
Archive for October 6, 2008

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I noticed that Aviv Raff disclosed two vulnerabilities found in the iPhone on the Jewish New Year (Oct 2). But, to my surprise, the phishing vulnerability isn’t new to me; it is a bit old. In fact, I created a crafted email with a spoofed URL in it, inspired by its original author, Juan Pablo Lopez Yacubian.

This topic was blogged about last April 24: Zero Day Exploit: Safari Address Bar URL Spoofing

Since this vulnerability affects Safari 3.1, obviously iPhone users are affected as well. I just created this email to show that this vulnerability exists.

Notice the URL. You’ll find it creepy ‘coz in a desktop email browser you will usually see the complete URL in the lower right side bar. But in this case, the attacker can simply create a hyperlink to hide it, and it’s not that obvious!

Upon clicking it, here’s what you’ll find …

Google in the URL bar and Yahoo in the content? Yes, this is the security flaw found in Safari. This happens when you input a URL containing special characters followed by “@”, which marks where the actual hostname begins. The special characters were crafted to be long enough to hide the URL of the page.

However, once you minimize the page, the URL displayed should ring a bell that something is fishy!

The lesson here is to be aware and stay safe!
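
The “@” construct described above can be checked for mechanically before a link is ever shown to a user. The following is an added example, not code from the original post: it parses a link with the same rules a browser applies and reports the host that will actually be contacted, flagging userinfo that is dressed up as a hostname or padded out. The `.example` links, the `%20` padding and the length threshold are constructed assumptions.

```javascript
// Added example: flag links whose authority has a userinfo part ("user@host"),
// the construct the spoofed address bar relied on. All links are constructed.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i; // crude "looks like a domain"
const MAX_USERINFO = 32; // assumed length threshold for "padding"

function inspectLink(href) {
  let url;
  try {
    url = new URL(href); // WHATWG parser, same rules a browser applies
  } catch {
    return { parsed: false, actualHost: null, userinfo: "", flags: ["unparseable"] };
  }
  // Userinfo as the parser kept it (still percent-encoded).
  const raw = url.password ? `${url.username}:${url.password}` : url.username;
  let decoded = raw;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    // Malformed escape sequence: fall back to the raw form.
  }
  const flags = [];
  if (raw) {
    flags.push("userinfo-present");
    // First token before any padding: is it dressed up as a hostname?
    const lead = decoded.trim().split(/[\s/:]/)[0];
    if (HOSTLIKE.test(lead) && lead.toLowerCase() !== url.hostname) {
      flags.push("decoy-host");
    }
    if (raw.length > MAX_USERINFO || /\s{2,}/.test(decoded)) flags.push("padding");
  }
  return { parsed: true, actualHost: url.hostname, userinfo: raw, flags };
}

// Constructed sample links: a plain link, a padded decoy, a benign FTP login.
const SAMPLE_LINKS = [
  "https://www.bank.example/login",
  "http://www.bank.example" + "%20".repeat(40) + "@attacker.example/",
  "ftp://alice@files.example/pub",
];

function report(links) {
  return links.map((link) => {
    const result = inspectLink(link);
    return `${result.actualHost} [${result.flags.join(",")}]`;
  });
}

console.log(report(SAMPLE_LINKS).join("\n"));
```

A mail gateway or link-preview component can show `actualHost` in place of the raw link text and quarantine anything flagged `decoy-host`.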

MPEG, MP3, AVI, Video/Audio Media Files

These are URLs commonly found inside malicious/infected MPEG, MP3, AVI, WMA and WMV files.

h t t p://coolpixhost.biz/rd/redir.php?kw=mp3 --> redirecting to minisites.mypengo.com
h t t p://playmoviesx.com/go/?a=vidwmv&t=search&cmp=wmv_audio
h t t p://isvbr.net?t=3
h t t p://www.fastmp3player.com/affiliates/772465/2/
h t t p://missing-codecs.net/inc/24002/media_codecs/

Upon opening, the file will connect to any of these URLs and download a malicious program such as Windows_Media_Player_Flash_Codec_Plugin.exe.

Be careful and stay safe!
