Security Incidents mailing list archives
Re: Discovering and Stopping Phishing/Scam Attacks
From: byte_jump <bytejump () gmail com>
Date: Tue, 26 Apr 2005 23:59:42 +0000
Like I said, I've implemented something as simple as a Perl script that is controlled by cron and had it be very, very effective at grabbing sites while they were still in development. The greatest difficulty is maintaining a list of known, good referrers, but as long as you train your web development guys this isn't too bad. All the implementations I've been involved with have had very few false positives.

byte_jump

On 4/26/05, Michael J. Pomraning <mjp-incidents-ml () securepipe com> wrote:

Steven,

You may not even need honeytoken resources. If you can detect "deeplinking" or unusual navigational patterns associated with your web app login, you may have a malicious third party at play. Was 'process-login.asp' fetched from an offsite Referer? Was that the first hit of the client's session?

Yes, there would be tuning and false positives (search engines may want your images) and profiling (what does a typical login look like?). Scam sites that are completely self-contained, or that cleverly interleave themselves in an otherwise ordinary browsing session (e.g., a convincing login popover) would remain undetected. Some folks might be behind proxies that strip Referer strings, etc.

However, I share your belief that a good number of these phishing sites create incidental traffic that could be detected -- at least until attackers get more sophisticated. Has anyone tried to detect in more-or-less realtime through log (or wire capture) analysis?

Regards,
Mike

--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Network Security

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
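The two checks Mike proposes (a login handler fetched from an offsite Referer, or a login that is the client's very first hit) and the known-good referrer list byte_jump maintains can be expressed as a small log scanner. This is an added example, not a script from either poster; the login path '/process-login.asp' comes from the thread, while the allowlisted host, the log format (Apache combined) and the sample lines are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Apache combined log line: client ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
LOGIN_PATHS = {"/process-login.asp"}         # login handler named in the thread
KNOWN_GOOD_HOSTS = {"www.example-bank.com"}  # assumed allowlist of our own hosts (byte_jump's "known, good referrers")

def referer_host(referer):
    """Hostname of a Referer value, or None when empty or '-' (e.g. stripped by a proxy)."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname

def find_suspect_logins(lines):
    """Return (client, referer_host, reason) for login hits that arrive from an
    offsite Referer, or with no Referer as the client's first request in the log."""
    seen_clients, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        client, path = m["client"], m["path"].split("?", 1)[0]
        first_hit = client not in seen_clients
        seen_clients.add(client)
        if path not in LOGIN_PATHS:
            continue
        host = referer_host(m["referer"])
        if host is not None and host not in KNOWN_GOOD_HOSTS:
            findings.append((client, host, "offsite referer"))
        elif host is None and first_hit:
            findings.append((client, None, "login with no referer was first hit"))
    return findings

# Constructed sample log (not real traffic): one normal login flow and two suspect logins.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Apr/2005:10:00:01 +0000] "GET /login.asp HTTP/1.1" 200 512 "https://www.example-bank.com/" "Mozilla/4.0"',
    '10.0.0.5 - - [26/Apr/2005:10:00:09 +0000] "POST /process-login.asp HTTP/1.1" 302 0 "https://www.example-bank.com/login.asp" "Mozilla/4.0"',
    '192.0.2.77 - - [26/Apr/2005:10:01:00 +0000] "POST /process-login.asp HTTP/1.1" 302 0 "http://203.0.113.44/bank/login.htm" "Mozilla/4.0"',
    '198.51.100.9 - - [26/Apr/2005:10:02:00 +0000] "POST /process-login.asp?x=1 HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_suspect_logins(SAMPLE_LOG):
        print(hit)
```

Run from cron against the rotated access log, this reproduces the thread's approach; the second rule is the noisy one (bookmarked logins, proxies that strip Referer), so it is the candidate for tuning against a profile of typical login sequences.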