|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Discovering and Stopping Phishing/Scam Attacks
From: thomas adams (tgadams
bellsouth.net)
Date: Tue Apr 26 2005 - 23:42:14 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In-Reply-To: <1312.128.173.146.141.1114545545.sporkwebmail.lovebug.org>
I have actually worked with another guy in coding a small app that will watch the referrer logs. If the referrer is not in a list of 'known referrers' an email will be sent to the admin. This actually helps in spotting phishing sites fairly early, because we can see the site being made. Doesnt catch them all, but you can bet if they use this method we will see them.
Changing the images could get to be a massive headache.
I think the referrer method is much easier than what you are suggesting.
Thomas Adams, CISSP
>As we have all noticed, there has increase in the number of phishing/scam
>attempts via e-mail that appear to be legitimate. Most of
>these e-mails look identical to e-mails that would be sent by the
>e-commerce or banking institute. They also frequently link to
>fraudulent/hacked webservers that also appear very similar to the website
>they are masquerading as.
>
>I noticed quite some time ago is that most of these websites
>and e-mails do not host their own images. From what I have seen, more
>often than not, these e-mails and websites link directly to images hosted
>by the legitimate website. For example, I just received an eBay scam
>asking me to signup to be a PowerSeller. The PowerSeller artwork, logos,
>and other images are all linked directly from eBay. So this makes me
>realize that there are a few things some of these targeted
>websites/businesses can do to detect these scam sites much quicker. I
>have made this suggestion to a few banking institutions in the past, and I
>have no idea if anyone has actually decided to implement my ideas or not
>-- but they seem pretty feasible.
>
>Since they are linking to the images hosted on the site they are cloning
>-- the banking/e-commerce website could just rename their images on
>their own webpage every so often (and update their webpages accordingly).
>However, at the same time they should keep copies of the images with their
>old names. Now they can check their logs to see what webpage(s) are
>accessing these old image names. Chances are they will link directly back
>to the hacked website purporting to be their page. This would allow for
>quicker detection of this phishing and scam websites, providing a slight
>leg up for sites trying to fight this.
>
>Just an idea -- let me know if anyone has any comments.
>
>Steven
>stevenlovebug.org
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]