Declan Moriarty wrote:
I recently got spam with this link, and got about 33% of the way into it
before I realised I was lost. Can anyone tell me what he's doing (apart
from freaking IE :)
http://mail.yahoo.com/config/login?/_javascript:OpenWin%28%27http://65.54.186.250/cgi-bin/linkrd?_lang=EN&lah=34b89aba8099657c89ad303f8e158e82&lat=1097686053&hm___action=http://mail.yahoo.com/config/login?/http%253a%252f%252fwww%252ewellsfargo%252ecom%252f%253bjsessionid%253dLVS0UZ3FGUON4CSYBJLU3NQKDPILUUM0%27%29;
BTW, 65.54.186.250 is in a range assigned to m$:-D. It gets a bit
inspirational after that, but I take this
http%253a%252f%252fwww%252ewellsfargo%252ecom
to be a valid url in a different character set, loading a presaved
session. You can feel the money slipping out of your pockets already,
can't you? :-).
Seems to me to be a html injection scam. Nasty things. You click on a
link which opens up a legitimate page eg your yahoo mail page. It then
offers you a chance to open another offer, check your
credetionals...etc. The javascript opens up another page from another
server which may be just an advert or something sinister. This bypasses
some popup blockers'n'stuff. The "%252f" thingies can be used to fool
the blockers into not thinking its an url. Visually you dont see
anything different. I am most probably wrong as I am not an expert (an
expert is a definition for a has been drip under pressure). IE used to
have that (probably still has) html injection "feature" and IIRC mozilla
has it now too.
--
Shane Shields
Registered LFS Compiler: 7582
To drink the WINE of success you must first seek the sayings of source
Anyone sending unwanted advertising e-mail to this address will be charged $25
for network traffic and computing time. By extracting my address from this
message or its header, you agree to these terms.
--
http://linuxfromscratch.org/mailman/listinfo/lfs-chat
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
