20 Jun

interesting phishing method

You’ve all seen those scams where an email claims that your eBay or PayPal account has been compromised and gives a link directly to the login, which you can easily see is fake because hovering over the link shows an IP address in the status bar of your email client.

I just received an email that had me puzzled for a few minutes. It was obviously a phishing attempt, but a quick glance through the page didn’t show anything fake-looking. Hovering over the provided links showed a proper PayPal address (https://www.paypal.com/cgi-bin/webscr?cmd=_login-run). Even right-click -> copy on the links gave the right address in a browser. Puzzling.

Then I looked at the source and found that the links actually surrounded a submit input styled to look like a plain link. Clicking that input would submit a form going to a nastier place.

The fact that a submit button can look so much like a link and give no warning is a security bug in my eyes. Here is the suspicious code:

<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
  <font size="2" face="Arial, Verdana">
    <!-- submit input styled as a link; the enclosing <form> carries the real target -->
    <INPUT style="BORDER-RIGHT: 0pt; hand; COLOR: blue; BORDER-BOTTOM: 0pt;
                  BACKGROUND-COLOR: transparent; TEXT-DECORATION: underline"
           type=submit value="click here and process your login." tabindex="1">
  </font>
</a>

What I think is vexing about this is that it took a look at the source to find this out. In my opinion, hovering over an input button should definitely not show a surrounding link’s URL in the status bar.
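A detector for this pattern, added here as an example and not part of the original post: it walks the HTML with Python’s html.parser and reports every submit control nested inside an <a>, pairing the href the status bar would show against the enclosing form’s action. The sample markup is constructed from the snippet above, and the form action is a placeholder, not a real address.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the snippet in the post; the form action is a
# placeholder (.invalid TLD), not a real phishing URL.
SAMPLE = """
<form action="http://attacker.invalid/collect" method="post">
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">
  <font size="2" face="Arial, Verdana">
    <input style="border: 0; cursor: hand; color: blue;
                  background-color: transparent; text-decoration: underline"
           type=submit value="click here and process your login." tabindex="1">
  </font>
</a>
</form>
"""

class LinkButtonDetector(HTMLParser):
    """Flags submit controls nested inside <a> elements: hovering shows the
    anchor's href, but clicking submits the enclosing form to its action."""
    def __init__(self):
        super().__init__()
        self.anchor_stack = []   # hrefs of currently open <a> elements
        self.form_stack = []     # actions of currently open <form> elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.anchor_stack.append(a.get("href", ""))
        elif tag == "form":
            self.form_stack.append(a.get("action", ""))
        elif self.anchor_stack and self._is_submit(tag, a):
            self.findings.append({
                "shown_href": self.anchor_stack[-1],
                "real_target": self.form_stack[-1] if self.form_stack else None,
                "label": a.get("value", ""),
            })

    def handle_endtag(self, tag):
        if tag == "a" and self.anchor_stack:
            self.anchor_stack.pop()
        elif tag == "form" and self.form_stack:
            self.form_stack.pop()

    @staticmethod
    def _is_submit(tag, a):
        t = (a.get("type") or "").lower()
        if tag == "input":
            return t in ("submit", "image")   # image inputs also submit
        return tag == "button" and t in ("", "submit")  # <button> defaults to submit

def find_link_buttons(html):
    """Return one finding per submit control found inside an anchor."""
    p = LinkButtonDetector()
    p.feed(html)
    p.close()
    return p.findings
```

A mail filter or link-scanner could run find_link_buttons over the HTML part and treat any finding whose real_target differs from shown_href as a phishing indicator.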

I’m submitting a bug to Thunderbird at the moment (although it’s probably more apt to submit it to Firefox – it’ll all end up in the right place anyway) asking that hovering over a submit input show the form target’s URL in the status bar.

2 thoughts on “interesting phishing method”

  1. They started using that kind of method a couple of months ago. It’s not the easiest thing to spot, so the SPF plugin for Thunderbird can help a lot

  2. I think I only noticed it because I usually totally ignore those emails (i.e., they are either caught by my Bayesian filter, or I unconsciously stick them in the junk pile without reading them).

    This time, though, I was tempted to read it as I am selling a few things on eBay at the moment, and the email was very close to the mark.

    Anyway… the bug is noted here. So far, there is only one commenter, who said “worksforme”, which says to me that he did not actually read my notes…

Comments are closed.