justin (Australian, join: 1999-05-28, Brooklyn, NY), reply to The Way Out, Re: Don't trust the Lock icon either!
Did you knock this site up? I was going to try an https redirect to see if it could be done; it seemed like it could, but I didn't have a domain handy.

The Way Out (join: 2003-01-20)
Yes, I set it up. As long as the "real" webhost has a valid SSL certificate (and it is issued by a root that is trusted by the browser), no warning is popped up at all. Scary, huh.

justin (Australian, join: 1999-05-28, Brooklyn, NY)
I figured it would work, as it's just a display bug, really. Damn. I updated the news bit to link to your post demonstrating the fake encrypted site that gives no alerts about the certificate not matching what is displayed in the address bar.

Googled (Yay, I have FIOS; join: 2001-08-13, Orchard Park, NY), reply to justin
I was thinking some more about this bug and I came up with an even scarier usage.
Using the Apache "Redirect" directive you can phish an entire site! Just put this into your httpd.conf!
Redirect /test "http://www.domainyouwant.com^A@www.domainyouhave.com"
Now anyone who visits www.domainyouhave.com/test will be redirected to the phished site! Doing this makes IE automatically modify EVERY link on the page to a phished version!
-- DirecWay DW3000 DRS, SatMex 5 1170 gateway 164, P3-533/256 MB, AOL+ 7.0 4114.10712 on 98SE w/ICS, shared to 2 x 2K Pro, 1 x Redhat Linux 7.3, 1 x Netgear 802.11b

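The Redirect target above, and The Way Out's point that a valid certificate on the "real" host silences every warning, both come down to one thing a defender can check for: a URL whose userinfo part (the text before the "@") reads like a hostname and is cut off from the real host by a control byte such as ^A (0x01). The following is an added example, not code posted in this thread; it parses a URL, separates what the address bar would appear to show from the host the browser actually connects to, and flags the mismatch. It is the kind of check a link scanner or outbound proxy would run on redirect targets. The sample URLs and the hypothetical `analyze_url` / `scan_urls` names are constructed for illustration; it also catches the percent-encoded form of the control byte and a host-like userinfo with no control byte at all, which the thread does not discuss.

```python
"""Added example: flag URLs whose userinfo part disguises the real host.

Not code from the thread; a defender-side check for a proxy log or link
scanner. All sample URLs below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# ASCII control bytes (0x00-0x1F, 0x7F). An address bar that stops rendering
# at one of these shows only the text before it.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
# What a user would read as a hostname: labels separated by dots, with a TLD.
HOSTLIKE_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def analyze_url(url: str) -> dict:
    """Return real host, apparent host and a spoofing verdict for one URL."""
    parts = urlsplit(url)
    # .hostname already discards userinfo and the port and lowercases the result.
    real_host = (parts.hostname or "").lower()
    if "@" not in parts.netloc:
        return {"real_host": real_host, "apparent_host": real_host,
                "userinfo": None, "control_chars": False, "spoofed": False}

    # Everything before the last '@' is userinfo; the real host follows it.
    userinfo, _, _ = parts.netloc.rpartition("@")
    decoded = unquote(userinfo)  # also catches the %01-style encoded variant
    has_ctrl = CONTROL_RE.search(decoded) is not None
    # What a reader sees: the userinfo text up to the first control byte.
    visible = CONTROL_RE.split(decoded, maxsplit=1)[0].lower()
    looks_like_host = HOSTLIKE_RE.fullmatch(visible) is not None
    return {
        "real_host": real_host,
        "apparent_host": visible if looks_like_host else real_host,
        "userinfo": userinfo,
        "control_chars": has_ctrl,
        "spoofed": looks_like_host and visible != real_host,
    }


def scan_urls(urls):
    """Return (url, reason) for every URL that should be blocked or reviewed."""
    flagged = []
    for url in urls:
        r = analyze_url(url)
        if r["spoofed"]:
            reason = "displays %s but connects to %s" % (r["apparent_host"], r["real_host"])
            if r["control_chars"]:
                reason += " (control character in userinfo)"
            flagged.append((url, reason))
        elif r["control_chars"]:
            flagged.append((url, "control character in userinfo"))
    return flagged


# Constructed samples (not real sites). The first two mirror the thread's
# Redirect target: ^A is the byte 0x01, once raw and once percent-encoded.
SAMPLE_URLS = [
    "http://www.domainyouwant.com\x01@www.domainyouhave.com/",
    "http://www.domainyouwant.com%01@www.domainyouhave.com/",
    "http://www.domainyouwant.com@www.domainyouhave.com/",  # no control byte
    "ftp://user:secret@ftp.example.org/pub/",                 # legitimate userinfo
    "https://www.example.com/login",
]

if __name__ == "__main__":
    for url, reason in scan_urls(SAMPLE_URLS):
        print(repr(url), "->", reason)
```

Note that the certificate check never sees the apparent host: the TLS handshake is with `real_host`, whose certificate is perfectly valid, which is exactly why the lock icon gives no warning. The only place the mismatch is visible is in the URL itself, so that is where the check has to run.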
justin (Australian, join: 1999-05-28, Brooklyn, NY)
That's cute. I figured there would be creative use of redirectors.
I mean, you could post one of those "Special offer" links, the ones that nobody expects to look correct because they are long and have affiliate pay-on-click codes in them, and then redirect to a phished version of the SBC DSL signup page and keep them within it. Then collect credit card numbers for days before the victims noticed.
