Educause Security Discussion mailing list archives

Re: phishing link using Google...


From: Robert Kerr <r.kerr () CRANFIELD AC UK>
Date: Wed, 30 Nov 2005 17:15:12 +0000

On Wed, 2005-11-30 at 10:04 -0500, Gary Flynn wrote:
> Out of curiosity, why would someone use Google as the
> start point of a phishing link? Is it just so something
> familiar is near the front for anyone looking at it?
>
> <a
> href="http://www.google.pt/url?sa=U&start=4&q=http://203.52.104.73/images/.../.pcb.peoples.com/">www.peoples.com</a>

There are a number of URI based blacklists that contain spammy and phish
domains, e.g. SURBL (www.surbl.org) and URIBL (www.uribl.com). These
blacklists tend to key on the domain, so by using the Google redirector
they can make software checking against these blacklists see a link to
Google instead of one to the true destination.

The use of redirects like this in junk email has become quite common
since SpamAssassin started using SURBL. I believe future versions will
also include rules for URIBL.

--
 Robert Kerr
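
The blacklist bypass described in the message above, seen from the filter's side, as an added example that is not part of the original post or of SpamAssassin: a check that also pulls out any URL carried in a query parameter, so the destination host is looked up and not only the redirector's. The in-memory BLACKLIST set, MAX_DEPTH and all function names are assumptions for illustration; a real SURBL or URIBL lookup is a separate service query.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_DEPTH = 5  # assumption: limit on nested redirectors to unwrap

# The link from the message above (the "..." is elided in the original).
SAMPLE = ("http://www.google.pt/url?sa=U&start=4"
          "&q=http://203.52.104.73/images/.../.pcb.peoples.com/")
# Constructed stand-in for a URI blacklist lookup.
BLACKLIST = {"203.52.104.73"}

def visible_host(url):
    """Host a domain-keyed check sees if it parses only the outer link."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed links are common in junk mail
        return ""

def embedded_urls(url):
    """http(s) URLs carried in query parameters of `url`."""
    try:
        query = urlsplit(url).query
    except ValueError:
        return []
    found = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        candidate = unquote(value.strip())  # second decode: double-encoded targets
        if candidate.lower().startswith(("http://", "https://")):
            found.append(candidate)
    return found

def hosts_to_check(url, depth=0):
    """Visible host plus every host reachable through embedded URLs."""
    hosts = [h for h in [visible_host(url)] if h]
    if depth < MAX_DEPTH:
        for inner in embedded_urls(url):
            for h in hosts_to_check(inner, depth + 1):
                if h not in hosts:
                    hosts.append(h)
    return hosts

def is_listed(url, blacklist=BLACKLIST):
    """True if any host the link can lead to is on the blacklist."""
    return any(h in blacklist for h in hosts_to_check(url))

if __name__ == "__main__":
    print(visible_host(SAMPLE), hosts_to_check(SAMPLE), is_listed(SAMPLE))
```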
