WebApp Sec mailing list archives
RE: Phishing
From: "Griffiths, Ian" <Ian.Griffiths () liv-coll ac uk>
Date: Wed, 12 May 2004 17:26:20 +0100
Some good ideas there Rogan. I too feel educating users is a large part of this, but how far can you go? Consider this (fictitious) URL:

https://secure.bank.com:/logon/12345 () nefarious fraud net/

Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works; spotting this takes more than a passing exposure to knowledge of URL composition.

Ian

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Wed 12/05/2004 13:59
To: Griffiths, Ian
Cc: Amit Sharma; webappsec () securityfocus com
Subject: Phishing

Make the site name as short as possible, and as obvious as possible, to reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", try to use something short and simple like "secure.bank.com", and use it consistently for all servers supporting a particular application. That way there is less confusion for users, and less likelihood that a scammer will get away with using a slightly different domain name.
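Rather than rely on a user eyeballing the address, a defender (a mail gateway, a link checker, a training tool) can parse the URL and report the host a client will actually connect to. The following is an added example written for this archive page, not code from Ian's or Rogan's messages; the sample URLs are constructed, with the "@" spelled out where the archive renders it as " () ", and the hostnames are hypothetical. It applies the RFC 3986 rule that the authority (user:password@host:port) ends at the first "/", "?" or "#", so it reports where the "@" actually lands and flags any URL carrying userinfo, especially userinfo that contains a dot and therefore reads like a hostname, which is the decoy the thread describes.

```python
"""Report the effective host of a URL and flag userinfo-based decoys.

Added, constructed example for the webappsec thread on phishing URLs.
Hostnames below are hypothetical.
"""
from urllib.parse import urlsplit

# Constructed sample URLs: one plain login URL, Ian's form with the "@"
# after the first "/", and two variants where the "@" sits inside the
# authority so the browser really connects to the trailing host.
SAMPLES = [
    "https://secure.bank.com/logon/12345",
    "https://secure.bank.com:/logon/12345@nefarious.fraud.net/",
    "https://secure.bank.com:logon12345@nefarious.fraud.net/",
    "https://secure.bank.com@nefarious.fraud.net/",
]


def analyze_url(url: str) -> dict:
    """Return where a URL really points and whether its userinfo looks
    like a decoy hostname.

    urlsplit follows RFC 3986: the authority ends at the first '/', '?'
    or '#', and the host is the text after the *last* '@' in the
    authority.  An '@' that appears only in the path is ordinary path
    text, but it is still worth flagging because it invites exactly the
    misreading the thread is about.
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    return {
        "url": url,
        "effective_host": parts.hostname or "",
        "userinfo": userinfo,
        "at_in_path": "@" in parts.path,
        # Userinfo containing a dot reads like a domain name to a person
        # glancing at the start of the address bar.
        "decoy_host_in_userinfo": "." in userinfo,
        "suspicious": bool(userinfo) or "@" in parts.path,
    }


def report(urls) -> list:
    """Analyse each URL and return the list of result dicts."""
    return [analyze_url(u) for u in urls]


if __name__ == "__main__":
    for r in report(SAMPLES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} host={r['effective_host']:22} "
              f"userinfo={r['userinfo']!r} {r['url']}")
```

The first sample reports `secure.bank.com` with nothing flagged. Ian's form keeps `secure.bank.com` as the host under RFC parsing because its "@" is already in the path, and is flagged only for that "@". The two variants with the "@" inside the authority report `nefarious.fraud.net` as the effective host with `secure.bank.com` left behind in the userinfo, which is the case a link checker should refuse or rewrite.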
Current thread:
- RE: Phishing Sarah Elan (May 12)
- RE: Phishing Shivangi Nadkarni (May 12)
- RE: Phishing Zoso (May 13)
- <Possible follow-ups>
- RE: Phishing Rohrer, Mark E (May 12)
- RE: Phishing Griffiths, Ian (May 12)
- Re: Phishing Rogan Dawes (May 13)
- RE: Phishing Adam Lydick (May 14)
- Re: Phishing E.Kellinis (May 15)
- RE: Phishing Griffiths, Ian (May 13)
- RE: Phishing Griffiths, Ian (May 13)
- RE: Phishing Michael Silk (May 13)
- Re: Phishing Amit Sharma (May 13)
- Re: Phishing Amit Sharma (May 13)
- RE: Phishing Pete Simpson (May 13)
- RE: Phishing Griffiths, Ian (May 14)
(Thread continues...)