USBank Scam

Thread: USBank Scam

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    USBank Scam

    Just saw this on the Full Disclosure list...

    This is the best phishing scam I've seen yet: http://www.bis1bp.com/a12/index.html

    I have Windows Server 2003 fully patched and this works. The program fakes an address bar so this would pass through most people's safety check, after all the address bar clearly has the correct address.

    There are bugs in the code, for example, all your Internet Explorer windows will now have this address, but again, most people would only have one window open.
    Pretty smart and very dirty scammers...

    If you disable active scripting they can't fake the address bar... or if you have a google toolbar (or similar), the script messes up and places the URL in the wrong place. Or, if you use a different resolution other than 800x600 or 1024x768 the script will mess up again and append the faked address to the real address.... also, I've noticed that it carries over to things such as outlook when the browser window is left open.

    BTW: The box I tested this on is fully patched too.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    On Firefox, it starts to load and then a box pops up that says I need IE5.5/Win or above to run the 'Demonstration'.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Interestingly enough if you copy and paste the "apparent" url in the address bar into Notepad it shows the http://www.bis1bp.com/a12/index.html url not the usbank one...... and if you pull down the address bar to show the history it shows the same address.

    It looks like a lot of people are going there because when I first tried it it was quite convincing, right now it's so slow that the bad address stays there for a while though I'm sure some people would take it to be some "fancy" redirection being done by the real site.

    Pulling down the address bar history or the cut and paste to Notepad is a test if you are suspicious though.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Not exactly a new technique, but not used very often. It's interesting to look at some of the variants using DHTML and so on. Most of them only hit a very narrow spectrum of browsers and are probably one of the few reasons I am glad that javascript is evil and hard to do right on all browsers.

    People who fall for it should have been checking for the proper use of ssl. Also the new url is displayed over all other windows you have up...I'm looking at the url over visual studio at the moment.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Also, if you view source before the script is completely loaded... it will give the real source code.

    If you try to view the source after the script is loaded... it gives you different source code that looks like it displays the fake address...

    Juridan: I noticed that too. But only on some applications... not all. Outlook is one... but some third party software did not... maybe just another bug in the script.

    Apparently it won't load on every window you have open if you open it multiple times.

    Or, maybe that's because the site is so slow now.

    The first thing I noticed was that the little lock wasn't in the bottom right hand corner of the screen which indicated ssl. But I've heard that it can be faked? They tried by putting the lock in the bottom left in the screen itself and by making the fake address display a https://
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
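
The two manual checks described in posts #3 to #5 (compare what the address bar shows with the address that was really loaded, and confirm the page actually used SSL), written out as an added example that is not part of any post in this thread. The function names and the "shown" address are assumptions made for illustration; only the loaded URL is taken from the thread.

```javascript
// Added example: flag a mismatch between the address a page displays
// and the address that was actually loaded (e.g. from history or a proxy log).

function parseAddress(text) {
  try {
    return new URL(text.trim());
  } catch (_) {
    return null; // not a parseable absolute URL
  }
}

// Hostnames compare case-insensitively; a trailing root dot is equivalent.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

function assessAddress(shownText, loadedText) {
  const shown = parseAddress(shownText);
  const loaded = parseAddress(loadedText);
  const findings = [];
  if (!loaded) {
    return { trusted: false, findings: ["loaded address is not a valid URL"] };
  }
  if (!shown) {
    findings.push("shown address is not a valid URL");
  } else {
    // Post #3's test: the pasted/history URL differs from what the bar shows.
    if (normalizeHost(shown.hostname) !== normalizeHost(loaded.hostname)) {
      findings.push(`host mismatch: shown ${shown.hostname}, loaded ${loaded.hostname}`);
    }
    // Post #5's observation: an https:// label with no real SSL behind it.
    if (shown.protocol === "https:" && loaded.protocol !== "https:") {
      findings.push("shown address claims https but the page was loaded without TLS");
    }
  }
  // Post #4's check: a banking login page should be served over SSL at all.
  if (loaded.protocol !== "https:") {
    findings.push("page was loaded over plain http");
  }
  return { trusted: findings.length === 0, findings };
}

const LOADED = "http://www.bis1bp.com/a12/index.html"; // URL quoted in the thread
const SHOWN = "https://bank.example/login"; // constructed stand-in for the faked bar

console.log(assessAddress(SHOWN, LOADED));
```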

  6. #6
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Off topic [ what's with the 'new' titles on the senior members names ? ] end.

    Personally, I find that I am too slow on the uptake to be taken in by a 'phishing' scam, however, I have followed this, and it is 'good'.
    Just another problem to be (Ad) aware of
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by moxnix
    On Firefox, it starts to load and then a box pops up that says I need IE5.5/Win or above to run the 'Demonstration'.
    In IE, if you disable active scripting, it will say it needs scripting to run demonstration.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    what's with the 'new' titles on the senior members names ?
    If we told you, we'd have to reformat your brain.

  9. #9
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Also, if you view source before the script is completely loaded... it will give the real source code.

    If you try to view the source after the script is loaded... it gives you different source code that looks like it displays the fake address...
    How would that be achieved?

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  10. #10
    Just a guess, but I'd presume there's a segment of code that hides the source code, so if you pull up the source code before it has a chance to load up, then that's how you get around it. You have to pull it up before it has a chance to kick in.

    That'd be my guess...
