WebApp Sec mailing list archives
Warning about accessing / attacking phishing and spoofing sites
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Sun, 19 Dec 2004 09:59:16 +0200
"Ian" <webappsec2 () fishnet co uk> wrote on Thu, 16 Dec 2004 10:42:23:

<snip>

>> Personally, I like stringing them on and giving them false information and
>> wasting their time. It's fun, I recommend all of you try it : )

> You may have stumbled across a solution here ;)

You both probably meant this as a joke, but just for safety, let me warn anybody against doing this, or entering phishing sites `just for fun`. Since we're doing research on secure user-interface extensions to browsers to prevent web spoofing and phishing, I've been looking at many phishing and spoofing web sites (see article at http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm or extension for Mozilla/FireFox at http://trustbar.mozdev.org). However, this should be done very carefully (read: from a specially protected, not sensitive machine), since many of these sites try (also) to use different browser vulnerabilities to break into machines. While I am sure you are all trying to maintain your browsers and OS updated and configured securely, there is always the risk of some exploit you were not aware of. So, I suggest you don't visit these pages `just for fun`.
> Why not code an automated system that fills
> in their bogus log in screens with false
> information?

I'm not sure if you were serious but if you were... this idea isn't. Too many sites being attacked, this system would take substantial effort to build; and it could be abused to launch DoS attacks on web sites, by making people running this program (`to punish phishers`) attack honest sites (or would you be able to really identify the honest sites? how?)
Best,
Amir Herzberg
Associate professor, computer science dept.
Bar Ilan University
http://AmirHerzberg.com