that security is everyone's problem, not just the maker of the browser, or the user, or the legislator who writes the laws.
As far as needing AI, all that is really needed is a warning that the browser's display is being modified... let the user decide to have the screen changed.
-- Facts do not cease to exist because they are ignored - Aldous Huxley

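The two mitigations floated in this thread (Mordy's "warn when the display is being modified" and Daemon's "micro address bar at the bottom of the page") can be sketched as a user-script style check. This is an added example, not code from the thread or from any browser; it assumes the standard BarProp objects (window.locationbar, menubar, toolbar, statusbar, personalbar) and uses a constructed stand-in window so it runs outside a browser.

```javascript
// Added example, not code from the thread: a user-script style check that
// implements Mordy's "warn when the browser display is modified" and Daemon's
// "micro address bar". Assumes the standard window.locationbar/menubar/toolbar/
// statusbar/personalbar BarProp objects; the sample window below is constructed.
const CHROME_BARS = ["locationbar", "menubar", "toolbar", "statusbar", "personalbar"];

// Names of the browser chrome bars the current window has hidden.
function hiddenBars(win) {
  return CHROME_BARS.filter((name) => win[name] && win[name].visible === false);
}

// Assess a window: hidden bars, whether it was opened by script (a pop-up that
// replaced the user's original window, as in the thread), and the real host.
function assessWindow(win, expectedHost) {
  const hidden = hiddenBars(win);
  const host = ((win.location && win.location.hostname) || "").toLowerCase();
  const onExpected = host === expectedHost || host.endsWith("." + expectedHost);
  return {
    hidden,
    scriptOpened: win.opener != null,
    host,
    // The thread's spoof: location bar gone and the host is not the expected site.
    suspicious: hidden.includes("locationbar") && !onExpected,
  };
}

// Text for a small always-visible bar that shows where the user really is.
function bannerText(a) {
  const flags = [];
  if (a.hidden.length) flags.push("browser bars hidden: " + a.hidden.join(", "));
  if (a.scriptOpened) flags.push("window opened by script");
  const where = "You are on " + (a.host || "(no host)");
  return flags.length ? where + " -- " + flags.join("; ") : where;
}

// Constructed stand-in for the spoof window described in the thread: opened by
// script, all bars but the status bar hidden, real host parisharm.com.
const SAMPLE_SPOOF_WINDOW = {
  locationbar: { visible: false },
  menubar: { visible: false },
  toolbar: { visible: false },
  statusbar: { visible: true },
  personalbar: { visible: false },
  opener: {},
  location: { hostname: "parisharm.com" },
};

// In a browser user-script: append bannerText(assessWindow(window, "ebay.com"))
// to a fixed element at the bottom of every page.
```

A page's own script cannot un-hide the bars it hid, so the banner has to come from the browser side (extension or user-script), which is exactly where Mordy's warning would live.
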
EGeezer join:2002-08-04 Country!
reply to BigAl233
Another sad part to this is that »parisharm.com is an IT consulting firm.

pcscdma join:2004-01-14 Winterset, IA
reply to Mordy
said by Mordy: Nice idea, but I remember the words of PT Barnum quote: There's a sucker born every minute
I never remember him saying that ?????
-- The smarter computers get, the more faith I put into Newton's 3rd law.

Daemon join:2003-06-29 San Francisco, CA
reply to inTulsa
said by inTulsa: Otherwise this would have appeared to be just a popup window and the spoof would not have been quite so convincing. Microsoft may have to change (again) the way IE determines when a window can be closed by simple scripting without a prompt.
Ah, I hadn't realized the phish had to open a new window and close the old one. (Now I see that it does, obviously.) Does it get the size of the old window so the new one opens in the same size?
-- -Ryan The more you know the more you know how little you know, you know?

inTulsa join:2002-02-24
said by Daemon: Does it get the size of the old window so the new one opens in the same size?
Good insight!! Step 1 of the spoof maximized the old window, so the replacement window appeared over it seamlessly.
I'm amazed at how many people have a 1280x1024 video mode yet still have their browser maximized. Few of them would have noticed anything peculiar.

Mordy join:2001-12-02 Denver, CO
reply to pcscdma
said by pcscdma:
  said by Mordy: Nice idea, but I remember the words of PT Barnum quote: There's a sucker born every minute
  I never remember him saying that ?????
You are right! Mea culpa... »www.historybuff.com/library/refbarnum.html
-- Facts do not cease to exist because they are ignored - Aldous Huxley

Daemon join:2003-06-29 San Francisco, CA
reply to inTulsa
said by inTulsa: I'm amazed at how many people have a 1280x1024 video mode yet still have their browser maximized. Few of them would have noticed anything peculiar.
Yes, well, I'd be one of those people. (It's only useful for a few sites, I know.)
-- -Ryan The more you know the more you know how little you know, you know?

keith2468 join:2001-02-03 Winnipeg, MB
reply to BigAl233
Throw them in jail.
They need to start throwing these criminal con artists in jail.
There is no end of cons in this world, and there is simply no way of educating people to stop them getting conned when law enforcement hasn't seen the con yet.
It isn't perfect, but it does reduce fraud in the physical world.

Lucif4 join:2000-12-12
reply to BigAl233
Re: eBay Java spoof
This really isn't a new spoof, so to speak. But the address is one I have not seen. I've been getting a lot of eBay and PayPal fake emails, most of them having to do with the same thing posted here. And each and every one of them has been forwarded on to spoof@ebay.com and spoof@paypal.com, respectively. I don't really think eBay cares too much. I wish I could do more, because it is annoying enough seeing these ID theft attempts. Even worse, for every one I see, there is a handful that are becoming a part of the ID theft crowd.
Lesson is (once again): you never click on a link in an email.
-- You never know when you'll need a guardian devil.