Educause Security Discussion mailing list archives

Re: phishing link using Google...


From: Michael Hornung <hornung () CAC WASHINGTON EDU>
Date: Wed, 30 Nov 2005 08:44:53 -0800

Hi Gary.  One benefit of redirecting phishing targets through Google is so
enterprises can't block the phishing site for their constituency using
perhaps more traditional means - via DNS or advertising bogus routes for
the destination web server's IP address.  Since the destination is Google,
and most places aren't going to block all HTTP traffic to Google to block
a given phishing scam, it's harder to block users from getting to the
site.

In this instance one would have to do more - maybe work with Google to
break the redirection on their end, or use an IDS or IPS to block the
traffic based purely on the URI inside the TCP connections to Google.

____________________________________________________
 Michael Hornung          Computing & Communications
 hornung () washington edu   University of Washington

On Wed, 30 Nov 2005 at 10:04, Gary Flynn wrote:

|Out of curiosity, why would someone use Google as the
|start point of a phishing link? Is it just so something
|familiar is near the front for anyone looking at it?
|
|<a
|href="http://www.google.pt/url?sa=U&start=4&q=http://203.52.104.73/images/.../.pcb.peoples.com/">www.peoples.com</a>
|
|It works if the initial URL is www.google.com too.
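
The URI-based blocking mentioned in the reply above, sketched as an added example (not part of the original messages): a filter that pulls the destination out of a Google /url request and checks its host against a local blocklist. The domain list, the blocklist, the three verdict names and the sample log URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch: which domains count as the redirector, and
# that the destination travels in the "q" parameter of the /url path.
REDIRECTOR_DOMAINS = ("google.com", "google.pt")
BLOCKED_HOSTS = {"203.52.104.73"}  # destination host from the reported link


def redirect_target(url):
    """Return the destination embedded in a Google /url request, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in REDIRECTOR_DOMAINS):
        return None
    if parts.path != "/url":
        return None
    values = parse_qs(parts.query).get("q")  # parse_qs also percent-decodes
    return values[0] if values else None


def verdict(url, blocked_hosts=BLOCKED_HOSTS):
    """Classify one requested URL as 'block', 'review' or 'allow'."""
    target = redirect_target(url)
    if target is None:
        return "allow"
    if "://" not in target:
        target = "//" + target  # scheme-less destination: still parse the host
    dest = (urlsplit(target).hostname or "").lower()
    if dest in blocked_hosts:
        return "block"
    try:
        ipaddress.ip_address(dest)
    except ValueError:
        return "allow"
    return "review"  # redirect to a bare IP address that is not yet listed


# Constructed proxy-log URLs; the first is the link quoted in the thread.
SAMPLE = [
    "http://www.google.pt/url?sa=U&start=4&q=http://203.52.104.73/images/.../.pcb.peoples.com/",
    "http://www.google.com/url?q=http%3A%2F%2F203.52.104.73%2Fimages%2F",
    "http://www.google.com/url?q=http://192.0.2.10/login",
    "http://www.google.com/search?q=http://203.52.104.73/",
    "http://www.google.com/url?q=http://www.example.edu/",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(verdict(u), u)
```

Matching on the decoded destination host rather than on the raw request string keeps the rule working when the same target is percent-encoded or sent through a different Google country domain.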
