This is really going crazy over the Internet, and it has got many victims. It's good that this script doesn't have any evasion techniques involved in it, so there is scope for an IDS to detect it.

Regards,
Srinivas Naik

On Tue, May 25, 2010 at 2:59 PM, Sandeep Thakur <[email protected]> wrote:

> Did anyone get a chance to go through the below? Let me add a few more details for
> your research. The below mail headers show CSRF, XSS attack examples.
> Please go through all IMG related tags, then you will know.
> Probably this can help you study the subject (How Facebook Can Be
> Compromised/Impersonated). Also this will throw some light on the issue of
> how rogue applications like beach babes are impacting users, posted today.
>
> Regards
> Sandeep Thakur
>
> On Fri, May 21, 2010 at 2:57 AM, Sandeep Thakur <[email protected]> wrote:
>
>> Let you know about how you have to check this in fact.... you have to
>> check the original email with all headers. Given below is the original email
>> with headers for everyone's reference:
>>
>> -------------
>>
>> Delivered-To: [email protected]
>> Received: by 10.141.37.16 with SMTP id p16cs192037rvj;
>> Sat, 15 May 2010 21:54:13 -0700 (PDT)
>> Received: by 10.141.187.9 with SMTP id o9mr2331623rvp.211.1273985653009;
>> Sat, 15 May 2010 21:54:13 -0700 (PDT)
>> Return-Path: <[email protected]>
>> Received: from www.bagcrafters.com ([74.208.166.151])
>> by mx.google.com with SMTP id t1si9872196rvl.76.2010.05.15.21.54.12;
>> Sat, 15 May 2010 21:54:12 -0700 (PDT)
>> Received-SPF: neutral (google.com: 74.208.166.151 is neither permitted nor
>> denied by best guess record for domain of [email protected])
>> client-ip=74.208.166.151;
>> Authentication-Results: mx.google.com; spf=neutral (google.com:
>> 74.208.166.151 is neither permitted nor denied by best guess record for
>> domain of [email protected]) [email protected]
>> Date: Sun, 16 May 2010 00:46:01 +0400
>> To: <[email protected]>
>> From: Facebook <[email protected]
>> <notification%[email protected]>>
>> Reply-to: noreply <[email protected]>
>> Subject: Facebook Support sent you a message on Facebook...
>> Message-ID: <[email protected]>
>> X-Priority: 3
>> X-Mailer: ZuckMail [version 1.00]
>> X-Facebook-Notify: msg; from=124112171639398; t=151694426525;
>> mailid=CA2DDD7Da65B9F6Ab114Cb01d4e0Ce
>> Errors-To: [email protected]
>> <notification%[email protected]>
>> X-FACEBOOK-PRIORITY: 0
>> MIME-Version: 1.0
>> Content-Type: text/html; charset = "UTF-8"
>> Content-Transfer-Encoding: 7bit
>>
>> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional //EN">
>> <html><head><meta http-equiv="Content-Type" content="text/html;
>> charset=utf-8"><title>Facebook</title></head><body style="margin: 0;
>> padding: 0;" dir="ltr"><table width="98%" border="0" cellspacing="0"
>> cellpadding="40"><tr><td bgcolor="#f7f7f7" width="100%" style="font-family:
>> lucida grande, tahoma, verdana, arial, sans-serif;"><table cellpadding="0"
>> cellspacing="0" border="0" width="620"><tr><td style="background: #3b5998;
>> color: #fff; font-weight: bold; font-family: lucida grande, tahoma, verdana,
>> arial, sans-serif; padding: 4px 8px; vertical-align: middle; font-size:
>> 16px; letter-spacing: -0.03em; text-align: left;">facebook</td></tr><tr><td
>> style="background-color: #fff; border-bottom: 1px solid #3b5998;
>> border-left: 1px solid #ccc; border-right: 1px solid #ccc;font-family:
>> lucida grande, tahoma, verdana, arial, sans-serif; padding: 15px;"
>> valign="top"><table width="100%"><tr><td width="100%" style="font-size:
>> 12px;" valign="top" align="left"><div style="margin-bottom: 15px;"><a
>> href="http://www.facebook.com">Facebook</a> sent you a message.</div><div
>> style="margin-bottom: 15px;"><table cellpadding="0" cellspacing="0"
>> style="width: 90%; font-size: 12px;"><tr><td colspan="2"
>> style="border-top:1px solid #cfd7e4;"></td></tr><tr><td valign="top"
>> style="padding: 7px 7px 7px 0px; width: 57px;"><a
>> href="http://www.facebook.com"><img
>> src="http://static.ak.fbcdn.net/rsrc.php/z5HB7/hash/ecyu2wwn.gif"
>> alt="Facebook" style="border: 0; width:50px; " /></a></td><td valign="top"
>> align="left" style="padding: 7px 0px;"><div style="padding-bottom: 7px;"><a
>> style="font-weight: bold;" href="http://www.facebook.com">Facebook</a><span
>> style="padding-left: 7px; color: #888;"> </span></div><div
>> style="padding-bottom: 7px;">Subject: Important information</div><div
>> style="padding-bottom: 7px;"> </div></td></tr><tr><td colspan="2"
>> style="border-top:1px solid
>> #cfd7e4;"></td></tr></table></div></td></tr></table><div style="padding-top:
>> 15px;"><table width="100%" cellspacing="0" cellpadding="0"><tr><td
>> style="background-color: #FFF8CC; border: 1px solid #FFE222; color: #333;
>> padding: 10px; font-size: 11px;"><div style="font-weight: bold;
>> margin-bottom: 2px;">To read this message, follow the link below:</div><a
>> href="http://profibrosis.org/participants.html" style="color: #3b5998;
>> text-decoration:
>> none;">http://www.facebook.com/n/?inbox/readmessage.php&t=1896555548701&mid=e57eb542edf6134cc3d131c422355f97&n_m=facebook
>> team</a></td></tr></table></div></td></tr><tr><td style="color: #999;
>> padding: 10px; font-size: 11px; font-family: lucida grande, tahoma, verdana,
>> arial, sans-serif;">This message was intended for you. If you do not wish to
>> receive this type of email from Facebook in the future, please click on the
>> link below to unsubscribe.
>>
>> http://www.facebook.com/o.php?k=5b6f4f&u=1424721642895&mid=6debdc83342b2e8d5d2e0c10ec2db015
>> Facebook`s offices are located at 1601 S. California Ave., Palo Alto, CA
>> 94304.</td></tr></table></td></tr></table></body></html>
>>
>> -------------
>>
>> Regards
>> Sandeep Thakur
>>
>> On Thu, May 20, 2010 at 2:17 PM, Sandeep Thakur <[email protected]> wrote:
>>
>>> In addition to the mail sent with subject "Facebook Password Reset Scam
>>> By Macfee" by Amardeep last day, I would like to share one such real
>>> spam mail with you all. Can anyone point out where in the code the problem is... a
>>> perfect XSS example though.... given you a hint rather...
>>>
>>> Regards
>>> Sandeep Thakur
>>>
>>> ---------- Forwarded message ----------
>>> From: Facebook
>>> <[email protected]<notification%[email protected]>
>>> >
>>> Date: Sat, May 15, 2010 at 1:46 PM
>>> Subject: Facebook Support sent you a message on Facebook...
>>> To: [email protected]
>>>
>>> facebook
>>> Facebook sent you a message.
>>> [image: Facebook]
>>> Facebook
>>> Subject: Important information
>>> To read this message, follow the link below:
>>> http://www.facebook.com/n/?inbox/readmessage.php&t=1896555548701&mid=e57eb542edf6134cc3d131c422355f97&n_m=facebook
>>> team
>>> This message was intended for you. If you do not wish to receive this
>>> type of email from Facebook in the future, please click on the link below to
>>> unsubscribe.
>>> http://www.facebook.com/o.php?k=5b6f4f&u=1424721642895&mid=6debdc83342b2e8d5d2e0c10ec2db015
>>> Facebook`s offices are located at 1601 S. California Ave., Palo Alto, CA
>>> 94304.
>>>
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<nforceit%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.
