Bugtraq mailing list archives
Re: Discovering and Stopping Phishing/Scam Attacks
From: Crispin Cowan <crispin () immunix com>
Date: Tue, 26 Apr 2005 15:59:30 -0700
I think that this will just force the phishers to host their own images. As such, this approach is not very interesting unless there actually is a problem for the phishers in hosting their own images. The phishers could even host their own images on virtual domains that are typo-alike to the legitimate domain name.
For me personally, I would not notice the difference, as I already have my mail client configured to not load referenced images, because spammers already use hits on their hosted images as web bugs to detect working e-mails, and that just brings more spam down on your head. If you are loading images referenced in e-mails, you probably want to figure out how to turn that off.
Crispin steven () lovebug org wrote:
As we have all noticed, there has increase in the number of phishing/scam attempts via e-mail that appear to be legitimate. Most of these e-mails look identical to e-mails that would be sent by the e-commerce or banking institute. They also frequently link to fraudulent/hacked webservers that also appear very similar to the website they are masquerading as. I noticed quite some time ago is that most of these websites and e-mails do not host their own images. From what I have seen, more often than not, these e-mails and websites link directly to images hosted by the legitimate website. For example, I just received an eBay scam asking me to signup to be a PowerSeller. The PowerSeller artwork, logos, and other images are all linked directly from eBay. So this makes me realize that there are a few things some of these targeted websites/businesses can do to detect these scam sites much quicker. I have made this suggestion to a few banking institutions in the past, and I have no idea if anyone has actually decided to implement my ideas or not -- but they seem pretty feasible. Since they are linking to the images hosted on the site they are cloning -- the banking/e-commerce website could just rename their images ontheir own webpage every so often (and update their webpages accordingly). However, at the same time they should keep copies of the images with theirold names. Now they can check their logs to see what webpage(s) are accessing these old image names. Chances are they will link directly back to the hacked website purporting to be their page. This would allow for quicker detection of this phishing and scam websites, providing a slight leg up for sites trying to fight this. Just an idea -- let me know if anyone has any comments. Steven steven () lovebug org
-- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Current thread:
- Discovering and Stopping Phishing/Scam Attacks steven (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks Crispin Cowan (Apr 27)