Danger - Phishing ahead > Don't trust the Lock icon either!

Don't trust the Lock icon either!

Did you knock this site up? i was going to try an https redirect to see if it could be done, it seemed like it could but I didn't have a domain handy.

Yes, I set it up. As long as the "real" webhost has a valid SSL certificate (and is issued by a root that is trusted by the browser), no warning is popped up at all. Scary, huh.

I figured it would work, as its just a display bug, really. Damn. I updated the news bit to link to your post demonstrating the fake encrypted site that gives no alerts about the certificate not matching what is displayed in the address bar.

reply to The Way Out
omg no way!! you're one evil genius

reply to The Way Out
Hmmmm...when I click it I get »secure.divo.net/notpaypal/ in the address bar.

IE Version 6.0.2800.1106.xpsp2.030422-1633

hover your link over his paypal link .. see (phish removed) ?

I added phish protection to these forums

but it did work just fine, he is right.

edit: protection will be lifted shortly just for his post. Try it later if you're still interested.

reply to The Way Out
Interesting, using IE through Avant Browser, I get
»www.paypal.com
@secure.divo.n···tpaypal/

But using IE standalone I get:
»www.paypal.com/

Using Firebird I get
»www.paypal.com%01@secure.divo.net/notpaypal/
--
"Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule."-- David Guaspari

reply to The Way Out
The address bar doesn't even say www.paypal.com
It says "https://www.paypal.com%01@secure.divo.net/notpaypal/"

reply to kwitko7

Avant Browser

reply to justin

Re: Don't trust the Lock icon either!

reply to justin
I was thinking some more about this bug and I came up with an even scarier usage.

Using the Apache "Redirect" directive you can phish an entire site! Just put this into your httpd.conf!

Redirect /test "http://www.domainyouwant.com^A@www.domainyouhave.com"

thats cute. I figured there would be creative use of redirectors.

I mean - you could post one of those "Special offer" links, the ones that nobody expects to look correct because they are long and have affiliate pay-on-click codes in them? - and then redirect to a phished version of SBC DSL signup page and keep them within it. Then collect credit card numbers for days before the victims noticed.

reply to The Way Out
/extreme_sarcasm

Well, hopefully, Microsoft will give this matter several weeks or months of careful consideration and analysis, as they seem to be with the recently-announced active scripting exploits.

--
"Security is a tax on the honest." --Bruce Schneier, Beyond Fear, Copernicus, 2003

reply to The Way Out
I actually blocked the link from showing up using ad blocker in norton IS

reply to The Way Out

said by The Way Out:

---

Want to see something scary? Try this link:

https://www.paypal.com

It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|

---

reply to The Way Out
ViruScan Enterprise pops a window just by opening the forum post. I guess Microsoft will get around to this soomer or later....