Toolkit
Story: Coding error thwarts Paralympic phishing scam
Posted by: Anonymous (Thursday 3 June 2004, 5:15 AM)
Are you sure it's a code error. It's a part of the scam and intentional. If you don't have Microsoft Security Bulletin MS04/004 installed, the specially formed linked will load the phishers site, but the address bar will say the Paralympic site's address.
Text below from: http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the clear-text authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
Full Talkback thread
