Full Disclosure mailing list archives
Re: Re: [HV-PAPER] Anti-Phishing Tips You Should Not Follow
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 02 Apr 2006 11:01:55 +1200
Dave Korn to Jasper Bryant-Greene:

> > Phishing scams are public in nature. They aren't trying to avoid detection :) ...

Actually, that depends on the scam. Some phishers go to elaborate lengths to hide the real location of their phishing sites, using fast-changing DNS entries with multiple host (A) records for their bogus domains, quickly rotating the domain through sizable chunks of widely distributed IP address space across their vast botnets. The bots at the business end of these setups act as HTTP proxies to the "real" phishing site, but are incredibly difficult to "catch in the act" and analyse (and doing so requires a level of inter-ISP, etc. cooperation you're unlikely to find in practice). Why they go to that much trouble unless they are trying to avoid detection of the real scam site's location I cannot imagine.

> > ... and the IP address would of course be spoofed.
>
> No it wouldn't. IP address spoofing is easy over UDP but incredibly difficult over TCP.

Exactly. BUT, it can be "practically" implemented -- i.e. the same end result (the phisher's real location remaining unknown) can be achieved with readily available means... There's nothing to prevent a phishmonger who is running a botnet much like that described above from also distributing the "check the supplied login credentials" effort across the botnet, rate-limiting the requests to a specific target banking site from each bot to "a few per hour", such that each bot might look, to any traffic or other pattern monitoring at the banking site, much like an "Internet cafe" or other similar public access node. And don't forget that, unlike the actual spamming of such phishing schemes, the total traffic involved here would be quite small anyway, as normally only a very small proportion of the phishing scam recipients will actually get as far as visiting the phish site _and then_ entering login data (in fact, this response rate is probably so low that the checking could be done by the bot proxying the current victim's HTTP traffic to the real scam site).

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
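The fast-changing, multi-A-record DNS pattern described in the message above is what resolver-side monitoring can key on. The following is an added example (not code from the list post or from any of its authors) that scores a domain from a series of constructed lookup results: a bogus host whose answers rotate through bot addresses scattered across many /16 prefixes is flagged, while a load-balanced site with a short TTL but a small, stable pool in one prefix is not. The domain names, addresses, TTLs and thresholds are all assumptions made up for the illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (domain, ttl_seconds, A records returned).
# Each tuple is one lookup of the name; lookups for a domain are in time order.
OBSERVATIONS = [
    # Hypothetical phishing host: short TTL, a fresh set of bots on every lookup,
    # addresses scattered across many /16 prefixes.
    ("bank-login-verify.example", 60, ["203.0.113.5", "198.51.100.7", "192.0.2.9", "100.64.1.1"]),
    ("bank-login-verify.example", 60, ["100.65.2.2", "100.66.3.3", "203.0.113.88", "100.67.4.4"]),
    ("bank-login-verify.example", 60, ["192.0.2.33", "100.68.5.5", "198.51.100.70", "100.69.6.6"]),
    ("bank-login-verify.example", 60, ["100.70.7.7", "203.0.113.5", "100.71.8.8", "100.72.9.9"]),
    # Hypothetical legitimate site behind a load balancer: short TTL too, but a
    # small, stable pool inside one prefix.
    ("www.bank.example", 30, ["198.51.100.10", "198.51.100.11"]),
    ("www.bank.example", 30, ["198.51.100.10", "198.51.100.11"]),
    ("www.bank.example", 30, ["198.51.100.10", "198.51.100.12"]),
    ("www.bank.example", 30, ["198.51.100.10", "198.51.100.12"]),
    # Hypothetical single-host name with a long TTL.
    ("mail.example", 3600, ["192.0.2.1"]),
    ("mail.example", 3600, ["192.0.2.1"]),
]


def flux_features(observations):
    """Per-domain features that separate rotating bot pools from ordinary hosting."""
    per_domain = defaultdict(list)
    for domain, ttl, ips in observations:
        per_domain[domain].append((ttl, set(ips)))

    features = {}
    for domain, answers in per_domain.items():
        all_ips = set().union(*(ips for _, ips in answers))
        # Distinct /16 prefixes as a rough proxy for "widely distributed address
        # space" (a real deployment would use ASN or BGP prefix data instead).
        prefixes = {ip_network(f"{ip}/16", strict=False) for ip in all_ips}
        min_ttl = min(ttl for ttl, _ in answers)
        # Churn: fraction of each answer's addresses absent from the previous answer.
        churn_samples = [
            len(cur - prev) / len(cur) for (_, prev), (_, cur) in zip(answers, answers[1:])
        ]
        churn = sum(churn_samples) / len(churn_samples) if churn_samples else 0.0
        features[domain] = {
            "ips": len(all_ips),
            "prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "churn": churn,
        }
    return features


def is_fast_flux(f, max_ttl=300, min_ips=8, min_prefixes=4, min_churn=0.5):
    """All thresholds are illustrative; tune them against your own resolver logs."""
    return (
        f["min_ttl"] <= max_ttl
        and f["ips"] >= min_ips
        and f["prefixes"] >= min_prefixes
        and f["churn"] >= min_churn
    )


def flagged_domains(observations):
    return sorted(d for d, f in flux_features(observations).items() if is_fast_flux(f))


if __name__ == "__main__":
    for domain, f in flux_features(OBSERVATIONS).items():
        print(domain, f, "FLUX" if is_fast_flux(f) else "ok")
```

The TTL test alone is useless on its own, since CDNs and load balancers also hand out short TTLs; it is the combination of low TTL, a large address pool spread over unrelated prefixes and high answer-to-answer churn that singles out a rotating bot front end, which is why the check requires all four conditions.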
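The second point in the message, that credential checks spread across a botnet at "a few per hour" per bot look like ordinary public-access traffic to per-source monitoring, is best seen from the bank's side of the log. The following added example (not code from the list post or from any of its authors) parses a constructed hour of authentication records and contrasts a per-address rate limit, which never fires because no single source is busy, with account-centric checks that notice successful logins from addresses an account has never used before. The log format, account names, addresses and the per-address limit are all assumptions made up for the illustration.

```python
from collections import Counter, defaultdict

# Constructed history of which source addresses each account has previously
# logged in from (in practice built from weeks of successful-login records).
KNOWN_SOURCES = {
    "alice": {"192.0.2.10"},
    "bob": {"192.0.2.20"},
    "carol": {"192.0.2.30"},
    "dave": {"192.0.2.40"},
}

# Constructed authentication log for one hour. Each line: ISO time, source
# address, account, outcome. The 100.64.0.0/10 addresses stand in for bots that
# each submit a single harvested credential, so no source ever gets near a
# per-address rate limit.
AUTH_LOG = """\
2006-04-01T10:00:05 src=192.0.2.10 acct=alice result=ok
2006-04-01T10:02:11 src=192.0.2.20 acct=bob result=ok
2006-04-01T10:05:40 src=100.64.1.1 acct=alice result=ok
2006-04-01T10:17:03 src=100.65.2.2 acct=bob result=ok
2006-04-01T10:23:51 src=100.66.3.3 acct=carol result=fail
2006-04-01T10:31:19 src=100.67.4.4 acct=dave result=ok
2006-04-01T10:44:27 src=192.0.2.30 acct=carol result=ok
2006-04-01T10:58:02 src=100.68.5.5 acct=carol result=ok
"""


def parse_auth_log(text):
    """Turn 'ts key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, "src": kv["src"], "acct": kv["acct"], "ok": kv["result"] == "ok"})
    return events


def per_source_rate_alerts(events, limit_per_hour=5):
    """The per-address control the bots are described as staying under."""
    counts = Counter((e["src"], e["ts"][:13]) for e in events)  # bucket by hour
    return sorted({src for (src, _), n in counts.items() if n > limit_per_hour})


def new_source_alerts(events, known):
    """Account-centric view: successful logins from an address the account has never used."""
    return [
        (e["acct"], e["src"])
        for e in events
        if e["ok"] and e["src"] not in known.get(e["acct"], set())
    ]


def distinct_sources_per_account(events):
    """How many unrelated addresses touched each account within the window."""
    sources = defaultdict(set)
    for e in events:
        sources[e["acct"]].add(e["src"])
    return {acct: len(s) for acct, s in sources.items()}


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    print("per-source alerts:", per_source_rate_alerts(evts))
    print("new-source logins:", new_source_alerts(evts, KNOWN_SOURCES))
    print("sources per account:", distinct_sources_per_account(evts))
```

Because the attacker controls how much traffic any one address generates, a source-side threshold is the wrong pivot; pivoting on the account (new address for this account, several unrelated addresses on one account within an hour) catches the distributed check regardless of how thinly it is spread.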