
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2003-07-07 InfoSec Handlers Diary Blog



Paypal scam site using SSL spotted

Published: 2003-07-07
Last Updated: 2003-07-07 13:40:44 UTC
by Handlers (Version: 1)
A member of our 'handler' group spotted a fake Paypal site which uses a valid
SSL certificate. While this certificate is not issued for 'paypal.com', standard
URL masking techniques make it plausible to untrained users that the site is
a valid Paypal site.

We receive almost daily reports of fake Paypal or eBay sites. Usually the goal
of these sites is to extract information from users which will be used
in identity theft or credit card fraud. The page is usually advertised via
spam and looks just like a regular Paypal/eBay page. The e-mail suggests that
the user should visit the page to confirm billing information.

A standard technique to mask the actual URL, and make it look more like a
valid Paypal site, is the addition of user name / password prefixes. HTTP URLs
can include a user name and password for HTTP basic authentication. These are
prepended to the URL in the following syntax:

http://username:password@www.somewebsite.com/somepage.html

For example, in order to make "isc.sans.org" look like a Paypal site, the following URL could be used:

http://www.paypal.com:asldkfjalsdkjflaksjfd@isc.sans.org/index.html

The user name / password is ignored if no authentication is required.

In most cases, these scam sites are easily spotted as they are not using SSL. Sometimes they attempt to hide this fact by increasing the browser window size to push the lower part of the browser window off the screen, so users will not see the open browser lock.

However, this latest site uses a valid SSL certificate. Unless users inspect the certificate in more detail, they will not see the problem.

The particular URL of the fake Paypal site is:
https://ki54ft.worldispnetwork.com/i.CgI

As shown in the spam used to advertise it, it looks like:
https://www.paypal.com:ac=alksdjflakdjflkasdjruoiwehjrlkajdf@KI54fT.WoRlDiSpNeTwOrK.CoM/i.CgI?billing@yourdomain.com

The URL is overly long to hide the actual host name.
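
One way to surface this masking when scanning mail is to parse each URL and compare the user name prefix with the host the browser will actually contact. The following is an added example, not part of the original diary; the function names, finding labels and the mail body are assumptions constructed for illustration, and the two masked URLs are the ones quoted in this diary.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A user name that is itself shaped like a DNS name is the masking trick.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def analyze_url(url):
    """Report the host the browser will contact and any user-info masking."""
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()   # the part after the last '@'
    findings = []
    if "@" in parts.netloc:                      # '@' in path or query does not count
        findings.append("userinfo-present")
        user = parts.username or ""
        if HOSTLIKE.match(user) and user.lower() != real_host:
            findings.append("userinfo-looks-like-host")
    return {"url": url, "real_host": real_host,
            "decoy": parts.username if findings else None, "findings": findings}

def scan_message(text):
    """Return an analysis for every URL in a mail body that carries user info."""
    results = (analyze_url(u) for u in URL_RE.findall(text))
    return [r for r in results if r["findings"]]

# Constructed mail body; the two masked URLs are the ones quoted in this diary.
SAMPLE_MAIL = """\
Please confirm your billing information:
https://www.paypal.com:ac=alksdjflakdjflkasdjruoiwehjrlkajdf@KI54fT.WoRlDiSpNeTwOrK.CoM/i.CgI?billing@yourdomain.com
Mirror: http://www.paypal.com:asldkfjalsdkjflaksjfd@isc.sans.org/index.html
Help: https://www.paypal.com/help?contact=billing@yourdomain.com
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MAIL):
        print(hit["real_host"], "shown as", hit["decoy"], hit["findings"])
```

The third URL in the sample is not flagged: its only '@' is in the query string, so the host shown is the host contacted.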

After submitting the form, the cgi script redirects the user to the actual Paypal login page, further hiding the fact that the user just used a fake page.

The page uses a wild card certificate for 'worldispnetwork.com'.

-----------
more information? Please let us know: isc@sans.org
