PaulDotCom mailing list archives

Re: How to detect phishing and spoofed websites


From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Thu, 13 Dec 2012 17:25:36 -0400

Thank you everyone.

Once detected, there are many ways of dealing with a spoofed website such as contacting system owners, ISPs, publishing 
advisories and reporting URLs to various blacklists.

I'm investigating options on how to be more proactive at detecting phishing websites.

1. Placing emails online in the hopes of it being harvested by an attacker (phishing the phisher if you will)
2. Monitoring web server logs for attempts by an attacker to copy all the data from our site
3. Monitoring web server logs for images that are retrieved with an HTTP referrer of a URL different from what is 
expected
4. Google searches that look for something that would likely be copied by a phisher to a spoofed website?

I'm not saying these techniques are perfect or effective.  Are there any other techniques you can think of (or sites 
that provide details on doing the above... or provide tools to automate the above)?  Anything more a web admin can do?  
Is there anything a developer of a web app can do to improve detection of phishing attempts?  Is there any kind of 
configuration that can be done that prevents images from being referenced by a phishing website (or loads different images)?

Brian

Sent from my iPad
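As an added illustration of items 2 and 3 in the list above (example code written for this archive page, not something posted in the thread), the script below scans Apache/nginx combined-format access logs for two signals: image and stylesheet requests whose Referer names a host other than our own (a clone hosted elsewhere hotlinking our logo), and client IPs that pull an unusually large number of distinct pages within a short window (the footprint of a site-copy tool). The log lines, the `OUR_HOSTS` set and the `.invalid` hostname are constructed placeholders for the example.

```python
"""
Added example (not from the PaulDotCom thread): flag foreign-referer
image loads and bulk-crawl behaviour in web server access logs.
All sample data below is constructed; hostnames are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATIC_EXT = ('.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.css')
OUR_HOSTS = {'www.example.com', 'example.com'}   # assumption: hosts we serve


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def foreign_referer_hits(lines):
    """Static-asset requests whose Referer host is not one of ours (item 3).
    An empty or missing Referer is ignored: direct loads and privacy settings
    produce those legitimately, so they carry no signal either way."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec['path'].lower().endswith(STATIC_EXT):
            continue
        host = urlsplit(rec['referer']).hostname
        if host and host not in OUR_HOSTS:
            hits.append((rec['ip'], host, rec['path']))
    return hits


def bulk_crawlers(lines, max_paths=20, window_seconds=60):
    """Client IPs requesting more than max_paths distinct paths within any
    window_seconds span (item 2). Thresholds are assumptions; tune per site."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec['ip']].append((rec['ts'], rec['path']))
    flagged = set()
    for ip, reqs in by_ip.items():
        reqs.sort()
        start = 0
        seen = defaultdict(int)  # distinct paths inside the sliding window
        for ts, path in reqs:
            seen[path] += 1
            # Slide the window start forward past requests that are too old.
            while (ts - reqs[start][0]).total_seconds() > window_seconds:
                old = reqs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) > max_paths:
                flagged.add(ip)
                break
    return flagged


def build_sample_log():
    """Constructed sample: one legitimate logo load, one hotlinked from a
    foreign host, one with no Referer, and one client fetching 25 pages."""
    lines = [
        '203.0.113.5 - - [13/Dec/2012:10:00:01 -0400] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.com/login" "Mozilla/5.0"',
        '203.0.113.6 - - [13/Dec/2012:10:00:02 -0400] "GET /images/logo.png HTTP/1.1" 200 5120 "http://login-secure-update.invalid/index.html" "Mozilla/5.0"',
        '203.0.113.7 - - [13/Dec/2012:10:00:03 -0400] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ]
    for i in range(25):
        lines.append(
            '198.51.100.9 - - [13/Dec/2012:10:05:%02d -0400] "GET /page%d.html HTTP/1.1" 200 800 "-" "Wget/1.14"' % (i, i)
        )
    return lines


if __name__ == '__main__':
    log = build_sample_log()
    for ip, host, path in foreign_referer_hits(log):
        print('foreign referer: %s loaded %s from %s' % (ip, path, host))
    for ip in sorted(bulk_crawlers(log)):
        print('bulk crawl: %s' % ip)
```

Pipe a real log through `foreign_referer_hits` and review the referer hosts it reports; a host you have never seen that is pulling your login-page graphics is worth a look, while `bulk_crawlers` is noisier (search engines and monitoring tools trip it too), so the user-agent field kept in each record is useful for allow-listing.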

On Dec 12, 2012, at 11:27 PM, Bill Swearingen <hevnsnt () i-hacked com> wrote:

I have found that an email to the hosting company to be very successful, even in other countries.

On Dec 12, 2012 7:14 PM, "allison nixon" <elsakoo () gmail com> wrote:
As a web app developer, I'm not sure how your responsibilities would apply to dealing with phishing sites.  Are you 
maintaining a website and people are creating phishing sites mimicking yours?  If so, please read the following 
Wikipedia entry:
http://en.wikipedia.org/wiki/Backscatter_(email)

also, phishers typically dump people onto the real website after they have fallen for the scam so it would be wise 
to locate some of the phishing pages imitating your site, "falling" for the scam yourself, and looking at the 
pattern of traffic that ends up going to your site.  Other IPs with the same pattern of traffic could have their 
accounts compromised.  Finally, once you've found the site, you could file DMCA complaints, and you would have good 
standing to do so, but it probably wouldn't help you anyways.  Phishing websites are disposable.  I have seen people 
attempt to fill in the phishing site with lots and lots of garbage info to make the operation unprofitable, as well 
as locating the caches of stolen credentials on the server, but that begins to fall into a very grey area and you 
can make your own decisions on the matter.  You could also create fake accounts and enter them into known phishing 
sites, and track the activity of any IP that attempts to log into those accounts.  Typically the attacker attempts 
to log in with many usernames from its stolen credential cache, and you might even want to lower your login security 
to allow for many different logins from one IP, so they don't need to recycle IPs and are easier to track.  

Of course, do what makes sense for your situation.

-Allison Nixon

On Wed, Dec 12, 2012 at 1:25 PM, xgermx <xgermx () gmail com> wrote:
Check for encoded javascript/php, check any redirects, check for any 1x1 iframes, etc
wget/curl scripting can really do a lot for you and if you want to roll up your scripting sleeves, you can leverage 
the VirusTotal API.
https://www.virustotal.com/documentation/public-api 


On Wed, Dec 12, 2012 at 8:43 AM, Brian Erdelyi <brian_erdelyi () yahoo com> wrote:
Good morning everyone,

I'd like to create a guide and checklist for detecting phishing attacks.  I want to focus on server side.  What 
can a website admin do to detect phishing attacks and spoofed websites?  What can a web app developer do to make 
it easier to detect phishing attacks and spoofed websites?

Brian

Sent from my iPhone
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





-- 
_________________________________
Note to self: Pillage BEFORE burning.
