Scam Combines Patriot Act FUD With IE Bug
LostCluster writes "CNET, Reuters, and the AP are all reporting this morning about a circulating e-mail scam that claims that people will lose their FDIC bank account insurance because they are suspected of violating the Patriot Act unless they confirm their bank account information with a website. The scammers then use the already documented bug in IE that allows a site in Pakistan to get 'www.fdic.gov' to appear in the URL bar. Where's an MS patch when we really need one?"
For those of us that don't feel like switching to another OS, Opera will do.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Where does India come in? Your thinking that Pakistan belongs to "that area of the world close to where all the outsourcing is" shows your utter lack of basic geographical knowledge.
Here is a repost of the email on news.admin.net-abuse.sightings.
The link text: <a href="http://www.fdic.gov@202.63.206.88/index.htm">http://www.fdic.gov/idverify/cgi-bin/index.htm</a>
There's no point in a slashdotting/DDoS since the U.S. connectivity provider has already choked off the flow of packets to this server in Pakistan. Pinging 202.63.206.88 times out.
Um. India and Pakistan border each other, do they not?
A patch was released by an open source development site for this bug; unfortunately, it turned out that the patch contained a buffer overflow and malicious code. Click here for the story.
The IT section color scheme sucks.
And for those of us too cheap to buy a new browser, Mozilla or Firebird will have to do.
"Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
But the problem is your solution also requires one of these upgrades.
;)
I would rather recommend this upgrade.
Or if you have a dislike for Linux, even just this upgrade helps much.
-- Karma: beyond good and evil - mostly affected by posting political
...shows your utter lack of basic geographical knowledge... ;-) (and probably the parent's post too). Pakistan was a part of the crown colony India until 1948.
And shows your utter lack of historical knowledge as well.
Auto-reply to ACs: "Truly, you have a dizzying intellect."
Now that I'm unemployed, I feel more secure knowing that I have no money which can be scammed from me because of a "Patriot" Act. Thank God for the state of our Bushist economy!
The Welkin: Online Music Reviews
The problem was that if you introduced a certain character just before the @ sign, the false url (eg the one that is actually the auth detail) will be the only one displayed. The real url would be left off, and thus people would be tricked. It's interesting to note that a similar issue has been around a fair while, as there have been scams based on it (eg "banks" emailing you, asking you to click on a link and verify your login details. Page displayed looks real as it's just a copy of your bank's real site, but the url has @www.scammersurl.com at the end, after what looks like valid HTTP/GET data).
I'm going on what official reports of the bug say, because I have never actually been able to replicate the effect myself on IE5.5, IE5.5sp1, IE6, IE6sp1 and IE6sp2, so it does seem that not all installs are vulnerable, as they all displayed the fake url and the real url as you would expect in the address bar. For the record, I tried this on WinXP (just the IE6 versions) and Win2k.
That was either some biting political commentary or a bad typo. (The real "nasty" site is .com not .gov :P)
The REAL problem is that inserting a %01 and unescaping the URL causes IE to NOT display the URL as typed. Thus, it redirects you to a different site without you knowing. Only IE does this, so clearly there's a "right way" and a "wrong way" to do it and IE is doing it wrong. That's a BUG and a big security problem.
=Smidge=
(puts on asbestos underwear)
The Patriot act invades the privacy and tramples the civil rights of America's citizenry by allowing the DOJ and the CIA to bypass the Bill of Rights whenever they feel like it by declaring someone a suspected terrorist, or, even better, an enemy combatant. The only thing preventing the Executive branch from using this to silence political dissidents is the enormous political fallout should they attempt it. It is, in addition, transparently racist in its implementation because it is being used to focus the eyes of law enforcement on dark-skinned foreigners, while largely ignoring homegrown terrorist groups such as the Ku Klux Klan, National Alliance, Posse Comitatus, and the World Church of the Creator.
But, if none of these issues bother you, ignore me. You probably will anyway.
You are not the customer.
What you described has been known for a long time and arguably isn't a bug, yes. But what they're using is a newer variation that's more dangerous and clearly a bug. If you include a %00 just before the @, only "http://www.slashdot.org" is displayed. (Apparently the display code evaluates the hex escape and treats the %00 as end-of-string, but the engine itself does not.) Your only real indication that something is wrong is the lack of the trailing "/", which you're not likely to notice even if you know what it means.
You are not the customer.
I believe M$ said that this wasn't important to fix. Moz and all the others had it patched the same very day it was posted on bugtraq.
Nick
Here's the text that prompted me to give away my personal info :)
Important News About Your Bank Account
To whom it may concern;
In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act. While we have only a limited amount of evidence gathered on your account at this time it is enough to suspect that currency violations may have occurred in your account and due to this activity we have withdrawn Federal Deposit Insurance on your account until we verify that your account has not been used in a violation of the Patriot Act.
As a result Department Of Homeland Security Director Tom Ridge has advised the Federal Deposit Insurance Corporation to suspend all deposit insurance on your account until such time as we can verify your identity and your account information.
Please verify through our IDVerify below. This information will be checked against a federal government database for identity verification. This only takes up to a minute and when we have verified your identity you will be notified of said verification and all suspensions of insurance on your account will be lifted.
http://www.fdic.gov/idverify/cgi-bin/index.htm
Failure to use IDVerify below will cause all insurance for your account to be terminated and all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification. Failure to provide proper identity may also result in a visit from Local, State or Federal Government or Homeland Security Officials.
Thank you for your time and consideration in this matter.
Donald E. Powell
Chairman Emeritus FDIC
John D. Hawke, Jr.
Comptroller of the Currency
Michael E. Bartell
Chief Information Officer
Yesterday I received a message that appeared similar in nature to that described by the article. After many phone calls I managed to speak to the fraud section at the Commonwealth Bank (biggest bank in Oz), where the message appeared to come from.
Their solution (after getting some of the bank staff to pull their head from the sand) was to redirect all requests to a specific URL to the Bank's home-page.
Now I for one, think that the only way that they could do that, was with cooperation from ALL ISP's in this country.
The scam and the bank's initial response pissed me off, but the redirect scares the *shit* out of me.
Anyone else share my concerns, or should I just crawl back into my box and live with the idea that the Internet has just died...
|>>?
And sometimes on that occasion you can put "about:config" in the address bar, change general.useragent.vendor to "MSIE" and have it work anyway. MBNA recently changed their online payment system, and they're telling people to do this if they want to use Firebird. Just change it back when you're done so that the rest of the world is aware of the fact that other browsers are used!
India and Pakistan are two different countries, India is not even mentioned in the article. Who modded this funny?
Banks get notified of tons of things like this every day (I work in one), and all the tellers should know of the scams. Before you do anything involving your bank account, call your bank!
We also get memos telling us NOT to let Bin Laden or Saddam open accounts... along with a list of the US Government's top 100 most wanted. I'm still not quite sure how we're supposed to memorize all those names...
When I first heard about this bug I put a body_check in Postfix to block messages containing the offending code. In the past 24 hours it's blocked 40 messages that tried to exploit the bug but none were this FDIC scam.
The virus is faked as coming from "security-center@microsoft.com" and it tries to send the user to http://www.microsoft.com%01@d2341647.u35.worldispnetwork.com/update/ which loads a microsoft page in one frame and in another frame attempts to download a file of type application/hta.
I have yet to find information about this on any of the major Virus Scanners' websites. Anybody know more about it?
A friend of mine got one of the emails, the text of it was very convincing and well written. Normally stuff like this has typos, but this one had a very compelling story to tell and the website for it was quite well done also.
I can see how many people would have been suckered into providing their info.
Need Free Juniper/NetScreen Support? JuniperForum
This browser toolbar isn't spyware and detects the spoofing...
http://www.dejasurf.com/help/spoofwarn.html
A lot of people here have suggested Mozilla as a solution. That is a partial answer. But a proper solution has not been implemented yet in Mozilla. See Bugzilla bug 122445, "Spoof prevention: Warn if username/password in link (url) looks like a hostname". The bug has been outstanding for two years now and it's still not been fixed in Mozilla. There is a proposed patch planned to go into 1.7a.
For the full discussion see: http://bugzilla.mozilla.org/show_bug.cgi?id=122445
"Moz and all the others had it patched the same very day it was posted on bugtraq."
Moz doesn't exactly fix it. Granted, it's better than what IE does as you can see where it is really headed. However, it still sends you a misleading URL.
"http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm"
It works as expected, but it is still not fixed. Opera, however, does actually address this issue. If you attempt to go to a URL that is formed like that, an error window appears. It says that you are trying to go to a site that has a Username in it, and it tells you specifically which domain you are trying to enter. Without this warning, Mozilla is only a little better off than IE.
"Derp de derp."
To whom it may concern;
In cooperation with the Department Of Homeland Security, Federal, State and Local Governments your account has been denied insurance from the Federal Deposit Insurance Corporation due to suspected violations of the Patriot Act. While we have only a limited amount of evidence gathered on your account at this time it is enough to suspect that currency violations may have occurred in your account and due to this activity we have withdrawn Federal Deposit Insurance on your account until we verify that your account has not been used in a violation of the Patriot Act.
As a result Department Of Homeland Security Director Tom Ridge has advised the Federal Deposit Insurance Corporation to suspend all deposit insurance on your account until such time as we can verify your identity and your account information.
Please verify through our IDVerify below. This information will be checked against a federal government database for identity verification. This only takes up to a minute and when we have verified your identity you will be notified of said verification and all suspensions of insurance on your account will be lifted.
http://www.fdic.gov/idverify/cgi-bin/index.htm [202.63.206.88]
Failure to use IDVerify below will cause all insurance for your account to be terminated and all records of your account history will be sent to the Federal Bureau of Investigation in Washington D.C. for analysis and verification. Failure to provide proper identity may also result in a visit from Local, State or Federal Government or Homeland Security Officials.
Thank you for your time and consideration in this matter.
Donald E. Powell
Chairman Emeritus FDIC
John D. Hawke, Jr.
Comptroller of the Currency
Michael E. Bartell
Chief Information Officer
/. users need to keep their eyes open for patches!! The patch was released some time back and /. did a story on it too.
OpenWares.org
Look for the IE patch. It was released Dec 2003
"This patch addresses a vulnerability in Microsoft Internet Explorer that could allow Hackers and con-artists to display a fake URL in the address and status bars. The vulnerability is caused due to an input validation error, which can be exploited by including the "%01" and "%00" URL encoded representations after the username and right before the "@" character in an URL. "
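An added example, written for this page and not posted by anyone in the thread, that does what the Postfix body_check comment above and the Bugzilla 122445 heuristic describe: it pulls URLs out of a message body, reports the host a browser would really connect to, and flags userinfo that looks like a hostname or carries a %00/%01 escape right before the "@". The sample body and the evil.example host are constructed; the other URLs are the ones quoted in the thread.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: a message body mixing a genuine link with the two spoof
# forms discussed in the thread (hostname-looking userinfo, and an encoded
# control byte in front of the '@').
SAMPLE_BODY = """Please verify through our IDVerify below.
http://www.fdic.gov/idverify/cgi-bin/index.htm
Actual href: http://www.fdic.gov@202.63.206.88/index.htm
Proof of concept: http://www.microsoft.com%01@zapthedingbat.com/security/ex01/vun2.htm
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOSTNAME_LIKE = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def analyze_url(url):
    """Return {'real_host': ..., 'warnings': [...]} for one URL.

    An empty warnings list means the URL carries no userinfo trick.
    """
    parts = urlsplit(url)
    result = {"real_host": parts.hostname, "warnings": []}
    if "@" not in parts.netloc:
        return result
    # Everything before the last '@' is userinfo; the browser connects to what follows.
    userinfo = parts.netloc.rsplit("@", 1)[0]
    # %00 / %01 before the '@': the byte that makes IE's address bar stop short.
    if re.search(r"%0[01]", userinfo, re.IGNORECASE):
        result["warnings"].append("encoded control byte in userinfo")
    # Bugzilla 122445 heuristic: userinfo that looks like a hostname is a spoof attempt.
    visible = "".join(ch for ch in unquote(userinfo) if ch.isprintable())
    if HOSTNAME_LIKE.fullmatch(visible):
        result["warnings"].append(
            f"userinfo '{visible}' looks like a hostname; real host is {parts.hostname}")
    return result

def scan_body(text):
    """Mail-filter style pass: map each suspicious URL in text to its report."""
    hits = {}
    for url in URL_RE.findall(text):
        report = analyze_url(url)
        if report["warnings"]:
            hits[url] = report
    return hits

if __name__ == "__main__":
    for url, report in scan_body(SAMPLE_BODY).items():
        print(url, "->", report["real_host"], "|", "; ".join(report["warnings"]))
```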