Re: Discovering and Stopping Phishing/Scam Attacks
From: Michael J. Pomraning (mjp-incidents-ml@securepipe.com)
Date: Tue Apr 26 2005 - 17:09:18 CDT
On Tue, 26 Apr 2005 steven@lovebug.org wrote:
> I noticed quite some time ago is that most of these websites
> and e-mails do not host their own images. From what I have seen, more
[....]
> Since they are linking to the images hosted on the site they are cloning
> -- the banking/e-commerce website could just rename their images on
> their own webpage every so often (and update their webpages accordingly).
> However, at the same time they should keep copies of the images with their
> old names. Now they can check their logs to see what webpage(s) are
> accessing these old image names. Chances are they will link directly back
> to the hacked website purporting to be their page. This would allow for
> quicker detection of these phishing and scam websites, providing a slight
> leg up for sites trying to fight this.
Steven,
You may not even need honeytoken resources.
If you can detect "deeplinking" or unusual navigational patterns
associated with your web app login, you may have a malicious third
party at play. Was 'process-login.asp' fetched from an offsite
Referer? Was that the first hit in the client's session?
Yes, there would be tuning and false positives (search engines may
want your images) and profiling (what does a typical login look
like?). Scam sites that are completely self-contained, or that
cleverly interleave themselves into otherwise ordinary browsing
(e.g., convincing login popovers) would remain undetected. Some
folks might be behind proxies that strip Referer strings, etc.
However, I share your belief that a good number of these phishing
sites create incidental traffic that could be detected -- at least
until attackers get more sophisticated.
Has anyone tried to detect this in more-or-less real time through log (or
wire capture) analysis?
Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Network Security
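The two detection ideas in this thread, Mike's deep-link check on the login handler and Steven's retired-image honeytokens, as an added log-analysis example that is not code from either poster. The log lines, the hostname www.example-bank.test, the retired image name and the use of client IP as a stand-in for a session are all constructed assumptions; only the handler name process-login.asp comes from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines for a hypothetical bank site (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2005:17:00:01 -0500] "GET /login.asp HTTP/1.1" 200 5120 "http://www.example-bank.test/" "Mozilla/4.0"
10.0.0.5 - - [26/Apr/2005:17:00:09 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "http://www.example-bank.test/login.asp" "Mozilla/4.0"
10.0.0.9 - - [26/Apr/2005:17:01:14 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "http://203.0.113.7/~acct/verify.html" "Mozilla/4.0"
10.0.0.12 - - [26/Apr/2005:17:02:30 -0500] "GET /images/logo_v1.gif HTTP/1.1" 200 2311 "http://203.0.113.7/~acct/verify.html" "Mozilla/4.0"
10.0.0.20 - - [26/Apr/2005:17:03:00 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OUR_HOST = "www.example-bank.test"        # assumed hostname of the genuine site
LOGIN_HANDLERS = {"/process-login.asp"}   # the handler named in the post
RETIRED_IMAGES = {"/images/logo_v1.gif"}  # honeytoken: old image names kept online after renaming


def analyze(log_text):
    """Return a list of (ip, reason, path, referer) alerts for one log excerpt."""
    alerts = []
    seen_clients = set()  # assumption: first request from an IP approximates "first hit of session"
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, referer = m["ip"], m["path"], m["referer"]
        first_hit = ip not in seen_clients
        seen_clients.add(ip)
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        offsite = ref_host is not None and ref_host != OUR_HOST
        if path in LOGIN_HANDLERS:
            if offsite:
                alerts.append((ip, "login handler with offsite Referer", path, referer))
            elif first_hit:
                alerts.append((ip, "login handler is first hit of session", path, referer))
        if path in RETIRED_IMAGES:
            # the Referer here is the page embedding the old image, i.e. the clone to investigate
            alerts.append((ip, "retired image requested", path, referer))
    return alerts
```

Each alert carries the Referer so the flagged clone URL can be pulled straight out of the logs; tuning (search-engine crawlers, proxies that strip Referer) is left to the operator, as the post notes.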