PaulDotCom mailing list archives
Re: How to detect phishing and spoofed websites
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 13 Dec 2012 10:30:09 -0600
Brian Erdelyi <brian_erdelyi () yahoo com> writes:
> Good morning everyone, I'd like to create a guide and checklist for detecting phishing attacks. I want to focus on server side. What can a website admin do to detect phishing attacks and spoofed websites? What can a web app developer do to make it easier to detect phishing attacks and spoofed websites?
It depends on what exactly you're looking to achieve. If you're looking for "is my company's brand and/or site being leveraged in a phishing attack?" then developing some sort of monitoring for http log entries that are status 200 for image files, but lack any referrer information, might be one way to look at trends. That would get a lot of current phishes where they're leveraging branding and logos from the actual live site. I'm not sure this is so much the domain of a web developer as a security architect charged with monitoring and intrusion detection, though. I can't think of much a web dev would do in this domain.

To complement the above, doing something on the email server side where mail to illegitimate addresses gets quietly accepted and logged safely somewhere might be another data source to mine. A sudden flood of out-of-office notifications going to some invalid address at your company is also a strong indicator that your brand has been hijacked in a phishing ruse. The cost/benefit of this analysis, though, is something to consider. Accepting mail for all possible email addresses can be a very expensive disk/bandwidth/mail processing proposition.

If you're defending your company's users against an inbound flurry of phishing emails, obviously a strong anti-spam/anti-phish email gateway is the best first line of defense. Some vendors are really pretty bad at anti-phish, but decent at anti-spam. Some are less effective at anti-spam, but seem to do well against phishing emails. The next line of defense (and probably even more important) is a web proxy, aka secure web gateway, that includes a content categorization feed that's actively managed by the vendor, coupled with a policy blocking malicious sites as well as phishing sites. Bluecoat, Websense, McAfee, Barracuda all have such goodies. To complement on-premises web proxy solutions, there are cloud solutions to protect your mobile workers.
Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
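The first detection idea in Todd's reply (successful image fetches that carry no Referer header, counted per client so a sudden rise stands out) as an added worked example; this is not code from the original post or from any product named in it. The log lines are constructed samples in Apache/NGINX combined format, the hosts and paths are made up, and the per-client threshold is an assumed tuning knob rather than anything the message specifies.

```python
"""Added example: flag image requests that returned 200 but carried no
Referer, then summarise them per client. Not from the original post."""
import re
from collections import Counter

# Constructed sample lines in combined log format (hosts/paths are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2012:09:01:10 -0600] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2012:09:01:11 -0600] "GET /img/header.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2012:09:02:00 -0600] "GET /img/logo.png HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2012:09:02:01 -0600] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Dec/2012:09:03:30 -0600] "GET /img/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Dec/2012:09:04:00 -0600] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_referrerless_image_hit(rec):
    """True for a successful image fetch that names no referring page.
    Direct loads and privacy settings produce some of these too, so the
    signal is the per-client trend, not any single line."""
    path = rec["path"].lower().split("?", 1)[0]
    return (rec["status"] == "200"
            and path.endswith(IMAGE_EXT)
            and rec["referer"] in ("", "-"))


def hits_by_client(log_text):
    """Count referrer-less image hits per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_referrerless_image_hit(rec):
            counts[rec["ip"]] += 1
    return counts


def suspicious_clients(log_text, threshold=3):
    """Clients at or above the (assumed) threshold, sorted for stable output."""
    return sorted(ip for ip, n in hits_by_client(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in hits_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} referrer-less image hits")
    print("review:", suspicious_clients(SAMPLE_LOG))
```

Run against a real access log the same parser works unchanged; the useful view in practice is the count bucketed per hour or day, since a single hotlinked logo proves nothing and a new daily baseline of such hits from many clients is what indicates the site's branding is being pulled into pages hosted elsewhere.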