Re: Determining who gave passwords to bogus site

[Paul Johnston <paul.johnston () pentest co uk>]

Hi,

> XSS attack. The user clicked on a link in the email which called up a page
> that injected a script into the actual login page and redirected to a bogus
> login page before anything was actually entered into the real login page.

A network-based approach would imply a sniffer. But I guess this is
after the event, so unless you have one permanently in place, that's no
help.

The two places I could see you could look are:
1) Proxy logs
2) Web server logs on the site that is XSS attacked

It's just possible that on the phishing site, the page after details are
submitted contains some kind of reference back to the original web
server - perhaps an image, or a redirect. So you could check the web
server logs for that.

Paul

-- 
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------