Coding error thwarts Paralympic phishing scam

Summary: Australians have been targeted by a phishing email claiming to accept donations for the Paralympic team - but it fails to work because of a mistake in the code

A new phishing email aimed at diverting donations to the Australian Paralympic Team has emerged -- complete with a coding error which means that the cold-hearted scam is unlikely to work.

The email, which falsely claims to be from Westpac, is a replica of a page from the bank's Web site which provides information on making donations to the Australian Paralympians, who need to raise AU$2m to fund their visit to Athens this year.

It includes details of how to make a donation in person, by phone, or via a credit card. However, the link for credit card donations does not go to the official Australian Paralympic Committee donation site. Instead, the credit card link is designed to divert to a site which mimics the appearance of the APC site, but which is actually hosted in Romania.

Fortunately for the Paralympic movement, the phishers made a critical mistake. Due to a coding error in which a large number of blank spaces have been inserted in the fake URL, the address actually fails to resolve. Despite the error, the appeal to charitable instincts suggests that phishers -- often said to be linked to organised crime -- aren't slowing down their attempts to harvest credit card details and other financial information.

Westpac has been the target of numerous phishing scams in recent months, but a spokesperson recently told ZDNet Australia that customers had become more alert to the problem. All Australia's major banks now have an official policy of never requesting information from customers via email.

ZDNet Australia's Angus Kidman reported from Sydney.

Topic: Security


Talkback

1 comment
  • Are you sure it's a code error? It's part of the scam and intentional. If you don't have Microsoft Security Bulletin MS04-004 installed, the specially formed link will load the phisher's site, but the address bar will say the Paralympic site's address.

    Text below from: http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx

    A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the clear-text authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display http://www.tailspintoys.com in the address bar, but actually contained content from another Web Site, such as http://www.wingtiptoys.com. (Note: these web sites are provided as an example only, and both redirect to http://www.microsoft.com.)
    anonymous
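The page does not reproduce the phishing link itself, so the following is an added example (not code from the article, the commenter, or Microsoft) that assumes a link of the shape the bulletin describes: a trusted-looking name, padding (the article's "blank spaces" or the bulletin's special characters), an "@", and then the real host. It shows that a standards-based URL parser sends the request to the host after the "@" regardless of what precedes it, and gives a check a mail filter or analyst could apply. The host names and the 203.0.113.10 address are constructed for illustration; they are not the sites from the story.

```python
"""Where does a link padded with a decoy host name and '@' really point?

Added example for this article, not code from ZDNet, the commenter or
Microsoft.  Sample links are constructed: example-bank.com.au is a made-up
name and 203.0.113.10 is an RFC 5737 documentation address.
"""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Literal whitespace and C0 control characters have no business inside a
# clickable link; the MS04-004 trick relied on such bytes (e.g. %01) to push
# the real host out of Internet Explorer's visible address bar.
_RAW_BAD_CHARS = re.compile(r"[\x00-\x20\x7f]")
_ENCODED_BAD_CHARS = re.compile(r"%(?:[01][0-9a-fA-F]|20|7[fF])")
_BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed samples (assumed shape, see lead-in).  Note that the decoy part
# must contain no '/', otherwise the authority would end before the '@'.
SPACE_PADDED_LINK = "http://www.example-bank.com.au" + " " * 40 + "@203.0.113.10/donate.html"
CONTROL_CHAR_LINK = "http://www.example-bank.com.au%01@203.0.113.10/donate.html"
LEGIT_LINK = "https://www.example-bank.com.au/paralympics/donate"


def real_host(url: str) -> Optional[str]:
    """Host a standards-based parser actually connects to.

    Everything before the last '@' in the authority is userinfo
    (username[:password]), never the host, however bank-like it looks.
    """
    return urlsplit(url).hostname


def decoy_text(url: str) -> Optional[str]:
    """The userinfo part, i.e. what the victim was meant to read as the site."""
    return urlsplit(url).username


def link_warnings(url: str) -> List[str]:
    """Reasons a link should be treated as suspicious (empty list if none)."""
    parts = urlsplit(url)
    warnings = []
    if parts.username is not None:
        warnings.append("userinfo before '@': displayed name is not the host")
    if _RAW_BAD_CHARS.search(url):
        warnings.append("whitespace or control characters inside the URL")
    if _ENCODED_BAD_CHARS.search(url):
        warnings.append("percent-encoded control or space characters")
    if _BARE_IPV4.fullmatch(parts.hostname or ""):
        warnings.append("host is a bare IP address")
    return warnings


if __name__ == "__main__":
    for link in (SPACE_PADDED_LINK, CONTROL_CHAR_LINK, LEGIT_LINK):
        print(repr(link[:60]))
        print("  looks like :", (decoy_text(link) or "").strip() or "(no decoy)")
        print("  connects to:", real_host(link))
        for w in link_warnings(link):
            print("  WARNING    :", w)
```

A link whose decoy text contains a slash (for example a padded path like `.../donate   @host`) would not even reach the host after the "@", because the authority ends at the first "/"; that is one way a badly assembled link of this kind fails outright, as the article says this one did.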