Educause Security Discussion mailing list archives
Re: phishing link using Google...
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 30 Nov 2005 15:15:46 -0500
Jeni Li wrote:
<snip author="Gary">|Out of curiosity, why would someone use Google as the |start point of a phishing link?</snip> <snip author="Michael">One benefit of redirecting phishing targets through Google is so enterprises can't block the phishing site for their constituency using perhaps more traditional means - via DNS or advertising bogus routes for the destination web server's IP address.</snip> I thought the same thing at first, but I hit the URL in question with a sniffer running. All the Google hit does is 302-redirect you to the URL provided in the query string (aside, seems like kind of a dumb "service" for Google to offer).
Hmmm. That rings a bell.... http://clsc.net/research/google-302-page-hijack.htm
Because of the redirect, the client machine still makes a normal GET request to the phishy server, after hitting the Google URL... so the Google URL wouldn't serve effectively to work around any measures designed to block undesirable HTTP traffic. Given that, I think Robert Kerr's rationale (working around anti-spam/privacy software that uses URI blacklists -- e.g., SpamAssassin at the server or Norton at the desktop) is the most probable. Thanks to Robert for posting; I was scratching my head over this for a while. Jeni Li Arizona State University
-- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Current thread:
- phishing link using Google... Gary Flynn (Nov 30)
- <Possible follow-ups>
- Re: phishing link using Google... Michael Hornung (Nov 30)
- Re: phishing link using Google... Robert Kerr (Nov 30)
- Re: phishing link using Google... A. J. Wright (Nov 30)
- Re: phishing link using Google... Jeni Li (Nov 30)
- Re: phishing link using Google... Gary Flynn (Nov 30)