Re: Discovering and Stopping Phishing/Scam Attacks

From: byte_jump (bytejumpgmail.com)
Date: Tue Apr 26 2005 - 18:59:42 CDT


Like I said, I've implemented something as simple as a Perl script
that is controlled by cron and had it be very, very effective at
grabbing sites while they were still in development. The greatest
difficulty is maintaining a list of known, good referrers, but as long
as you train your web development guys this isn't too bad. All the
implementations I've been involved with have had very few false
positives.

byte_jump

On 4/26/05, Michael J. Pomraning <mjp-incidents-mlsecurepipe.com> wrote:
>
> Steven,
>
> You may not even need honeytoken resources.
>
> If you can detect "deeplinking" or unusual navigational patterns
> associated with your web app login, you may have a malicious third
> party at play. Was 'process-login.asp' fetched from an offsite
> Referer? Was that the first hit of the client's session?
>
> Yes, there would be tuning and false positives (search engines may
> want your images) and profiling (what does a typical login look
> like?). Scam sites that are completely self-contained, or that
> cleverly interleave themselves in an otherwise ordinary browsing
> (e.g., a convincing login popover) would remain undetected. Some
> folks might be behind proxies that strip Referer strings, etc.
>
> However, I share your belief that a good number of these phishing
> sites create incidental traffic that could be detected -- at least
> until attackers get more sophisticated.
>
> Has anyone tried to detect in more-or-less realtime through log (or
> wire capture) analysis?
>
> Regards,
> Mike
> --
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Network Security
>
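The deeplinking check Mike describes (offsite Referer on the login handler, or the login handler as the client's first hit), with the known-good referrer list byte_jump mentions, written in Python as an added example; it is not byte_jump's Perl script. The combined log format, the site name, the allow-list and the sample log lines are all constructed, and a session is approximated by client IP.

```python
import re
from urllib.parse import urlparse
# Apache "combined" log format (regex constructed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Hypothetical site: the maintained list of known, good referrer hosts.
KNOWN_GOOD_REFERRERS = {"www.example-bank.com", "example-bank.com"}
LOGIN_HANDLER = "/process-login.asp"

# Constructed sample: a normal login; a login deeplinked from a look-alike
# host on the client's first hit; a login whose Referer a proxy stripped.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2005:18:59:42 -0500] "GET /login.asp HTTP/1.1" 200 512 "https://www.example-bank.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2005:18:59:50 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "https://www.example-bank.com/login.asp" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Apr/2005:19:02:11 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "http://www.example-bank.com.secure-update.invalid/login.htm" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Apr/2005:19:05:00 -0500] "GET /index.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Apr/2005:19:05:30 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, login_handler=LOGIN_HANDLER, good_referrers=KNOWN_GOOD_REFERRERS):
    """Return (ip, reason, referer) for each login-handler hit that looks deeplinked."""
    seen_clients = set()  # session approximated by client IP
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        first_hit = rec["ip"] not in seen_clients
        seen_clients.add(rec["ip"])
        if rec["path"].split("?", 1)[0].lower() != login_handler:
            continue
        ref = rec["referer"]
        if ref in ("", "-"):
            reason = "missing-referer"  # proxies strip Referer: note it, don't call it offsite
        else:
            # Exact host match: a look-alike host that merely contains our name is offsite.
            host = (urlparse(ref).hostname or "").lower()
            reason = None if host in good_referrers else "offsite-referer"
        if first_hit:
            reason = "first-hit" if reason is None else reason + "+first-hit"
        if reason:
            findings.append((rec["ip"], reason, ref))
    return findings
```

Tuning for search-engine crawlers and legitimate partner sites is a matter of extending the allow-list; the missing-Referer case is reported separately so it can be weighted lower than a confirmed offsite Referer.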
