
View Full Version : Abused DD dhtml script



paypalscam
04-16-2005, 04:46 AM
DD source HTML; this is exactly what I uncovered:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>PayPal-Log In-</TITLE>
<SCRIPT language=JavaScript1.2>

<!--



/*

Auto Maximize Window Script- By Nick Lowe (nicklowe@ukonline.co.uk)

For full source code, 100's more free DHTML scripts, and Terms Of Use

Visit http://www.dynamicdrive.com

*/



// Runs as soon as the script is parsed: moves the top-level window to the
// screen origin and stretches it to the available screen area.
// In this page the maximised window is the surface on which the body draws
// its own toolbar and address field, so a stock utility script ends up
// supporting the imitation browser look.
// NOTE(review): current browsers generally restrict script-driven move and
// resize of windows the script did not open; confirm per browser before
// assuming either branch still has an effect.
top.window.moveTo(0,0);

// document.all branch: one resizeTo call to the available width and height.
if (document.all) {

top.window.resizeTo(screen.availWidth,screen.availHeight);

}

// document.layers / getElementById branch: only grows the window, by writing
// outerHeight and outerWidth when either is smaller than the screen.
else if (document.layers||document.getElementById) {

if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth){

top.window.outerHeight = screen.availHeight;

top.window.outerWidth = screen.availWidth;

}

}

//-->

</SCRIPT>

<!-- Declares charset windows-1252, then an HTA:APPLICATION tag whose
     attributes switch off the context menu, the maximise and minimise
     buttons, and scrolling.
     The tag only takes effect when the file is run as an HTML Application
     (mshta.exe), which executes outside the browser's zone restrictions; a
     browser loading the page as ordinary HTML ignores it.
     NOTE(review): the link quoted in the post ends in index.htm, so whether
     this copy was ever delivered as an .hta file is not visible here. -->
<META http-equiv=Content-Type
content="text/html; charset=windows-1252"><HTA:APPLICATION id=oHTA VERSION="1.0"
APPLICATIONNAME="AmPost" BORDER="thin" BORDERSTYLE="normal" CAPTION="yes"
CONTEXTMENU="no" ICON="yes" INNERBORDER="yes" MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no" NAVIGABLE="yes" SCROLL="no" SCROLLFLAT="yes" SELECTION="yes"
SHOWINTASKBAR="yes" SINGLEINSTANCE="yes" SYSMENU="yes" WINDOWSTATE="normal" />
<!-- Page-wide styles: 8pt Arial, zero margin, no borders, and the system
     colour keyword buttonface as background, plus the helper classes
     .indent and .size used by the address field and the pop layer.
     NOTE(review): buttonface is the system colour for button surfaces, so
     the background presumably blends with native window chrome; confirm
     against a rendering of the sample. -->
<STYLE>BODY {
BORDER-RIGHT: medium none; BORDER-TOP: medium none; FONT-SIZE: 8pt; MARGIN: 0px; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none; FONT-FAMILY: Arial; BACKGROUND-COLOR: buttonface
}
TD {
FONT-SIZE: 8pt
}
.indent {
LEFT: auto; TEXT-INDENT: 15pt; WHITE-SPACE: normal; TEXT-ALIGN: left
}
.size {
WIDTH: 100%
}
</STYLE>

<SCRIPT type=text/javascript>
<!--
<!--
// 16-slot buffer of addresses seen in the content frame, written by load()
// and read by forward(); hpos is the index of the next slot to write.
// NOTE(review): the global name history collides with window.history, so
// whether this assignment takes effect depends on the browser; confirm.
// hpos is created as an implicit global (no var).
var history=new Array(16);
hpos=0;
// Browser gate: picks a redirect target from navigator.appName and the
// version parsed from navigator.appVersion.
//   NSvers / IEvers     minimum version for the Netscape / Microsoft branch
//   NSpass, NSnoPass,   selector per outcome: 0 = stay on this page,
//   IEpass, IEnoPass,   1 = go to URL, any other positive value = go to
//   OBpass              altURL (OBpass covers every other appName)
//   URL, altURL         candidate targets, passed through unescape()
// When a target is chosen the window is navigated to it and
// document.MM_returnValue is set to false; otherwise nothing happens.
// In this page BODY onload calls it with (4.0,1,1,4.0,0,0,1,...) and
// http://www.paypal.com for both targets: Netscape and "other" browsers are
// sent to the genuine site, and only a Microsoft appName stays on the page.
// Analysts replaying the sample should expect that redirect from any
// script-running client whose appName is not Microsoft.
// NOTE(review): the MM_ prefix and version tag look like authoring-tool
// boilerplate rather than code written for this page; confirm.
function MM_checkBrowser(NSvers,NSpass,NSnoPass,IEvers,IEpass,IEnoPass,OBpass,URL,altURL) { //v3.0
var newURL='', verStr=navigator.appVersion, app=navigator.appName, version = parseFloat(verStr);
if (app.indexOf('Netscape') != -1) {
if (version >= NSvers) {if (NSpass>0) newURL=(NSpass==1)?URL:altURL;}
else {if (NSnoPass>0) newURL=(NSnoPass==1)?URL:altURL;}
} else if (app.indexOf('Microsoft') != -1) {
// Passes on a numeric version match or when IEvers appears inside appVersion.
if (version >= IEvers || verStr.indexOf(IEvers) != -1)
{if (IEpass>0) newURL=(IEpass==1)?URL:altURL;}
else {if (IEnoPass>0) newURL=(IEnoPass==1)?URL:altURL;}
} else if (OBpass>0) newURL=(OBpass==1)?URL:altURL;
if (newURL) { window.location=unescape(newURL); document.MM_returnValue=false; }
}

// Points the content frame newFr at history[hpos].
// hpos is the slot load() writes next, so this reads the entry that is about
// to be overwritten rather than the most recent one.
// NOTE(review): no caller of forward() is visible in the posted source.
function forward()
{
frames["newFr"].location.href=history[hpos];
}

// onload handler of the iframe newFr: records the frame's current address.
// Strips one trailing "?" from the address, stores it at history[hpos], then
// advances hpos modulo 16 so the buffer wraps.
// l is an implicit global.
// NOTE(review): reading location.href of a frame that has navigated to
// another origin is normally blocked by the same-origin policy; confirm how
// the target browser of this sample behaved.
function load()
{
l=frames["newFr"].location.href;
if (l.lastIndexOf("?")==(l.length-1)) l=l.substr(0,l.length-1);
history[hpos]=l;
hpos++;
hpos%=16;
}
// Preloads every argument as an image, skipping arguments that start with
// "#"; the Image objects are kept in document.MM_p so they stay referenced.
// Does nothing when document.images is unavailable.
// In this page it is called from BODY onload with 'pdownclick.gif'.
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

// Undoes the last MM_swapImage call: for each image recorded in
// document.MM_sr, puts the saved oSrc back into src.
// The loop stops at the first entry that is missing or has no oSrc.
function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

// Finds a page object by name or id.
//   n  name to look up; a "name?frame" form selects the document of
//      parent.frames[frame] when the parent has frames
//   d  document to search, defaulting to the current document
// Lookup order: d[n], d.all[n], each form's named member, nested layers
// (recursively), then d.getElementById(n).
// Returns the first match, or a falsy value when nothing is found.
function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;
}

// Swaps image sources. Arguments are read in triples: object name, an
// unused middle value, and the new src; a trailing extra argument (the 1
// passed by this page's handlers) falls outside the last triple and is
// ignored.
// Resets document.MM_sr, then for each object found via MM_findObj records
// it there, saves the original src in oSrc once, and assigns the new src.
function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
// Writes msgStr to the global status property (the window status text) and
// sets document.MM_returnValue to true for the calling event handler.
// This page calls it with 'Done' from the Go image's mouseover and
// mousedown handlers, so the text shown there is set by the page itself.
// NOTE(review): many browsers ignore script writes to window.status;
// confirm for the browser this sample targeted.
function MM_displayStatusMsg(msgStr) { //v1.0
status=msgStr;
document.MM_returnValue = true;
}
// Submit handler for the imitation address bar (form nav, field newAddr).
// Reads the text typed into the field, prepends "http://" unless the text
// already starts with exactly that, and sets it as the form's action.
// The form targets the iframe newFr, so only that frame navigates; the
// top-level document stays this page.
// The prefilled value starts with "https://", which fails the "http://"
// test, so submitting it unchanged yields an action beginning
// "http://https://".
// a is an implicit global; nav is resolved as a bare global (the form name).
function go()
{
a=document.all.newAddr.value;
if (a.indexOf("http://")!=0) a="http://"+a;
nav.action=a;
return true;
// Unreachable: the two calls below sit after the return statement.
MM_swapImage('Image1','','go1click.gif');
MM_displayStatusMsg('Done');

}
// -->

// Shows or hides named layers. Arguments are read in triples: object name,
// an unused middle value, and 'show' or 'hide'.
// For objects with a style property the value is mapped to the CSS
// visibility keywords and written to style.visibility; otherwise it is
// written to the object's own visibility property unchanged.
// NOTE(review): (v='hide') is an assignment, not a comparison, so every
// value other than 'show' maps to 'hidden' on the style path.
// Used in this page to toggle the layer named 'pop'.
function MM_showHideLayers() { //v3.0
var i,p,v,obj,args=MM_showHideLayers.arguments;
for (i=0; i<(args.length-2); i+=3) if ((obj=MM_findObj(args[i]))!=null) { v=args[i+2];
if (obj.style) { obj=obj.style; v=(v=='show')?'visible':(v='hide')?'hidden':v; }
obj.visibility=v; }
}
//-->
</SCRIPT>

<META content="Microsoft FrontPage 5.0" name=GENERATOR></HEAD>
<!-- Body of the captured page. onload preloads pdownclick.gif and calls
     MM_checkBrowser(4.0,1,1,4.0,0,0,1,...) with http://www.paypal.com as
     both targets: by that function's logic Netscape and "other" browsers
     are redirected to the genuine site and only a Microsoft appName stays
     here. Any mousedown hides the layer named pop. -->
<BODY onmousedown="MM_showHideLayers('pop','','hide')"
onload="MM_preloadImages('pdownclick.gif');MM_checkBrowser(4.0,1,1,4.0,0,0,1,'http://www.paypal.com','http://www.paypal.com');return document.MM_returnValue"
onunload=;><SPAN class=" indent">
<TABLE height="100%" cellSpacing=0 cellPadding=0 width="100%">
<TBODY>
<TR borderColor=#cccccc>
<TD>
<TABLE borderColor=#c0c0c0 cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<!-- Imitation address bar. The text field newAddr is prefilled with
     https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, so the "address"
     a visitor reads is page content, not the location of the document that
     is loaded. Form nav targets the iframe newFr, so go() navigates only
     that frame. The GIF names (addr, ress, ie2, go1, pdown) presumably paint
     the toolbar look; the images themselves are not part of the post.
     NOTE(review): href="file:///E:/" and src="hide.htm" look like authoring
     leftovers; confirm before treating them as indicators. -->
<FORM name=nav onsubmit=go(); action=about:blank method=get target=newFr>
<TD
style="PADDING-RIGHT: 1px; PADDING-LEFT: 1px; PADDING-BOTTOM: 1px; PADDING-TOP: 1px"
align=right width=3 height=22>
<P align=left><IMG height=18 src="sline.gif" width=3 align=right
border=0></P></TD>
<TD
style="BACKGROUND-POSITION: right 50%; BACKGROUND-IMAGE: url(addr.gif); BACKGROUND-REPEAT: no-repeat"
width=34 height=22>
<P>&nbsp;</P></TD>
<TD
style="BACKGROUND-POSITION: left 50%; BACKGROUND-IMAGE: url(ress.gif); BACKGROUND-REPEAT: no-repeat"
align=left width="81%" height=22><INPUT class=indent id=newAddr
style="BACKGROUND-POSITION: left top; FONT-SIZE: 8pt; BACKGROUND-IMAGE: url(ie2.gif); WIDTH: 100%; BACKGROUND-REPEAT: no-repeat; HEIGHT: 22px"
size=40 value=https://www.paypal.com/cgi-bin/webscr?cmd=_login-run name=no>
</TD>
<TD width=146 height=22 no-repeat? BACKGROUND-REPEAT: url(?addr.gif?);
BACKGROUND-IMAGE:><A onmousedown="MM_swapImage('Image2','','pdownclick.gif',1)"
style="CURSOR: default" onmouseout=MM_swapImgRestore()
href="primapagina.htm#"><IMG onclick="MM_showHideLayers('pop','','show')"
height=21 src="pdown.gif" width=17 border=0 name=Image2></A><A
onmousedown="MM_swapImage('Image1','','go1click.gif',1);MM_displayStatusMsg('Done');return document.MM_returnValue"
onmouseover="MM_swapImage('Image1','','go1roll.gif',1);MM_displayStatusMsg('Done');return document.MM_returnValue"
onmouseout=MM_swapImgRestore() href="file:///E:/"><INPUT id=Image1
style="CURSOR: default" onclick=go() type=image height=22 width=49 src="go1.gif"
border=0 name=image1> </A></TD></FORM></TR>
<TR>
<TD width=798 bgColor=#000000 colSpan=4><IMG height=1 src="hide.htm" width=1
border=0></TD></TR>
<TR>
<TD width=798 bgColor=#ffffff colSpan=4><IMG height=1 src="hide.htm" width=1
border=0></TD></TR></TBODY></TABLE>
<!-- Hidden layer pop holding an empty textarea. It is shown by clicking the
     pdown.gif arrow and hidden again on any mousedown, apparently standing
     in for the drop-down of an address bar. -->
<DIV id=pop
style="BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; Z-INDEX: 1; LEFT: 53px; VISIBILITY: hidden; BORDER-LEFT: #000000 1px; WIDTH: 81%; BORDER-BOTTOM: #000000 1px; POSITION: absolute; HEIGHT: 50px; BACKGROUND-COLOR: #999999; layer-background-color: #999999"><TEXTAREA class=size name=textfield rows=5 wrap=VIRTUAL cols=77></TEXTAREA>
</DIV></TD></TR>
<!-- Content frame. newFr loads primapagina.htm relative to the hosting
     server and fills the rest of the window; its markup is not part of this
     post, so what it shows or collects cannot be confirmed from here.
     application="no" is the HTA frame attribute that keeps framed content
     from being treated as part of the HTA. -->
<TR height="100%">
<TD vAlign=top><IFRAME id=newFr style="WIDTH: 100%; HEIGHT: 100%" name=newFr
src="primapagina.htm" onload=load()
application="no"> </IFRAME></TD></TR></TBODY></TABLE></SPAN></BODY></HTML>

It's not Dynamic Drive's fault when someone misuses a good script for an illegal scheme. I got a new spoof claiming I was successful in adding a new e-mail address to my PayPal account. After linking to their "sign-in" page, a nifty pop-up appeared. It not only had a credit to Dynamic Drive but even had the name of the author of the page whose title was "Paypal Signin". It looked very authentic; there was no "lock icon", but https came up more often than just http, which is new. The link I was supposed to use is the following.
Link target: http://211.233.13.173/.ssl/paypal/secure/pl/index.htm?a%20s%20d%20h%20a%20j%20d%20h%20a%20s%20g%20d%20a%20s%20d%20fa%20s%20g%20h%20f%20g%20a%20s%20h%20d%20f%20a%20s%20d%20a%20s%20d%20a%20s%20d%20a%20s%20d %20a%20s%20d
Link text as displayed: https://www.paypal.com/row/wf/f=ap_email
I guess I'm frustrated since I get at least 1 spoof every day of the week.

jscheuer1
04-16-2005, 06:23 AM
PayPal specifically says not to link to them through email, though they send you plenty of emails with links to their site. This has nothing to do with PayPal, DD or anything really, other than that there are scams out there. If you receive an email from any company, group or organization asking you to use a link in the email to update your info, don't. Instead, go to their website yourself (not through the email's link) and see if there is anything there about this 'needed' update, or if in fact an address was added or whatever. You may even have to call customer service to find out for sure. All of this is 1000% better than falling prey to a scam, or worse.

ddadmin
04-16-2005, 08:20 AM
Unfortunately there's little that can be done to prevent scammers from using a script from Dynamic Drive (or any other JavaScript archive for that matter) within their webpage or email spam. We're very aware of cases like the above, and even contacted one of the involved companies (in this case, eBay) in the past regarding it. But if eBay couldn't put a stop to scammers like these when they're a multi-billion-dollar company and directly harmed by the scam, it puts things into perspective as far as what we could do.