Security Incidents mailing list archives
Re: Discovering and Stopping Phishing/Scam Attacks
From: byte_jump <bytejump () gmail com>
Date: Tue, 26 Apr 2005 22:39:57 -0600
Oh, I'm not advocating adjusting images. To me it seems like a headache - not to mention, how do you inform people of the changes? I agree that tracking referrers is a great idea. Aside from that, there's not much one can do from a prevention standpoint. byte_jump On 4/26/05, Thomas Adams <tgadams () bellsouth net> wrote:
The problem comes in making changes to production servers during production. Most people don't want to take the chance of doing that. Not too mention high targeted companies receive hundreds of attacks a day. There is your headache waiting to happen. Just go with what is already set up. Referrer logs are easy to turn on(may be default on most webservers now). Very easy to watch them and you are definitely in a proactive stance by doing so. The phishers change just as fast as you can change your server. For instance, we just setup a new layout for our webserver. A few hours later, we noticed new updated phishing kits to reflect our changes. Thomas Adams, CISSP -----Original Message----- From: byte_jump [mailto:bytejump () gmail com] Sent: Tuesday, April 26, 2005 6:56 PM To: thomas adams Cc: incidents () securityfocus com Subject: Re: Discovering and Stopping Phishing/Scam Attacks It's really not that bad to change images or refer to a different image, or even add an image. If you are tracking referrers to special files such as images (there are others too, depending on your site) the fraudster will have to host the images himself in order to avoide being detected. Once he does that, he gives the legitimate site the ability to take proactive action such as adding images to the site, changing them, etc., though that doesn't buy a whole lot unless you can get the word out to your customers. byte_jump On 27 Apr 2005 04:42:14 -0000, thomas adams <tgadams () bellsouth net> wrote:In-Reply-To: <1312.128.173.146.141.1114545545.spork () webmail lovebug org> I have actually worked with another guy in coding a small app that willwatch the referrer logs. If the referrer is not in a list of 'known referrers' an email will be sent to the admin. This actually helps in spotting phishing sites fairly early, because we can see the site being made. Doesnt catch them all, but you can bet if they use this method we will see them.Changing the images could get to be a massive headache. I think the referrer method is much easier than what you are suggesting. Thomas Adams, CISSPAs we have all noticed, there has increase in the number of phishing/scam attempts via e-mail that appear to be legitimate. Most of these e-mails look identical to e-mails that would be sent by the e-commerce or banking institute. They also frequently link to fraudulent/hacked webservers that also appear very similar to the website they are masquerading as. I noticed quite some time ago is that most of these websites and e-mails do not host their own images. From what I have seen, more often than not, these e-mails and websites link directly to images hosted by the legitimate website. For example, I just received an eBay scam asking me to signup to be a PowerSeller. The PowerSeller artwork, logos, and other images are all linked directly from eBay. So this makes me realize that there are a few things some of these targeted websites/businesses can do to detect these scam sites much quicker. I have made this suggestion to a few banking institutions in the past, andIhave no idea if anyone has actually decided to implement my ideas or not -- but they seem pretty feasible. Since they are linking to the images hosted on the site they are cloning -- the banking/e-commerce website could just rename their images on their own webpage every so often (and update their webpages accordingly). However, at the same time they should keep copies of the images withtheirold names. Now they can check their logs to see what webpage(s) are accessing these old image names. Chances are they will link directlybackto the hacked website purporting to be their page. This would allow for quicker detection of this phishing and scam websites, providing a slight leg up for sites trying to fight this. Just an idea -- let me know if anyone has any comments. Steven steven () lovebug org-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Discovering and Stopping Phishing/Scam Attacks, (continued)
- Re: Discovering and Stopping Phishing/Scam Attacks Lode Vermeiren (Apr 26)
- RE: Discovering and Stopping Phishing/Scam Attacks matt.neeley (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Lode Vermeiren (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Michael J. Pomraning (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks Crispin Cowan (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks thomas adams (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Alex (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Thomas Adams (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Scovetta, Michael V (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Marco A. Zamora Cunningham (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Krul Thomas (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Calder, James (EXP) (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Randy (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Nuno Costa (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Dave Greer (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Rainer Duffner (Apr 28)
- Message not available
- Administrivia: RE: Discovering and Stopping Phishing/Scam Attacks Daniel Hanson (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)