WebApp Sec mailing list archives

RE: Phishing


From: Sarah Elan <selan () testsys com>
Date: Wed, 12 May 2004 11:12:23 -0400

One hole I've seen on many large, respected sites is pages that accept any
URL as input and will automatically redirect to that URL without (appearing
to) perform any validation that the requested URL is one which they want to
redirect to. 

For example, http://www.trustme.com/url?q=http://www.phishme.com. 
Url?q=http://www.phishme.com can be obfuscated with the usual techniques and
the user thinks he is going to trustme.com, when in fact trustme.com has
blindly redirected him to phishme.com. 

Redirect pages should always validate against a list of known good urls. 

-----Original Message-----
From: Jordan Dimov [mailto:jdimov () nsegcorp com] 
Sent: Wednesday, May 12, 2004 10:51 AM
To: webappsec () securityfocus com
Subject: Re: Phishing


These are good starting points, Rogan.  I'd love to see further discussion
on this topic.  

Make the site name as short as possible, and as obvious as possible, to
reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", 
try to use something short and simple like "secure.bank.com", and use it 
consistently for all servers supporting a particular application. That 
way there is less confusion for users, and less likelihood that a 
scammer will get away with using a slightly different domain name.


This doesn't really protect against typographical domain name scams (e.g.
paypai.com vs. paypal.com)

Additionally, there are several known security vulnerabilities in MSIE and
other browsers that make it much easier for attackers to hide the true
identity of their fake site and mislead the user.  

  -- Jordan 

Association for Information Security (www.iseca.org)
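Sarah's rule, a redirect endpoint that only follows targets on a known-good list, written out as an added example (not code from either poster or the list). The blind `?q=` handler she describes sits beside a checked version; the host names and the allowlist are assumed placeholders, and the extra rejections (scheme-relative targets, userinfo, backslashes) cover lookalike forms of the same trick that the allowlist alone would miss.

```python
from urllib.parse import urlsplit

# Constructed allowlist; trustme.com is the thread's placeholder site name.
ALLOWED_HOSTS = {"www.trustme.com", "trustme.com"}
FALLBACK = "https://www.trustme.com/"


def naive_redirect_target(q: str) -> str:
    """The pattern described in the thread: whatever ?q= holds is followed."""
    return q


def safe_redirect_target(q: str) -> str:
    """Return q only if it stays on an allowed host, else a safe landing page.

    Some browsers treat backslashes as slashes, so they are normalised before
    parsing. Userinfo and explicit ports are refused outright, which shuts
    down 'http://www.trustme.com@www.phishme.com/' style lookalikes.
    """
    candidate = q.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        username, port = parts.username, parts.port
    except ValueError:
        return FALLBACK
    if parts.scheme == "" and parts.netloc == "":
        # A site-relative path ("/account") stays on this site; anything else
        # without a scheme is ambiguous, so send it to the landing page.
        return candidate if candidate.startswith("/") else FALLBACK
    # A scheme-relative "//www.phishme.com" parses with an empty scheme but a
    # non-empty netloc, so it is caught here rather than above.
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    if username is not None or port is not None:
        return FALLBACK
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    return candidate
```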

