Monday 29 December 2003

IE Browser Exploit Bogus Pay Pal E-Mail

There is an IE browser spoofing vulnerability that has not yet been patched. It allows malformed HTML links to appear to send you to one location when in fact they go somewhere else. The link can be hidden in a web page or in an HTML-enabled email, and it can be a plain text link or a PayPal button. There is currently circulating a very official-looking email that appears to link back to PayPal. Once at the fake PayPal site you are told that PayPal is moving and that you must re-register to continue using your PayPal account. When you re-register you are asked to enter the keys to your financial kingdom. This information is then loaded into hacker/criminal databases where it can be used to raid your bank account, steal your credit cards and in general ruin your day.

What can you do to protect yourself? Follow the rule that NO financial organization worthy of being in business will solicit your account access information via email. It just isn't done. Even if your electronic statement notification email contains a link to your account, it will only link directly to a login/password screen. When you go to a web location via an email link and are asked for your password, type in nonsense with a fake name. You may be asked to confirm this information. Once confirmed, fake sites will "log you in" and begin to ask you questions regarding your name, address and social security number; depending on the type of account they may require your email address, bank account number and routing information, shipping address if different, credit card info etc., all while looking very professional and with the address bar looking as if you are doing business with PayPal. Trouble is, they don't check your user name and password; they store it along with any other information you care to provide. You may also notice that the site you are "logged" into is not using HTTPS, another tip that this is not a real PayPal site.

I expect that now there is a real exploit for this browser weakness in the wild, Microsoft will be patching IE directly. Meanwhile, be aware of this scam and turn off HTML support in your mailer software. Never ever give out your credit card or banking information online unless you are SURE of where you are. In the case of IE, check the actual http:// link via the page source code and/or the email headers and raw content. PayPal sends confirmations on payments and receipts, and it will send out activity reports if enabled. It generally does not send anything else to clients.

So SOME bogus sites have URLs with non-printing characters in them, like this:

http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@pp.youlikeshe.com

(Proper HTML code removed so it doesn't render as a link.) You see the real address, pp.youlikeshe.com, is hidden out of sight. This address is registered in Switzerland and is currently being served out of Krakow, Poland.
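As an added example (not code from the original post), here is a small Python check that does what the post describes by hand: it splits a link the way a browser does, so the host after the "@" comes out as the real destination and the "www.paypal.com" part is exposed as userinfo padded with control characters. The sample links are constructed in the shape of the one quoted above, and WATCHED_BRANDS is an assumed list of names a mail filter would care about.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed list of brand names a mail filter would watch for (constructed).
WATCHED_BRANDS = ("paypal", "microsoft")

# Constructed samples in the shape of the link quoted in the post.
SPOOFED_LINK = "http://www.paypal.com" + "%01" * 20 + "@pp.youlikeshe.com"
GENUINE_LINK = "http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/email-security-outside"


def analyze_link(url: str) -> dict:
    """Split a URL the way a browser does and report the host it will
    really connect to versus the host the link is dressed up to show."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""           # authority after the last '@'
    userinfo = parts.username or ""            # text before '@', if any
    decoded = unquote(userinfo)                # %01 -> chr(1), etc.
    control_chars = sum(1 for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F)
    # What the victim sees in the address bar: userinfo up to the first control char.
    apparent_host = re.split(r"[\x00-\x1f\x7f]", decoded, maxsplit=1)[0].lower()

    reasons = []
    if userinfo:
        reasons.append("credentials before '@'; browser connects to host after it")
    if control_chars:
        reasons.append(f"{control_chars} control characters hide the real host")
    if any(b in apparent_host for b in WATCHED_BRANDS) and not any(
        b in real_host for b in WATCHED_BRANDS
    ):
        reasons.append(f"looks like {apparent_host!r} but goes to {real_host!r}")

    return {
        "real_host": real_host,
        "apparent_host": apparent_host,
        "control_chars": control_chars,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for link in (SPOOFED_LINK, GENUINE_LINK):
        report = analyze_link(link)
        print(link[:40] + "...", "->", report["real_host"], report["reasons"])
```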

Be careful out there!

Updated: Test your browser/antivirus software: use this link and you will see your browser address bar pointing at Microsoft.com, but you will not be there. What if the page at the place you were sent to looked a lot like microsoft.com? What if it were your bank's site with a login screen? Would you know enough to NOT log in? That is the crux of the problem. Note that some anti-virus software might get tripped by the link above. If that is the case, GOOD. The link is safe; no virus or malicious code is executed (regardless of what your AV software is telling you). Happy surfing!

Posted by Philip at Monday 29 December 2003
Comments

Hi Philip, thanks for telling us about these bad people, you did good here! Regards SD ~<>~

Posted by: ScrewDriver at December 29, 2003 06:28 AM

***********************

I received one of these fraudulent emails today.

I have never seen a real PayPal email but I knew immediately since I do not do business with them and from looking at the coding of this email that it was not legit.

These things can be forwarded to spoof@paypal.com and reported to your email service provider.

http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/email-security-outside

The one I received came from .de (Germany .de - Search the WHOIS Domain Name Registry)

http://www.ipmenu.com/domainnames.htm

The link in the email went to:

httpwwwpaypalcom%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@217.19.16.242

wherever or whoever that is.

There were other goodies in the code and header that I won't reprint but nonetheless this email is no good.

Posted by: HB at January 30, 2004 02:58 PM

***********************

I received an e-mail with this exploit in my yahoo mail today.

It was cleverly elaborated so that it looked like it was sent by the yahoo mail admin, with some random typos to avoid spam filters, and would probably have stolen my yahoo mail password.

Fortunately I don't use IE and the Opera browser showed me the complete link :) .


Posted by: Marco at February 7, 2004 09:07 AM

***********************

Glad you were not fooled Marco. That is why it is an IE exploit and not an Opera exploit.

Posted by: Philip at February 7, 2004 09:27 AM

***********************