Re: Discovering and Stopping Phishing/Scam Attacks

[Lode Vermeiren <lode () linu cx>]

On Tue, 26 Apr 2005 steven () lovebug org wrote:
> > As we have all noticed, there has increase in the number of phishing/scam
> > attempts via e-mail that appear to be legitimate.  Most of

> > and e-mails do not host their own images.  From what I have seen, more
> > often than not, these e-mails and websites link directly to images hosted
> > by the legitimate website.

> > Since they are linking to the images hosted on the site they are cloning
> > -- the banking/e-commerce website could just rename their images on
> > their own webpage every so often (and update their webpages accordingly).

Op di, 26-04-2005 te 13:13 -0700, schreef Randy:
> Seems like a maintenance nightmare waiting to happen.
>
> ~randy

Renaming the files would indeed be a maintenance nightmare, but I don't
see a reason why the webserver hosting the image can't do a referrer
check, and only serve the real images if they are being loaded from the
real domain. In all other cases they could return a "THIS IS A FAKE
PAGE" image, or perhaps even some shock site[1]

Lode

[1] please don't follow any of the links on
http://en.wikipedia.org/wiki/Shock_site
You have been warned.


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------