Google used as a URL cloaking device in phishing
This just came across my desk: Phishers are using urls in the form "http://www.google.com/=url?q=http://www.climagro.com.ar/agro/chase.htm" to obfuscate URLs and/or help the spam get past the spam filters. Google has been informed of the problem.
Note that as of this writing, the spammed URL is still up. This url is hosted on a site that was probably hacked into -- a common use for zombie computers is as temporary hosting for spammer's web pages.
In this particular case, the site in question is a simple meta redirect to another site in India (for a total of two levels of indirection.) It looks like this site also was hacked by the phisher.
The "login confirmation" page was a php script that seemed to return nothing useful when executed without cgi arguments, so I lost the trail there. Clearly there would have been at least a third level of indirection when the phished data was sent on to the phisher, but without more time and/or access to the php source, I can't tell where that is.
Update (23 Mar): I got one of these myself today. First redirect goes to "jTrue Technologies" in Shanghai, China. I have notified them; let's see what they say. Data was handled via php as before, so without the source code, I couldn't go any further.
Here's a thought about what Chase and other phishing victims could do: Most of these phishing sites grab icons and other media directly from the victim sites. Perhaps Chase et al could pay attention to the referrer address when serving up icons. Any reference from outside of their own site should sound an alert.
Update #2 (23 Mar): I spoke to Google security about the redirect issue. They know about it, and have some ideas on how to stop it. They admit it's a common problem (and certainly not specific to Google), but a non-trivial one to solve. Any site that has redirects is vulnerable to this kind of abuse.
Note that as of this writing, the spammed URL is still up. This url is hosted on a site that was probably hacked into -- a common use for zombie computers is as temporary hosting for spammer's web pages.
In this particular case, the site in question is a simple meta redirect to another site in India (for a total of two levels of indirection.) It looks like this site also was hacked by the phisher.
The "login confirmation" page was a php script that seemed to return nothing useful when executed without cgi arguments, so I lost the trail there. Clearly there would have been at least a third level of indirection when the phished data was sent on to the phisher, but without more time and/or access to the php source, I can't tell where that is.
Update (23 Mar): I got one of these myself today. First redirect goes to "jTrue Technologies" in Shanghai, China. I have notified them; let's see what they say. Data was handled via php as before, so without the source code, I couldn't go any further.
Here's a thought about what Chase and other phishing victims could do: Most of these phishing sites grab icons and other media directly from the victim sites. Perhaps Chase et al could pay attention to the referrer address when serving up icons. Any reference from outside of their own site should sound an alert.
Update #2 (23 Mar): I spoke to Google security about the redirect issue. They know about it, and have some ideas on how to stop it. They admit it's a common problem (and certainly not specific to Google), but a non-trivial one to solve. Any site that has redirects is vulnerable to this kind of abuse.
0 Comments:
Post a Comment
<< Home