[Mimedefang] Browser Bug: Very bad in IE and varies on Netscape and Mozilla

Kevin A. McGrail kmcgrail at pccc.com
Fri Dec 19 17:12:39 EST 2003


WARNING: There is documentation of a scam in this document.  Read the
document, don't feel the need to click on things!

Not to alarm everyone, but I feel that there is a bug/scam that more people
need to know about that I found out about last week.  This bug causes some
browsers, notably Internet Explorer but ALSO AFFECTING NETSCAPE AND MOZILLA
TO SOME EXTENT, to parse web links incorrectly and allow a person to nearly
perfectly cover up the fact that they are redirecting you to a different
link.

I believe this bug should be identifiable in SpamAssassin but I have seen a
few different techniques and I am not 100% sure what the bug is!  Something
akin to this (tested but I don't make a lot of rules):

# This rule is to mark emails using the exploit of the URI parsing
uri KAM_URIPARSE       /\%01\@/i
describe KAM_URIPARSE    Attempted use of URI bug.  Very high probability of fraud.
score KAM_URIPARSE     7.00

This trick is so good, it even tricks popup blockers such as google's
toolbar.

As an example, using a link such as the one below will LOOK like you are
going to paypal.com but in fact you are going to netcbc.net/paypal (this is
a REAL fraud website so don't go using it).

http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@netcbc.net/paypal/

I found out about this problem late last week and was hoping Microsoft would
have it patched before I had to write this note.

Unfortunately, it is still not patched to the best of my knowledge on
December 19th over a week later.  Additionally, on December 17th, I was
forwarded a copy of one of the emails using this technique to fraudulently
gather information.  This technique called "Phishing" has been around for a
while but this bug will make even expert users fall prey to this trick.

I would recommend forwarding this information to people you feel can
properly handle the information but I think this is going to very quickly
become the largest scam tool on the internet.

Regards,
KAM
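The check below is an added example, not part of Kevin's post or of SpamAssassin: it pulls the real host out of a link built the way the post describes (a trusted-looking name, a run of %01 bytes, then "@" and the real host) and flags it both with the post's literal "%01@" test and with a more general userinfo check. The sample link is constructed and uses example.invalid in place of the real fraud domain.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the shape of the link quoted in the post; the
# destination is a placeholder, not the real fraud site.
SAMPLE_URL = "http://www.paypal.com" + "%01" * 20 + "@example.invalid/paypal/"


def matches_kam_rule(url):
    """Literal equivalent of the post's rule: uri KAM_URIPARSE /\\%01\\@/i."""
    return re.search(r"%01@", url, re.IGNORECASE) is not None


def analyze_url(url):
    """Return (apparent_host, actual_host, suspicious).

    apparent_host is what a reader sees at the start of the link; actual_host
    is where the browser really connects (the part after the last '@').
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" not in netloc:
        host = (parts.hostname or "").lower()
        return host, host, False
    userinfo, _, hostport = netloc.rpartition("@")
    actual_host = hostport.split(":")[0].lower()
    # Percent-decode so %01 becomes the control byte 0x01.
    decoded_user = unquote(userinfo)
    m = re.match(r"[A-Za-z0-9.-]+", decoded_user)
    apparent_host = m.group(0).lower() if m else ""
    # Control bytes in userinfo are what made IE hide everything after them.
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded_user)
    # A dotted, host-like userinfo that differs from the real host is the
    # general form of the trick, even without %01 padding.
    looks_like_host = "." in apparent_host
    suspicious = has_control or (looks_like_host and apparent_host != actual_host)
    return apparent_host, actual_host, suspicious


if __name__ == "__main__":
    print(matches_kam_rule(SAMPLE_URL))
    print(analyze_url(SAMPLE_URL))
```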


