Beware!: PayPal Phishing Site Exploits Google XSS Vulnerability
There is a new PayPal phishing site that is crafty and cunning in attempting to hide its true address from the surfer. Unsuspecting users might fall for this devious trickery. Unfortunately, Google is vulnerable to an XSS attack of which they are aware and are working to resolve. Actually this isn't a "traditional" JavaScript or similar XSS vulnerability; it is a redirect that is prone to being abused: a link on Google's own domain forwards the browser to a destination of the attacker's choosing. It is this venue that the phishing site uses to begin its lure and deception of the surfer.
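The redirect abuse described above is the classic "open redirect": a trusted domain forwards the browser wherever a parameter says, so a phishing lure can point at the trusted host while landing on the scam site. The following added example (written for this post, not Google's code, with a constructed site and allow-list) contrasts the weak pattern with a hardened redirect handler that falls back to the site root for anything off-list, including protocol-relative, userinfo and non-http(s) destinations.

```python
from urllib.parse import urlsplit, urljoin

# Constructed example: the site whose redirect endpoint we are protecting, and the
# hosts it may legitimately send users on to. Not Google's real configuration.
SITE_BASE = "https://www.example.com/"
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}


def open_redirect_target(requested):
    """The weak pattern: whatever ?url= says is where the browser goes.
    A lure links to the trusted domain, and the trusted domain hands the
    visitor to the scam site."""
    return requested


def safe_redirect_target(requested):
    """Hardened pattern: resolve the destination against our own origin and
    only redirect to http(s) URLs whose host is on the allow-list; anything
    else falls back to the site root. Returns the Location header value."""
    if not requested or any(c in requested for c in "\\\r\n\t "):
        # Backslashes and whitespace are parsed inconsistently by browsers
        # and never appear in a legitimate destination.
        return SITE_BASE
    resolved = urljoin(SITE_BASE, requested)   # "//host/x" becomes "https://host/x"
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return SITE_BASE                        # javascript:, data:, ftp: ...
    if parts.username is not None or parts.password is not None:
        return SITE_BASE                        # "https://trusted@other" style userinfo
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return SITE_BASE
    return resolved


if __name__ == "__main__":
    # Constructed sample of ?url= values a redirect endpoint might receive.
    samples = ["/account/summary", "https://mail.example.com/inbox",
               "//evil.example/paypal", "https://www.example.com@evil.example/",
               "javascript:void(0)"]
    for requested in samples:
        print(f"{requested!r:45} open -> {open_redirect_target(requested)!r:45} "
              f"safe -> {safe_redirect_target(requested)!r}")
```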
A 1024x768 Flash film of the whole visit is available in the extended entry of this blog item. It shows the whole sequence: the email delivery, the pass through the Google redirect, and the scam site's trickery in action.
Securiteam gives the gist of a similar exploit involving UTF-7:
Two XSS vulnerabilities were identified in the Google.com website, which allow an attacker to impersonate legitimate members of Google's services or to mount a phishing attack. Although Google uses common XSS countermeasures, a successful attack is possible when using UTF-7 encoded payloads.
The problem is, the advisory says the solution has already been implemented. But I'm still able to replicate this via the email that just arrived in my inbox.
Needless to say, an email with this information is being sent to Google. And the details are being made public so that users won't be taken in by the scam.
Below is a "thumbnail" of the full-screen video of my journey through this nefarious scam. You'll see how the scam site conceals its true address and spoofs an entirely different one.
Even without the Google XSS exploit, this is a very dangerous phishing scam. The video is about 18 megabytes, so give it time to download. Spread the word, don't let anyone fall victim!