
Computer Security - How to interpret this?!

 
Old 03-16-2007, 12:43 AM   #1
Default How to interpret this?!


Lately I received a number of (phishing) mails from a bank asking for
confirmation. In the message, there was a URL:

https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN

However, when I moved my mouse pointer to the beginning of the URL, at
the bottom of the screen, it showed the following instead.

http://163.23.70.201/http/www1.royal...tSign&LANG=EN/

First of all, the link seems not to be using SSL (http instead of https).
Secondly, when I pinged 163.23.70.201, there was no response.

I hesitate to click on the https:// link.

Could someone help me understand what it is all about? Any info is
much appreciated.

A Monk



a_monk
  Reply With Quote
Old 03-16-2007, 01:21 AM   #2
Sebastian Gottschalk
 
Posts: n/a
Default Re: How to interpret this?!
a_monk wrote:

> Lately I received a number (phishing) mails from a bank asking for
> confirmation. In the message, there was a URL:
>
> https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN
>
> However, when I moved my mouse pointer to the beginning on the URL, at
> the bottom of the screen, it showed the following instead.
>
> http://163.23.70.201/http/www1.royal...tSign&LANG=EN/
>
> First of all, the link seems not using SSL (http instead of https).
> Secondly, when I pinged 163.23.70.201, there was no response.
>
> I hesitate to click on the https:// link.
>
> Could someone help me understand what is it all about? Any info is
> much appreciated.


<a
href="http://this.is/the/real/destination.php">http://can.claim/anything/about/the/link.html</a>

Your problem obviously is that you messed up your mail client to render
HTML content. Very very bad idea.

And since you're abusing MSIE as a web browser, I presume your mail client
is Outlook Express or Outlook. That means you'd be even worse off, since
there are various features^W unpatched vulnerabilities which allow the
attacker to fake the displayed URL. You're lucky that this attacker didn't
try.


Sebastian Gottschalk
  Reply With Quote
Old 03-16-2007, 01:34 AM   #3
David H. Lipman
 
Posts: n/a
Default Re: How to interpret this?!
From: "a_monk" <>

| Lately I received a number (phishing) mails from a bank asking for
| confirmation. In the message, there was a URL:
|
| https://www1.royalbank.com/cgi-bin/r...ntSign&LANG=EN
|
| However, when I moved my mouse pointer to the beginning on the URL, at
| the bottom of the screen, it showed the following instead.
|
| http://163.23.70.201/http/www1.royal...tSign&LANG=EN/
|
| First of all, the link seems not using SSL (http instead of https).
| Secondly, when I pinged 163.23.70.201, there was no response.
|
| I hesitate to click on the https:// link.
|
| Could someone help me understand what is it all about? Any info is
| much appreciated.
|
| A Monk

What part of Phishing don't you understand ?

The screen shows; https://www1.royalbank.com but the HTML really points to;
http://163.23.70.201

http://www.dnsstuff.com/tools/whois....0.201&email=on

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




David H. Lipman
  Reply With Quote
Old 03-16-2007, 01:39 AM   #4
a_monk
 
Posts: n/a
Default Re: How to interpret this?!
On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "a_monk" <dfox...@hotmail.com>
>
> | Lately I received a number (phishing) mails from a bank asking for
> | confirmation. In the message, there was a URL:
> |
> |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=...
> |
> | However, when I moved my mouse pointer to the beginning on the URL, at
> | the bottom of the screen, it showed the following instead.
> |
> |http://163.23.70.201/http/www1.royal...access/F21=IB&...
> |
> | First of all, the link seems not using SSL (http instead of https).
> | Secondly, when I pinged 163.23.70.201, there was no response.
> |
> | I hesitate to click on the https:// link.
> |
> | Could someone help me understand what is it all about? Any info is
> | much appreciated.
> |
> | A Monk
>
> What part of Phishing don't you understand ?
>
> The screen shows; https://www1.royalbank.com but the HTML really points to;
> http://163.23.70.201
>
> http://www.dnsstuff.com/tools/whois....0.201&email=on
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm


What would happen if I clicked on the link?



a_monk
  Reply With Quote
Old 03-16-2007, 01:44 AM   #5
a_monk
 
Posts: n/a
Default Re: How to interpret this?!
On Mar 15, 9:39 pm, "a_monk" <dfox...@hotmail.com> wrote:
> On Mar 15, 9:34 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
> wrote:
>
>
>
>
>
> > From: "a_monk" <dfox...@hotmail.com>

>
> > | Lately I received a number (phishing) mails from a bank asking for
> > | confirmation. In the message, there was a URL:
> > |
> > |https://www1.royalbank.com/cgi-bin/r...=1&F21=IB&F22=...
> > |
> > | However, when I moved my mouse pointer to the beginning on the URL, at
> > | the bottom of the screen, it showed the following instead.
> > |
> > |http://163.23.70.201/http/www1.royal...access/F21=IB&...
> > |
> > | First of all, the link seems not using SSL (http instead of https).
> > | Secondly, when I pinged 163.23.70.201, there was no response.
> > |
> > | I hesitate to click on the https:// link.
> > |
> > | Could someone help me understand what is it all about? Any info is
> > | much appreciated.
> > |
> > | A Monk

>
> > What part of Phishing don't you understand ?

>
> > The screen shows; https://www1.royalbank.com but the HTML really points to;
> > http://163.23.70.201
>
> > http://www.dnsstuff.com/tools/whois....0.201&email=on
>
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.c...
>
> What would happen if I clicked on the link?


Where could one report this crime?



a_monk
  Reply With Quote
Old 03-16-2007, 02:07 AM   #6
David H. Lipman
 
Posts: n/a
Default Re: How to interpret this?!


David H. Lipman
  Reply With Quote
Old 03-16-2007, 03:03 AM   #7
Arthur T.
 
Posts: n/a
Default Re: How to interpret this?!
In
Message-ID:< ups.com>,
"a_monk" <> wrote:

>Lately I received a number (phishing) mails from a bank asking for
>confirmation. In the message, there was a URL:

<snip>
>However, when I moved my mouse pointer to the beginning on the URL, at
>the bottom of the screen, it showed the following instead.

<snip>
>Could someone help me understand what is it all about? Any info is
>much appreciated.


This is standard HTML used for nefarious purposes.

I'll show an example, using parens instead of angle brackets
(in case you have a newsreader that renders HTML).

(a href="http://ACTUAL.URL")WHAT TO DISPLAY(/a)

In the above, an HTML-knowledgeable reader will show "WHAT TO
DISPLAY", but if you click on it, it'll take you to
"http://ACTUAL.URL". If "WHAT TO DISPLAY" *looks* like a URL,
it'll cause the confusion you experienced.

--
Arthur T. - ar23hur "at" intergate "dot" com
Looking for a z/OS (IBM mainframe) systems programmer position


Arthur T.
  Reply With Quote
Old 03-16-2007, 08:40 AM   #8
Jim Watt
 
Posts: n/a
Default Re: How to interpret this?!
On 15 Mar 2007 17:43:50 -0700, "a_monk" <> wrote:

>Lately I received a number (phishing) mails from a bank


Then either delete them and move on or report them to
the bank.
--
Jim Watt
http://www.gibnet.com


Jim Watt
  Reply With Quote