I agree that It's very unlikely that we would not catch it. I know that change made my eyes jump immediately. However, it's very likely that, given enough targets... I am 100% confident that many of them will fall for it. Keep in mind that this group is the group that responds to emails like the following: "From: coolguy131@xxxxxxxxxxxxxxxxx You are akcount is ABOUT TO BE UPDATED respond with you'r SOCIAL SECURITY AND LICENSE SCAN. Error code 51535351535153515.5f." Also as this is an user attention issue, targeting pages that are heavily animated or otherwise distracting may help in the exploit. On Thu, Dec 8, 2011 at 5:09 PM, Michal Zalewski <lcamtuf@xxxxxxxxxxx> wrote: >> And you don't believe that people would think that's suspicious? > > What part? The change of a URL that is not associated with the > repainting of window contents? I believe that they are very unlikely > to catch this after initially examining the URL, in absence of other > indicators (change in URL length, page repainting, throbber activity). > > /mz
