The Un-Official Proxomitron Forum
Latest phishing technique - Printable Version




- Siamesecat - Jun. 15, 2004 07:01 AM

How would one filter the latest phish style which is supposed to work on even Mozilla browsers? Apparently the format is:
http://[trusted_site]%2F%20%20%20.[malicious_site]/
It would be necessary to remove any number of space codes from this.
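
Added example, not part of the original post: one way to detect the format described above is to flag any link whose host part (everything before the first literal slash) still contains a percent-escape. This is a Python sketch rather than a Proxomitron filter; the function names and the hosts `trusted.example` and `malicious.example` are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Authority = text between "scheme://" and the first literal "/", "?" or "#".
AUTHORITY = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#]*)', re.I)
# ASCII host[:port] or bracketed IPv6; IDN hosts are expected in punycode form.
HOST_OK = re.compile(r'^(?:[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d+)?$', re.I)
# Quoted href attributes only; unquoted hrefs are out of scope for this sketch.
HREF = re.compile(r'href\s*=\s*(["\'])(.*?)\1', re.I | re.S)

def inspect_url(url):
    """Classify one URL; 'shown' and 'tail' are filled for the escaped-host case."""
    result = {"suspicious": False, "reason": "ok", "shown": None, "tail": None}
    m = AUTHORITY.match(url.strip())
    if not m or not m.group(1):
        result["reason"] = "no authority component"
        return result
    host = m.group(1).rsplit("@", 1)[-1]          # drop userinfo, if any
    if "%" in host:
        decoded = unquote(host)
        # Part a reader takes for the site, up to the decoded "/" or space.
        shown = re.split(r'[/\s]', decoded, maxsplit=1)[0]
        # What follows once the slash, padding spaces and dot are skipped.
        tail = re.sub(r'^[/\s.]+', '', decoded[len(shown):])
        result.update(suspicious=True, reason="percent-escape inside host",
                      shown=shown, tail=tail)
    elif not HOST_OK.match(host):
        result.update(suspicious=True, reason="illegal character in host")
    return result

def find_suspicious_links(html):
    """Return [(url, verdict)] for every quoted href whose host is flagged."""
    hits = []
    for _, url in HREF.findall(html):
        verdict = inspect_url(url)
        if verdict["suspicious"]:
            hits.append((url, verdict))
    return hits

# Constructed sample page: one link in the thread's format, two ordinary links.
SAMPLE_HTML = '''
<a href="http://trusted.example%2F%20%20%20.malicious.example/">Sign in</a>
<a href="http://www.example.org/docs/a%20b.html">Docs</a>
<a href='https://user@www.example.org:8443/'>Admin</a>
'''

if __name__ == "__main__":
    for url, v in find_suspicious_links(SAMPLE_HTML):
        print(url, "->", v["reason"], "| looks like", v["shown"], "| continues as", v["tail"])
```

Escapes in the path (such as `a%20b.html`) are left alone; only escapes or illegal characters before the first literal slash are flagged, so the number of `%20` codes does not matter.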


- sidki3003 - Jun. 15, 2004 08:41 AM

Do you have a real example URL?


- Shea - Jun. 15, 2004 02:57 PM

Link Test

It doesn't seem to work on the forums here, I typed:

http://74.53.146.215%2F%20%20%20.www.unitethecows.com

PS - Both sites are clean.


- ProxRocks - Jun. 15, 2004 03:25 PM

My un-prefix filter blocks those (with a slight problem with the link title)...
Code:
Name = "Un-Prefix Multi URL Links [Key=^Shift] {unknown origin} (modified) [add]"
Active = TRUE
Multi = TRUE
URL = "($TYPE(htm)|$TYPE(js))(^$TST(keyword=*.redpref.*))(^$KEYCHK(^S))(^$LST(Secure))"
Bounds = "<a\s*</a>"
Limit = 512
Match = "<a\s"
"\2href="
"("
"("|)\0(^javascript:)"
""
"&$AV("
"("
"????????*[^a-z0-9]"
""
"("
"((http|ftp)(s|)://)\4"
"|URL=(^(http|ftp)(s|)://)$SET(4=http://)"
"|www.$SET(4=http://www.)"
")"
")+{1,*}([^\&]+)\1*([\&]+)\7*([^\&]+[^a-z0-9]+[^\&]+)\8*"
""
")"
""
")\6"
"\3>\5</a>"
Replace = "<a title='Link Prefix Removed: \6' class="prefixed" \2href=\0\4\1\7\8\0 \3>\5</a>"



- Kye-U - Jun. 15, 2004 07:56 PM

I have no problem here... I have Mozilla Firefox [unsure]


- Siamesecat - Jun. 16, 2004 06:19 AM

When I try Shea's example, I get an error message. My browser is trying to find something on the first host, not the second. Just because spaces are in the URL, why would the browser go to the second host?



- ProxRocks - Jun. 16, 2004 10:45 AM

That's what "phishing" is - a "method" to "trick" the browser into going to that second host... I'm not sure if a fully patched IE prevents this or not... All of the "latest" config sets prevent it if you use JD or sidki configs...

Try a Google search on "internet browser phishing" and see what comes up...


- Shea - Jun. 16, 2004 03:54 PM

In my example I also said it DIDN'T WORK. I was just testing it here on the forums.

Last time didn't hpguru make some test pages? Maybe he'd do it again if we can get him back to the forums here.


- Jaded_Goth - Jul. 16, 2004 10:12 PM

News of yet another phishing scam, here:

http://spamwatch.codefish.net.au/modules.p...article&sid=142

Pretty nice site, that. I hadn't been there before - followed a link from SANS.