WebApp Sec mailing list archives
Re: Phishing
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 13 May 2004 08:42:42 +0200
The other thing about using short URLs is that the path should preferably be short (and simple - i.e. no punctuation) as well, reducing the total amount of information that the user has to process. If you are directing users to a user-specific message, I guess that might complicate things (https://secure.bank.com/message?myhashedreference or https://secure.bank.com/message?email=discard () dawes za net) for example start to look quite messy again :-(
It might also be a thought to get useragents (MUA or browsers) to prompt when following links that have "passwords" in them:
"You have clicked a link to 'nefarious.fraud.net', with username 'secure.bank.com' and password '********'. Do you want to continue? Ask me next time (x)"
I guess this could be a password dialogue, with the username and password filled in, similar to the current basic auth password dialogs.
Just a thought, and one that would take a long time to take effect, if ever.
Rogan

Griffiths, Ian wrote:
Some good ideas there Rogan. I too feel educating users is a large part of this but how far can you go? Consider this (fictitious) URL: https://secure.bank.com:/logon/12345 () nefarious fraud net/ Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works; spotting this takes more than a passing exposure to knowledge of URL composition.
Ian

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Wed 12/05/2004 13:59
To: Griffiths, Ian
Cc: Amit Sharma; webappsec () securityfocus com
Subject: Phishing

Make the site name as short as possible, and as obvious as possible, to reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", try to use something short and simple like "secure.bank.com", and use it consistently for all servers supporting a particular application. That way there is less confusion for users, and less likelihood that a scammer will get away with using a slightly different domain name.
-- Rogan Dawes *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
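The user-agent prompt Rogan sketches, written out as an added example that is not code from this thread. It relies on the WHATWG URL parser that browsers and Node.js expose as the global `URL`; the "username shaped like a hostname" check is a heuristic of this example, not something the thread proposes. The test also records how such a parser reads Ian's URL as written above: the authority ends at the first `/`, so the `@` lands in the path and the host is `secure.bank.com`.

```javascript
// Added example, not code from the thread. Sketches the user-agent prompt
// proposed above, using the WHATWG URL parser that browsers and Node.js
// expose as the global `URL`. Credential values are never echoed in full.

// Decode percent-escapes for display, tolerating malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Heuristic (an assumption of this example): a username that is shaped like a
// hostname is the tell in the lookalike links discussed in the thread.
const HOST_SHAPED = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function describeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  const username = safeDecode(url.username);
  const hasPassword = url.password !== '';
  const hasUserinfo = username !== '' || hasPassword;
  const verdict = {
    ok: true,
    host: url.hostname,           // where the request would actually go
    username,
    hasPassword,
    usernameLooksLikeHost: HOST_SHAPED.test(username),
    needsPrompt: hasUserinfo,
    prompt: null,
  };
  if (hasUserinfo) {
    // Same wording as the proposed dialog; the password is always masked.
    const masked = hasPassword ? '*'.repeat(8) : '';
    verdict.prompt =
      `You have clicked a link to '${url.hostname}', with username ` +
      `'${username}' and password '${masked}'. Do you want to continue?`;
  }
  return verdict;
}
```

A mail client or browser would show `verdict.prompt` only when `needsPrompt` is true, and could raise the warning level when `usernameLooksLikeHost` is also set.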