Re: Discovering and Stopping Phishing/Scam Attacks

From: byte_jump (bytejumpgmail.com)
Date: Tue Apr 26 2005 - 23:39:57 CDT


Oh, I'm not advocating adjusting images. To me it seems like a
headache - not to mention, how do you inform people of the changes?

I agree that tracking referrers is a great idea. Aside from that,
there's not much one can do from a prevention standpoint.

byte_jump

On 4/26/05, Thomas Adams <tgadamsbellsouth.net> wrote:
> The problem comes in making changes to production servers during production.
> Most people don't want to take the chance of doing that. Not to mention
> highly targeted companies receive hundreds of attacks a day. There is your
> headache waiting to happen.
> Just go with what is already set up. Referrer logs are easy to turn on (may
> be default on most webservers now). Very easy to watch them and you are
> definitely in a proactive stance by doing so.
> The phishers change just as fast as you can change your server. For
> instance, we just set up a new layout for our webserver. A few hours later,
> we noticed new updated phishing kits to reflect our changes.
>
> Thomas Adams, CISSP
>
> -----Original Message-----
> From: byte_jump [mailto:bytejumpgmail.com]
> Sent: Tuesday, April 26, 2005 6:56 PM
> To: thomas adams
> Cc: incidentssecurityfocus.com
> Subject: Re: Discovering and Stopping Phishing/Scam Attacks
>
> It's really not that bad to change images or refer to a different
> image, or even add an image. If you are tracking referrers to special
> files such as images (there are others too, depending on your site)
> the fraudster will have to host the images himself in order to avoid
> being detected. Once he does that, he gives the legitimate site the
> ability to take proactive action such as adding images to the site,
> changing them, etc., though that doesn't buy a whole lot unless you
> can get the word out to your customers.
>
> byte_jump
>
> On 27 Apr 2005 04:42:14 -0000, thomas adams <tgadamsbellsouth.net> wrote:
> > In-Reply-To: <1312.128.173.146.141.1114545545.sporkwebmail.lovebug.org>
> >
> > I have actually worked with another guy in coding a small app that will
> > watch the referrer logs. If the referrer is not in a list of 'known
> > referrers' an email will be sent to the admin. This actually helps in
> > spotting phishing sites fairly early, because we can see the site being
> > made. Doesn't catch them all, but you can bet if they use this method we will
> > see them.
> > Changing the images could get to be a massive headache.
> > I think the referrer method is much easier than what you are suggesting.
> >
> > Thomas Adams, CISSP
> >
> > >As we have all noticed, there has been an increase in the number of phishing/scam
> > >attempts via e-mail that appear to be legitimate. Most of
> > >these e-mails look identical to e-mails that would be sent by the
> > >e-commerce or banking institute. They also frequently link to
> > >fraudulent/hacked webservers that also appear very similar to the website
> > >they are masquerading as.
> > >
> > >What I noticed quite some time ago is that most of these websites
> > >and e-mails do not host their own images. From what I have seen, more
> > >often than not, these e-mails and websites link directly to images hosted
> > >by the legitimate website. For example, I just received an eBay scam
> > >asking me to sign up to be a PowerSeller. The PowerSeller artwork, logos,
> > >and other images are all linked directly from eBay. So this makes me
> > >realize that there are a few things some of these targeted
> > >websites/businesses can do to detect these scam sites much quicker. I
> > >have made this suggestion to a few banking institutions in the past, and I
> > >have no idea if anyone has actually decided to implement my ideas or not
> > >-- but they seem pretty feasible.
> > >
> > >Since they are linking to the images hosted on the site they are cloning
> > >-- the banking/e-commerce website could just rename their images on
> > >their own webpage every so often (and update their webpages accordingly).
> > >However, at the same time they should keep copies of the images with their
> > >old names. Now they can check their logs to see what webpage(s) are
> > >accessing these old image names. Chances are they will link directly back
> > >to the hacked website purporting to be their page. This would allow for
> > >quicker detection of these phishing and scam websites, providing a slight
> > >leg up for sites trying to fight this.
> > >
> > >Just an idea -- let me know if anyone has any comments.
> > >
> > >Steven
> > >stevenlovebug.org
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------
> >
> >
>
>
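
The two ideas in this thread (alerting on referrers that are not in a 'known referrers' list, and keeping old image names online to see who still requests them) can be combined in one log scan. The following is an added example, not code from any poster; the hostnames, image paths, log format and sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed values, not from the thread: own hostnames and image paths.
KNOWN_REFERRER_HOSTS = {"www.bank.example", "bank.example"}
RETIRED_IMAGES = {"/img/logo_v1.gif"}   # old names kept online as tripwires
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

# Apache/NCSA "combined" access log line (assumed log format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def referrer_host(referer):
    """Lowercased host of a Referer value, or None if absent or unparsable."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def scan(lines):
    """Return one finding per image request pulled in by an unknown page."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["path"]).path
        host = referrer_host(m["referer"])
        if not path.lower().endswith(IMAGE_EXT) or host in KNOWN_REFERRER_HOSTS:
            continue
        retired = path in RETIRED_IMAGES
        if not retired and host is None:  # no Referer on a current image: noise
            continue
        reason = "retired-image" if retired else "unknown-referrer"
        findings.append({"reason": reason, "path": path, "time": m["ts"],
                         "referrer": m["referer"], "client": m["ip"]})
    return findings

# Constructed sample log lines (documentation address ranges, made-up hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2005:18:01:02 -0500] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://www.bank.example/login" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Apr/2005:18:03:41 -0500] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://203.0.113.50/~user/signin.html" "Mozilla/4.0"',
    '198.51.100.8 - - [26/Apr/2005:18:04:10 -0500] "GET /img/logo_v1.gif HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [26/Apr/2005:18:05:00 -0500] "GET /img/banner.png HTTP/1.1" 200 9100 "-" "Mozilla/4.0"',
]
for finding in scan(SAMPLE_LOG):
    print(finding)
```

A retired image is reported even without a Referer, since mail clients rendering a stale copy of the artwork usually send none; as the thread notes, a kit that hosts its own images is not seen by this check at all.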
