Security Incidents mailing list archives
Re: Discovering and Stopping Phishing/Scam Attacks
From: "Michael J. Pomraning" <mjp-incidents-ml () securepipe com>
Date: Tue, 26 Apr 2005 17:09:18 -0500 (CDT)
On Tue, 26 Apr 2005 steven () lovebug org wrote:
What I noticed quite some time ago is that most of these websites and e-mails do not host their own images. From what I have seen, more
[....]
Since they are linking to the images hosted on the site they are cloning -- the banking/e-commerce website could just rename their images on their own webpage every so often (and update their webpages accordingly). However, at the same time they should keep copies of the images with their old names. Now they can check their logs to see what webpage(s) are accessing these old image names. Chances are they will link directly back to the hacked website purporting to be their page. This would allow for quicker detection of these phishing and scam websites, providing a slight leg up for sites trying to fight this.
Steven,

You may not even need honeytoken resources. If you can detect "deeplinking" or unusual navigational patterns associated with your web app login, you may have a malicious third party at play. Was 'process-login.asp' fetched from an offsite Referer? Was that the first hit of the client's session?

Yes, there would be tuning and false positives (search engines may want your images) and profiling (what does a typical login look like?). Scam sites that are completely self-contained, or that cleverly interleave themselves into otherwise ordinary browsing (e.g., a convincing login popover), would remain undetected. Some folks might be behind proxies that strip Referer strings, etc. However, I share your belief that a good number of these phishing sites create incidental traffic that could be detected -- at least until attackers get more sophisticated.

Has anyone tried to detect this in more-or-less real time through log (or wire capture) analysis?

Regards,
Mike

--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Network Security
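The two signals discussed in this thread (Steven's retired-image honeytokens fetched with an offsite Referer, and Mike's login handler being hit from an offsite Referer or as the first request of a session) can both be checked from the same web server log. The following is an added example, not code from either poster: a small detector run over constructed Apache combined-format log lines. The hostnames (www.example-bank.test, phish.example.test), the login path /process-login.asp, the retired image names, the 30-minute session gap and the sample lines themselves are all assumptions made for the illustration.

```python
"""Detect cloned-page traffic from web server logs (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions for the example: our own hostnames, the login handler, the image
# names we retired but kept serving as honeytokens, and the idle gap that
# separates two sessions from the same client.
OUR_HOSTS = {"www.example-bank.test"}
LOGIN_PATHS = {"/process-login.asp"}
HONEYTOKEN_PATHS = {"/images/logo_v1.gif", "/images/login_btn_v1.gif"}
SESSION_GAP = timedelta(minutes=30)

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["path"]).path  # ignore the query string when matching paths
    return rec


def referer_host(referer):
    """Hostname from the Referer header, or None when it is absent or stripped ('-')."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def is_offsite(referer):
    """True only when a Referer is present and names a host that is not ours."""
    host = referer_host(referer)
    return host is not None and host not in OUR_HOSTS


def analyze(lines):
    """Return findings as (signal, client_ip, referer_host_or_None) tuples, in log order."""
    findings = []
    last_seen = {}  # (ip, user-agent) -> time of that client's most recent request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["ua"])  # crude session key; a cookie would be better
        prev = last_seen.get(key)
        first_hit = prev is None or rec["time"] - prev > SESSION_GAP
        last_seen[key] = rec["time"]
        ref = rec["referer"]
        # Signal 1: a retired image name requested from a page we do not host.
        if rec["path"] in HONEYTOKEN_PATHS and is_offsite(ref):
            findings.append(("honeytoken_offsite_referer", rec["ip"], referer_host(ref)))
        # Signal 2: the login handler reached from offsite, or with no prior navigation.
        if rec["path"] in LOGIN_PATHS:
            if is_offsite(ref):
                findings.append(("login_offsite_referer", rec["ip"], referer_host(ref)))
            elif first_hit:
                # Weaker evidence: a proxy may simply have stripped the Referer.
                findings.append(("login_first_hit", rec["ip"], referer_host(ref)))
    return findings


# Constructed sample log: one normal login, one login via a cloned page that
# deeplinks a retired image, one Referer-less first-hit login, and a crawler
# fetching the old image with no Referer (should not be flagged).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Apr/2005:17:01:02 -0500] "GET /login.asp HTTP/1.1" 200 5120 "http://www.example-bank.test/" "Mozilla/5.0"
203.0.113.10 - - [26/Apr/2005:17:01:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://www.example-bank.test/login.asp" "Mozilla/5.0"
203.0.113.10 - - [26/Apr/2005:17:01:40 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "http://www.example-bank.test/login.asp" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2005:17:02:11 -0500] "GET /images/logo_v1.gif HTTP/1.1" 200 2048 "http://phish.example.test/secure/login.html" "Mozilla/4.0"
198.51.100.7 - - [26/Apr/2005:17:02:55 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "http://phish.example.test/secure/login.html" "Mozilla/4.0"
192.0.2.33 - - [26/Apr/2005:17:03:01 -0500] "POST /process-login.asp HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [26/Apr/2005:17:03:30 -0500] "GET /images/logo_v1.gif HTTP/1.1" 200 2048 "-" "Googlebot/2.1"
"""


def run_sample():
    """Run the detector over the constructed sample; returns three findings."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for signal, ip, host in run_sample():
        print(f"{signal:28s} client={ip:14s} referer_host={host}")
```

The honeytoken check fires only when a Referer is present and offsite, so the crawler line (no Referer) is deliberately not flagged; that is the search-engine false positive Mike mentions, traded for missing clones behind Referer-stripping proxies. The first-hit check keys sessions on client address and User-Agent, which is good enough for an illustration but will split sessions behind NAT in real logs; a session cookie is the better key where one exists.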
Current thread:
- Discovering and Stopping Phishing/Scam Attacks steven (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Randy (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Lode Vermeiren (Apr 26)
- RE: Discovering and Stopping Phishing/Scam Attacks matt.neeley (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Lode Vermeiren (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Michael J. Pomraning (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks Crispin Cowan (Apr 27)
- <Possible follow-ups>
- Re: Discovering and Stopping Phishing/Scam Attacks thomas adams (Apr 26)
- Re: Discovering and Stopping Phishing/Scam Attacks Alex (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Thomas Adams (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks byte_jump (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks Randy (Apr 26)
- RE: Discovering and Stopping Phishing/Scam Attacks Scovetta, Michael V (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Marco A. Zamora Cunningham (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks Krul Thomas (Apr 27)