Re: Discovering and Stopping Phishing/Scam Attacks

To: "steven@xxxxxxxxxxx" <steven@xxxxxxxxxxx>
Subject: Re: Discovering and Stopping Phishing/Scam Attacks
From: byte_jump <bytejump@xxxxxxxxx>
Date: Tue, 26 Apr 2005 21:36:48 +0000
Cc: incidents@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WJUSWSjCzZW1psIS8cC7vyFKsZxafFbMGJoUoylzo+s5y0K634UzcgnsB5cW4R3BvXb9biUpXYeEbjp2UaRrIa7WxLcl/IANQnMa4v2GHvy/tlmRDKdhvx5AoyPVfGl+TquZStQFqdmyFM8W6k8USeNqXvact4kHpdlYOZ8Eqhk=
In-reply-to: <1312.128.173.146.141.1114545545.spork@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1312.128.173.146.141.1114545545.spork@xxxxxxxxxxxxxxxxxxx>
Reply-to: byte_jump <bytejump@xxxxxxxxx>

I know of some financial institutions that have done this (for I
helped implement it) and it works quite well. They have proactively
shut down phishing sites while they were still in "test mode".

byte_jump

On 4/26/05, steven@xxxxxxxxxxx <steven@xxxxxxxxxxx> wrote:
> As we have all noticed, there has increase in the number of phishing/scam
> attempts via e-mail that appear to be legitimate.  Most of
> these e-mails look identical to e-mails that would be sent by the
> e-commerce or banking institute.  They also frequently link to
> fraudulent/hacked webservers that also appear very similar to the website
> they are masquerading as.
> 
> I noticed quite some time ago is that most of these websites
> and e-mails do not host their own images.  From what I have seen, more
> often than not, these e-mails and websites link directly to images hosted
> by the legitimate website.  For example, I just received an eBay scam
> asking me to signup to be a PowerSeller.  The PowerSeller artwork, logos,
> and other images are all linked directly from eBay.  So this makes me
> realize that there are a few things some of these targeted
> websites/businesses can do to detect these scam sites much quicker.  I
> have made this suggestion to a few banking institutions in the past, and I
> have no idea if anyone has actually decided to implement my ideas or not
> -- but they seem pretty feasible.
> 
> Since they are linking to the images hosted on the site they are cloning
> -- the banking/e-commerce website could just rename their images on
> their own webpage every so often (and update their webpages accordingly).
> However, at the same time they should keep copies of the images with their
> old names.  Now they can check their logs to see what webpage(s) are
> accessing these old image names.  Chances are they will link directly back
> to the hacked website purporting to be their page.  This would allow for
> quicker detection of this phishing and scam websites, providing a slight
> leg up for sites trying to fight this.
> 
> Just an idea -- let me know if anyone has any comments.
> 
> Steven
> steven@xxxxxxxxxxx
> 
> --------------------------------------------------------------------------
> Test Your IDS
> 
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
> 
>

References:
- Discovering and Stopping Phishing/Scam Attacks
  - From: steven

Prev by Date: RE: IE - cross site click detection?
Next by Date: Re: Discovering and Stopping Phishing/Scam Attacks
Previous by thread: Discovering and Stopping Phishing/Scam Attacks
Next by thread: Re: Discovering and Stopping Phishing/Scam Attacks
Index(es):
- Date
- Thread