Re: How to detect phishing and spoofed websites

[allison nixon <elsakoo () gmail com>]

Ask your users to report phishing websites

On Thu, Dec 13, 2012 at 4:25 PM, Brian Erdelyi <brian_erdelyi () yahoo com>wrote:

> Thank you everyone.
>
> Once detected, there are many ways of dealing with a spoofed website such
> as contacting system owners, ISPs, publishing advisories and reporting URLs
> to various blacklists.
>
> I'm investigating options on how to be more proactive at detecting
> phishing websites.
>
> 1. Placing emails online in the hopes of it being harvested by an attacker
> (phishing the phisher if you will)
> 2. Monitoring web server logs for attempts by an attacker to copy all the
> data from our site
> 3. Monitoring web server logs for images that are retrieved with an HTTP
> referrer of a URL different from what is expected
> 4. Google searches that look for something that would likely be copied by
> a phisher to a spoofed website?
>
> I'm not saying these techniques are perfect or effective.  Are there any
> other techniques you can think of (or sites that provide details on doing
> the above... Or provide tools to automate the above)?  Anything more a web
> admin can do?  Is there anything a developer of an web app can do to
> improve detection of phishing attempts?  Is there any kind of configuration
> can be done that prevents images from being referenced by a phishing
> website (or load different images)?
>
> Brian
>
> Sent from my iPad
>
> On Dec 12, 2012, at 11:27 PM, Bill Swearingen <hevnsnt () i-hacked com>
> wrote:
>
> I have found that an email to the hosting company to be very successful,
> even in other countries.
> On Dec 12, 2012 7:14 PM, "allison nixon" <elsakoo () gmail com> wrote:
>
> > As a web app developer, I'm not sure how your responsibilities would
> > apply to dealing with phishing sites.  Are you maintaining a website and
> > people are creating phishing sites mimicking yours?  If so, pls read the
> > following wikipedia entry:
> > http://en.wikipedia.org/wiki/Backscatter_(email)
> >
> > also, phishers typically dump people onto the real website after they
> > have fallen for the scam so it would be wise to locate some of the phishing
> > pages imitating your site, "falling" for the scam yourself, and looking at
> > the pattern of traffic that ends up going to your site.  Other IPs with the
> > same pattern of traffic could have their accounts compromised.  Finally,
> > once you've found the site, you could file dmca complaints, and you would
> > have good standing to do so, but it probably wouldn't help you anyways.
> >  Phishing websites are disposable.  I have seen people attempt to fill in
> > the phishing site with lots and lots of garbage info to make the operation
> > unprofitable, as well as locating the caches of stolen credentials on the
> > server, but that begins to fall into a very grey area and you can make your
> > own decisions on the matter.  You could also create fake accounts and enter
> > them into known phishing sites, and track the activity of any IP that
> > attempts to log into those accounts.  Typically the attacker attempts to
> > log in with many usernames from its stolen credential cache, and you might
> > even want to lower your login security to allow for many different logins
> > from one IP, so they don't need to recycle IPs and are easier to track.
> >
> > Of course, do what makes sense for your situation.
> >
> > -Allison Nixon
> >
> > On Wed, Dec 12, 2012 at 1:25 PM, xgermx <xgermx () gmail com> wrote:
> >
> > > Check for encoded javascript/php, check any redirects, check for any 1x1
> > > iframes, etc
> > > wget/curl scripting can really do a lot for you and if you want to roll
> > > up your scripting sleeves, you can leverage the VirusTotal API.
> > > https://www.virustotal.com/documentation/public-api
> > >
> > >
> > > On Wed, Dec 12, 2012 at 8:43 AM, Brian Erdelyi <brian_erdelyi () yahoo com>wrote:
> > >
> > > > Good morning everyone,
> > > >
> > > > I'd like to create a guide and checklist for detecting phishing
> > > > attacks.  I want to focus on server side.  What can a website admin do to
> > > > detect phishing attacks and spoofed websites?  What can a web app developer
> > > > do to make it easier to detect phishing attacks and spoofed websites?
> > > >
> > > > Brian
> > > >
> > > > Sent from my iPhone
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > _________________________________
> > Note to self: Pillage BEFORE burning.
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
_________________________________
Note to self: Pillage BEFORE burning.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com