Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Discovering and Stopping Phishing/Scam Attacks

From: Krul Thomas <Thomas.Krul () psepc-sppcc gc ca>
Date: Wed, 27 Apr 2005 10:30:59 -0400
I received a phishing scam email for RBC Bank literally moments ago. The Web
site is based in the Czech Republic with very little in the way to disguise
the address of the site. (At last check, the site was still up at:
http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html)

Odd, either there are some newbie phishers out there, or they are starting
to realise that no matter how much they disguise their sites someone will be
having them shut down soon enough so catching the uninformed in the few
moments they have is paramount. Will we be seeing an increase in the
diversity of referring addresses in a flooding attempt to catch the last
remaining moms and pops who don't know better versus well-crafted addresses
that don't arouse suspicions?

-----Original Message-----
From: Alex [mailto:incidents () alex gotdns org] 
Sent: Tuesday, April 26, 2005 7:51 PM
To: incidents () securityfocus com
Subject: Re: Discovering and Stopping Phishing/Scam Attacks


I agree that checking by referer addresses is a powerful way to detect
phishing sites, but such logs can easily be adverted?

Doesn't some anti-popup software remove referer fields?

Simple use of javascript can allow a page to fetch anything without showing
up in referer logs.

While we are on the subject, has anyone come across commercial and/or
government websites being (illegally?) mirrored?

For example, I recently came a website located on a (Asian?) hosting
provider where the content of the website was EXACTLY that of a well-known
US govt website.  (It appeared that they ran the equivalent of a recursive
"wget" on the real site and hosted the files).  It appeared to be several
layers deep.

Why would anyone want to do that?

-Alex


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: