PaulDotCom mailing list archives

Re: How to detect phishing and spoofed websites


From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 13 Dec 2012 10:30:09 -0600

Brian Erdelyi <brian_erdelyi () yahoo com> writes:
Good morning everyone,

I'd like to create a guide and checklist for detecting phishing attacks.  I want to focus on server side.  What can a 
website admin do to detect phishing attacks and spoofed websites?  What can a web app developer do to make it easier 
to detect phishing attacks and spoofed websites?

It depends on what exactly you're looking to achieve.  

If you're looking for "is my company's brand and/or site being
leveraged in a phishing attack?"  then developing some sort of
monitoring for http log entries that are status 200 for image files,
but lack any referrer information might be one way to look at trends.
That would get a lot of current phishes where they're leveraging
branding and logos from the actual live site.   I'm not sure this is
so much the domain of a web developer as a security architect charged
with monitoring and intrusion detection, though.  I can't think of
much a web dev would do in this domain. 

To complement the above, doing something on the email server side
where mail to illegitimate addresses gets quietly accepted and logged
safely somewhere might be another data source to mine.  A sudden flood
of out of office notifications going to some invalid address at your
company is also a strong indicator that your brand has been hijacked
in a phishing ruse.  The cost/benefit of this analysis though is
something to consider.  Accepting mail for all possible email
addresses can be a very expensive disk/bandwidth/mail processing
proposition.   


If you're defending your company's users against an inbound flurry of
phishing emails, obviously a strong anti-spam/anti-phish email gateway
is the best first line of defense.  Some vendors are really pretty bad
at anti-phish, but decent at anti-spam.  Some are less effective at
anti-spam, but seem to do well against phishing emails.  The next line
of defense (and probably even more important) is a web proxy aka
secure web gateway that includes a content categorization feed that's
actively managed by the vendor, coupled with a policy blocking
malicious sites as well as phishing sites.  Bluecoat, Websense,
McAfee, Barracuda all have such goodies.   To complement on-premises
web proxy solutions, there are cloud solutions to protect your mobile
workers.  


Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
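The first suggestion in the reply above, watching the web server log for status-200 image requests that carry no referrer, as a worked example. This is an added illustration, not code from the original post or from the list; it assumes the Apache/nginx "combined" log format and uses a handful of constructed log lines as input. It also goes one step beyond the post by bucketing image hits whose referrer is a host outside your own domains, since a cloned login page hosted elsewhere that hot-links your logo shows up in exactly that way.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumption; adjust for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Extensions treated as brand assets (logos, headers, favicons).
IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".svg", ".ico")

# Constructed sample log: one legitimate hit, two no-referrer hits from one
# client, one hit referred by a look-alike host, one non-image hit, one 304.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2012:10:01:02 -0600] "GET /img/logo.png HTTP/1.1" 200 5123 "https://www.example.com/login" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2012:10:01:05 -0600] "GET /img/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2012:10:01:06 -0600] "GET /img/header.gif HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Dec/2012:10:02:10 -0600] "GET /img/logo.png HTTP/1.1" 200 5123 "http://example-com-secure-login.invalid/verify.php" "Mozilla/5.0"
192.0.2.9 - - [13/Dec/2012:10:02:11 -0600] "GET /login HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2012:10:02:12 -0600] "GET /img/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_brand_asset(path):
    """True if the request path (query string stripped) looks like an image."""
    return path.split("?", 1)[0].lower().endswith(IMAGE_EXT)


def referer_host(referer):
    """Lower-cased referrer hostname, or '' when the referrer is absent/unparseable."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def classify(entry, own_hosts):
    """Return 'no_referer', 'foreign_referer', or None for a parsed entry.

    Only successful (200) image fetches are considered, as in the post;
    own_hosts is a set of lower-cased hostnames you legitimately serve from.
    """
    if entry["status"] != 200 or not is_brand_asset(entry["path"]):
        return None
    host = referer_host(entry["referer"])
    if not host:
        return "no_referer"
    if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
        return None
    return "foreign_referer"


def scan(lines, own_hosts):
    """Aggregate suspicious image hits: by client IP (no referrer) and by referring host."""
    own = {h.lower() for h in own_hosts}
    report = {"no_referer": Counter(), "foreign_referer": Counter()}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry, own)
        if kind == "no_referer":
            report[kind][entry["ip"]] += 1
        elif kind == "foreign_referer":
            report[kind][referer_host(entry["referer"])] += 1
    return report


if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines(), ["www.example.com", "example.com"])
    print("image hits with no referrer, per client IP:")
    for ip, n in result["no_referer"].most_common():
        print(f"  {ip:16} {n}")
    print("image hits referred from hosts outside our domains:")
    for host, n in result["foreign_referer"].most_common():
        print(f"  {host:40} {n}")
```

Treat the no-referrer bucket as a trend to baseline rather than an alert on its own: direct visits, bookmarked pages, strict Referrer-Policy settings and some privacy tools all produce empty referrers, so a single hit means little, while a burst of logo fetches from one IP or an unfamiliar referring host is the pattern worth chasing. The foreign-referrer bucket is the stronger signal, and the referring host it surfaces is usually the phishing page itself, which is what you need for a takedown request.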

