[vox-tech] OT: one of the most pernicious spams i've ever seen.

Mitch Patenaude vox-tech@lists.lugod.org
Thu, 25 Sep 2003 20:00:51 -0700


On Thursday, Sep 25, 2003, at 11:23 US/Pacific, Rob Rogers wrote:
> I see a couple other problems with this idea too. First, this is the
> first phishing scheme I've seen that loaded the actual homepage. Most
> just steal their logos.

Yes.. that was actually what got me thinking.. when image files
are loaded with a referrer that isn't "local" maybe they should be
replaced with fraud warnings. It's not 100% effective, and if it became
widespread then it would be relatively easy to circumvent, but it would
probably prevent a few ID thefts.  While referrer is optional, it's
controlled by the browser, and the people most likely to fall for these
schemes are going to be running stock browsers without things like
privacy screening proxies that strip them out.

>  Secondly, I'm almost positive that your browser
> wouldn't send encoded characters in the referer. Your browser would
> have already decoded them, and it would send them unencoded.

Why would your browser decode them?  The browser usually does nothing
with a URL except pass it unmodified to the server.  When I write log
processing scripts.. I have to decode them if I want to get consistent
results.

> As for usernames, I don't think your browser would EVER send that as
> part of the referer.

Yet they are.. along with the CGI arguments. This was used a while
back to steal hotmail/webmail accounts.  Send somebody HTML email with
an <img> tag which gets fetched from a server you have access to, and
the referrer (used to) give you a fully functional URL into their
mailbox.  This has been fixed with almost all web-based email clients
now.

>  That would be a MAJOR security flaw.

And it has been exploited...

   -- Mitch
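An added example, not from Mitch's or Rob's mail, showing two things the thread talks about in working code: the referer-based "serve a fraud warning instead of the logo" check Mitch proposes, and the log-side decoding of a Referer that has carried a webmail URL (session argument included) to a third-party image host. The hostnames, the Apache combined-format log pattern and the sample log lines are all constructed for illustration and are assumptions of the example, not anything from the original post.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Hypothetical hostnames of the site whose logos are being hotlinked (constructed).
LOCAL_HOSTS = {"www.examplebank.test", "examplebank.test"}


def classify_referer(referer):
    """Classify a raw Referer header value as 'local', 'external' or 'none'.

    'none' covers an absent header and anything that does not parse to a
    hostname. Those cases are indistinguishable from a privacy proxy that
    strips the header, so the caller treats them leniently.
    """
    if not referer:
        return "none"
    try:
        host = urlsplit(referer).hostname
    except ValueError:          # e.g. a malformed IPv6 literal
        return "none"
    if not host:
        return "none"
    return "local" if host.lower() in LOCAL_HOSTS else "external"


def image_response(referer):
    """Pick what to serve for a logo request: the logo, or a fraud-warning image
    when the embedding page lives on a foreign host. Absent or unparseable
    referers get the real image so direct loads, bookmarks and header-stripping
    proxies keep working; only a *foreign* referer triggers the warning."""
    return "fraud-warning.png" if classify_referer(referer) == "external" else "logo.png"


# Apache "combined" log format (assumed): the Referer is the first quoted field
# after the status code and response size.
_COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_from_log(line):
    """Return the raw Referer field of one combined-format log line, or None when
    the line does not match or the field is empty / "-"."""
    m = _COMBINED.match(line)
    if not m or m.group("referer") in ("", "-"):
        return None
    return m.group("referer")


def canonical(url):
    """Percent-decode a URL once, so that "%40" and "@" spellings of the same
    referer compare equal when a log-processing script groups by URL.  The raw
    field is kept separately because decoding twice would be wrong."""
    return unquote(url)


def leaked_query(raw_referer):
    """Return the query parameters a referer carries.  This is the leak described
    in the thread: an <img> fetched while viewing a webmail page sends that
    page's URL, CGI arguments (user, session id, ...) included, to whoever hosts
    the image.  parse_qs does its own percent-decoding, so pass the RAW value."""
    return {k: v[0] for k, v in parse_qs(urlsplit(raw_referer).query).items()}


# Constructed sample: a tracking pixel fetched from inside a (fictional) webmail
# session; the Referer carries the user and session id of the mailbox page.
SAMPLE_LOG = (
    '203.0.113.7 - - [25/Sep/2003:11:23:00 -0700] "GET /pix/1x1.gif HTTP/1.1" '
    '200 43 "http://webmail.example.test/cgi-bin/read'
    '?user=alice%40example.test&sid=deadbeef1234&folder=INBOX" '
    '"Mozilla/4.0 (compatible)"'
)


if __name__ == "__main__":
    raw = referer_from_log(SAMPLE_LOG)
    print("raw referer:   ", raw)
    print("decoded:       ", canonical(raw))
    print("leaked params: ", leaked_query(raw))
    for ref in (None, "https://examplebank.test/login", "http://phish.example.test/bank/"):
        print(f"{ref!r:45} -> {image_response(ref)}")
```

Two caveats a deployer should keep in mind, both consistent with what Mitch says: the Referer is optional and is supplied by the client, so an attacker who proxies the image through his own server, or whose page is loaded over HTTPS while the bank serves images over plain HTTP (browsers are not supposed to send a Referer in that case), gets the real logo; this is a speed bump for a stock browser, not a control.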