Re: phishing link using Google...

[Gary Flynn <flynngn () JMU EDU>]

Jeni Li wrote:

> <snip author="Gary">
>
> > > |Out of curiosity, why would someone use Google as the
> > > |start point of a phishing link?
>
> </snip>
>
> <snip author="Michael">
>
> > One benefit of redirecting phishing targets through Google is so
> > enterprises can't block the phishing site for their constituency
> > using perhaps more traditional means - via DNS or advertising
> > bogus routes for the destination web server's IP address.
>
> </snip>
>
> I thought the same thing at first, but I hit the URL in question with a sniffer running. All the Google hit does is 302-redirect 
> you to the URL provided in the query string (aside, seems like kind of a dumb "service" for Google to offer).


Hmmm. That rings a bell....
http://clsc.net/research/google-302-page-hijack.htm


> Because of the redirect, the client machine still makes a normal GET request to the phishy server, after hitting the Google 
> URL... so the Google URL wouldn't serve effectively to work around any measures designed to block undesirable HTTP 
> traffic.
>
> Given that, I think Robert Kerr's rationale (working around anti-spam/privacy software that uses URI blacklists -- 
> e.g., SpamAssassin at the server or Norton at the desktop) is the most probable. Thanks to Robert for posting; I was 
> scratching my head over this for a while.
>
> Jeni Li
> Arizona State University


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security