Rory Browne wrote:
> Yep - it's a phishing attack, and that's actually a pretty lame attempt at
> it. I would have expected the url to be something like
> www.paypal.com.attacker.com/phishattack, or
> www.paypal.com/dummy_stuff at www.attacker.com (although that is a known issue
> that most browsers will block, or warn the user about these days.)
the second one is a really annoying one, as you'd expect paypal (or whatever the target is) to vet its redirection URLs
before following through on them.
>> -------------------------------------------------
>> follow the instructions.<br /> \n <br /> \n
>> <a href="http://213.244.26.140/index.html" target="_blank">
>> http://www.paypal.com/us/cgi<wbr />-bin/webscr?
>> cmd=_login-run</a>
>> -------------------------------------------------
>>
>> If I click on the URL I see I am taken to 213.244.26.140
>> rather than www.paypal.com (which is all I see).
>>
>> Is that a standard html trick?
yes.
what I usually do when I find things like that is to email the owners of the site, which has usually been hijacked. In
the case you show, it's probably not the case, as an IP address is generally owned by the owner of the box, but if the
url was something like http://awebsite.com/f/fgh/paypal.com/ then you can be pretty confident that the awebsite.com site
is a virtual server running on a machine where at least one user account has been hacked and the site owners are not
aware of it.
it happens to the best of us - especially if you use scripts which might have known exploits.
kae
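
An added example, not part of the original thread: a small link auditor that flags the three patterns discussed above (visible URL text naming a different host than the href, a bare IP address as the link host, and the brand domain appearing only as a subdomain prefix or path segment of someone else's site). The brand list, the reason labels and the `SAMPLE` markup are assumptions made for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE = (  # constructed: the URLs quoted in the thread, plus one genuine link
    '<a href="http://213.244.26.140/index.html">http://www.paypal.com/us/cgi<wbr />'
    '-bin/webscr?\n cmd=_login-run</a>'
    '<a href="http://www.paypal.com.attacker.com/phishattack">Log in</a>'
    '<a href="http://awebsite.com/f/fgh/paypal.com/">Log in</a>'
    '<a href="https://www.paypal.com/us/">www.paypal.com</a>')

def url_host(url):
    url = "".join(url.split())  # undo mail line-wrapping inside the URL
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

class LinkAuditor(HTMLParser):
    def __init__(self, brands):
        super().__init__()
        self.brands, self.findings, self._href, self._text = brands, [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text = self._href, "".join("".join(self._text).split()).lower()
        self._href, target, reasons = None, url_host(href), []
        # Visible text that itself looks like a URL must name the same host as the href.
        if text.startswith(("http://", "https://", "www.")) and url_host(text) != target:
            reasons.append("text-host-mismatch")
        if is_ip_literal(target):
            reasons.append("ip-literal-host")
        # Brand string present in the URL, but the host is not the brand or a subdomain of it.
        if any(b in href.lower() and target != b and not target.endswith("." + b)
               for b in self.brands):
            reasons.append("brand-in-foreign-url")
        if reasons:
            self.findings.append((href, reasons))

def audit(html, brands=("paypal.com",)):  # brand list is an assumption
    auditor = LinkAuditor(brands)
    auditor.feed(html)
    return auditor.findings
```

`audit(SAMPLE)` reports the first three links and leaves the genuine www.paypal.com link alone.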