WebApp Sec mailing list archives
Re: Phishing
From: Jordan Dimov <jdimov () nsegcorp com>
Date: Wed, 12 May 2004 17:50:39 +0300
These are good starting points, Rogan. I'd love to see further discussion on this topic.
Make the site name as short as possible, and as obvious as possible, to reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", try to use something short and simple like "secure.bank.com", and use it consistently for all servers supporting a particular application. That way there is less confusion for users, and less likelihood that a scammer will get away with using a slightly different domain name.
This doesn't really protect against typographical domain name scams (e.g. paypai.com vs. paypal.com). Additionally, there are several known security vulnerabilities in MSIE and other browsers that make it much easier for attackers to hide the true identity of their fake site and mislead the user.

--
Jordan
Association for Information Security (www.iseca.org)
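One defender-side check that follows from the two points above, added here as an example and not part of the original post: classify the host in a link against a small set of canonical hosts and flag near misses (a one-character typo, a confusable glyph such as the i/l swap in paypai.com, or the real name embedded in a longer host). The canonical host set and the URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: the short, consistently used names an organisation
# actually serves its application from (one per application, as suggested).
CANONICAL_HOSTS = {"secure.bank.com", "paypal.com"}

# Glyph pairs that look alike in common fonts; applied in order so that
# "paypai.com" and "paypal.com" fold to the same string.
FOLDS = [("rn", "m"), ("1", "l"), ("i", "l"), ("0", "o")]


def fold(host: str) -> str:
    """Collapse confusable glyphs to one representative form."""
    for src, dst in FOLDS:
        host = host.replace(src, dst)
    return host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'canonical', 'lookalike' or 'unrelated' for the host of a full URL."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host in CANONICAL_HOSTS:
        return "canonical"
    for good in CANONICAL_HOSTS:
        # typo squat (one edit away) or confusable-glyph swap
        if edit_distance(host, good) <= 1 or fold(host) == fold(good):
            return "lookalike"
        # real name buried inside a longer host, e.g. secure.bank.com.example.net
        if good in host:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://secure.bank.com/login", "https://paypai.com/signin",
              "https://secure.bank.com.example.net/", "https://www3.encrypt.bank.com/"):
        print(u, "->", classify(u))
```

Note that the inconsistently named "www3.encrypt.bank.com" host comes out as "unrelated": with no short canonical name to compare against, a legitimate server is indistinguishable from a stranger, which is the confusion the naming advice is meant to remove.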