
Blinder Alert

infectionvectors.com

March 2005

Vector:  Malicious web pages (often phishing attempts sent via email)
Impact:  High (personal data theft)


Blinder is the name of a specific exploit that attempts to hide the true URL serving a particular web page. The attack arrives as a few additional lines of JavaScript added to a page used for phishing. Normal scrutiny of these pages will protect the most critical users; however, those who rely upon their browser's address bar may be fooled.

By default, Windows XP SP2's settings block the active content, allowing viewers to see where the web page really comes from. Without that protection, however, a user would see this (eBay logos removed for the test):

[Screenshot omitted: the page as rendered, with the Blinder pop-up covering the browser's address bar]


Notice how the address bar is completely obscured by the Blinder pop-up. During infectionvectors.com's lab tests of this and many previous versions of the exploit, the phony URL appeared below the address bar (covering toolbars, sometimes anti-phishing toolbars, so the attack still has some relevance to the criminal).


As mentioned above, the code for this attack is not a significant addition to any existing phishing attempt. A subset of the code is seen here:

    // Markup for the fake address bar, with '<' hidden as the \x3C escape.
    // The URL text is truncated here as it was in the captured fragment.
    var vuln_html = '\x3Cdiv style="height: 100%; line-height: 17px; font-family: \'Tahoma\', sans-serif; font-size: 8pt;">https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&favoritenav=&sid=&ruproduct=&pp=&co_partnerId=2&ru=&i1=&ruparams=&pageType'

    // window.createPopup exists only in Internet Explorer; vuln_calc and
    // vuln_pop are defined elsewhere in the page and are not part of this subset.
    if (window.createPopup) {
        vuln_calc();
        vuln_pop();
        // re-run the position calculation every 25 ms to keep the pop-up in place
        window.setInterval(vuln_calc, 25);
    }

The risk for the malicious coder, however, is that a misplaced pop-up will draw more attention to the phony address line. In fact, while the page is open, the fake address bar is prone to show up over whatever window is in focus, as can be seen in the example below, taken from a lab machine analyzing the HTML/script:

[Screenshot omitted: the fake address bar pop-up appearing over another focused window on the lab machine]


Accompanying this attack is the previously analyzed use of the "window.status" property to place a phony URL in the status bar of the browser (traditionally the bottom left of the window; see the top image).


    <script language="javascript">
    window.status = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&favoritenav=&sid=&ruproduct=&pp=&co_partnerId=2&ru=&i1=&ruparams=&pageType=&pa2=&bshowgif=&pa1=&pUserId=&errmsg=&UsingSSL=&runame=&siteid=0"
    </script>
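Both fragments above, the createPopup/setInterval pop-up and the window.status assignment, are easy to look for in captured phishing pages. The following is an added example, not code from the original article or from the Blinder page itself: a small Node.js scanner that decodes the \x3C-style string escapes, flags a createPopup call paired with a setInterval repositioning loop, and reports any URL painted into a div or assigned to window.status whose host differs from the host the page was actually fetched from. The sample page source and the serving host 203.0.113.7 are constructed for this example; the vuln_calc and vuln_pop names are taken from the quoted fragment.

```javascript
// Added example (not from the original article): static scanner for the
// address-bar and status-bar spoofing tricks described in the text.
// Runs under Node.js with no dependencies.

// Constructed: the host the phishing page is really served from.
const SAMPLE_HOST = "203.0.113.7";

// Constructed sample page, modelled on the fragments quoted in the article.
const SAMPLE_PAGE = `
<html><body>
<script language="javascript">
var vuln_html = '\\x3Cdiv style="height: 100%; line-height: 17px; font-size: 8pt;">https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=';
if (window.createPopup) {
  vuln_calc();
  vuln_pop();
  window.setInterval(vuln_calc, 25);
}
window.status = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&siteid=0";
</script>
</body></html>`;

// Decode \xHH and \uHHHH escapes used inside JS string literals, so that
// '\x3Cdiv' is seen as '<div' by the pattern checks below.
function decodeJsEscapes(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Every http(s) URL literal assigned directly to window.status.
function statusBarUrls(src) {
  const re = /window\.status\s*=\s*(["'])(https?:\/\/[^"']+)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(m[2]);
  return out;
}

// Lower-cased host name of a URL, or null if it does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Heuristics taken from the article's description of the attack:
//  - window.createPopup combined with a setInterval loop: a floating pop-up
//    that is repeatedly re-positioned (the Blinder signature)
//  - a URL painted as text inside a <div> for some other host: the fake
//    address bar contents
//  - window.status set to a URL whose host is not the real host
function scanPage(src, servedFromHost) {
  const decoded = decodeJsEscapes(src);
  const realHost = servedFromHost.toLowerCase();
  const findings = [];

  if (/window\.createPopup\b/.test(decoded) && /setInterval\s*\(/.test(decoded)) {
    findings.push("createPopup combined with setInterval: re-positioned overlay (Blinder pattern)");
  }

  const painted = /<div[^>]*>\s*(https?:\/\/[^\s'"<]+)/i.exec(decoded);
  if (painted) {
    const host = hostOf(painted[1]);
    if (host && host !== realHost) {
      findings.push(`URL text for ${host} painted inside a <div> on a page served from ${realHost}`);
    }
  }

  for (const u of statusBarUrls(decoded)) {
    const host = hostOf(u);
    if (host && host !== realHost) {
      findings.push(`window.status spoofs ${host} on a page served from ${realHost}`);
    }
  }
  return findings;
}

const results = scanPage(SAMPLE_PAGE, SAMPLE_HOST);
console.log(results.length ? results.join("\n") : "no address-bar spoofing indicators found");
```

The host comparison is the important part: a page served from one host that paints or announces a URL for a different host is the condition the user-facing tricks rely on, and it is something a mail gateway or sandbox can check mechanically even when the pop-up itself never renders outside Internet Explorer.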

 

Blinder is another trick in a bag already overflowing for scammers. It is yet another example of why broad-based education and awareness are required to beat phishing attempts.

Copyright © 2005 infectionvectors.com. All rights reserved.