23 April 2007 16:32 GMT
Isle of Man Phish
UK element to a phishing attack against PayPal today. The spammed-out phish email (below) provided three different links, all to a .location.html file on what appear to be three compromised boxes (one in Japan, two in Korea).

The .location.html file simply contains a short redirect script:
<script>window.location="http://(ip_removed)/.pp/confirm-account/processing.php";</script>
The IP address places the server within a co-location facility based on the Isle of Man. Looking through the files on that machine reveals some of the usual content, including public JavaScript (some of which appears to have been written in 2003) designed to validate credit-card details submitted in web forms! Nice to see code reuse, with no reinventing of the wheel! The harvesting site appears to have been constructed for the phishing attack, and is not using another compromised server.
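
A defender-side check for the redirect stub shown earlier, added here as an example and not taken from the original post: it flags script redirects that point at a bare IP address or a dot-prefixed path, served from a dot-prefixed file with no visible content. The function names, reason labels and sample pages are constructed for illustration, and the documentation address 192.0.2.10 stands in for the removed IP.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Script-driven navigation: window.location="...", location.href = "...",
# location.replace("...") and location.assign("...").
REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|self\.|top\.)?location
        (?:\.href)?\s*
        (?:=\s*|\.(?:replace|assign)\s*\(\s*)
        (["'])(?P<url>[^"']+)\1""",
    re.IGNORECASE | re.VERBOSE,
)
# Used to strip script bodies and tags so only visible text remains.
TAG_RE = re.compile(r"<script\b.*?</script>|<[^>]+>", re.IGNORECASE | re.DOTALL)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze(filename, html):
    """Return [(redirect_url, [reasons])] for each script redirect in html."""
    visible = TAG_RE.sub("", html).strip()
    findings = []
    for match in REDIRECT_RE.finditer(html):
        url = match.group("url")
        parts = urlparse(url)
        reasons = []
        if parts.hostname and is_ip_literal(parts.hostname):
            reasons.append("ip-literal-host")       # no domain name, just an address
        if any(s.startswith(".") and s not in (".", "..") for s in parts.path.split("/")):
            reasons.append("hidden-path-segment")   # e.g. /.pp/ on the harvesting host
        if filename.rsplit("/", 1)[-1].startswith("."):
            reasons.append("hidden-file")           # e.g. .location.html
        if not visible:
            reasons.append("redirect-only-page")    # nothing on the page but the script
        findings.append((url, reasons))
    return findings

# Constructed samples: the stub from this post with a placeholder IP, and a benign page.
SAMPLE_STUB = '<script>window.location="http://192.0.2.10/.pp/confirm-account/processing.php";</script>'
SAMPLE_BENIGN = ('<html><body><h1>Moved</h1><script>location.href = '
                 '"https://www.example.org/new-home";</script></body></html>')

if __name__ == "__main__":
    for name, page in ((".location.html", SAMPLE_STUB), ("index.html", SAMPLE_BENIGN)):
        print(name, analyze(name, page))
```

Run over a web root, a non-empty reason list on a file the site owner did not create is a prompt to check how it got there.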

Fraser Howard, SophosLabs UK
