Network Security Incidents

Re: Discovering and Stopping Phishing/Scam Attacks

Subject: Re: Discovering and Stopping Phishing/Scam Attacks
Date: Tue, 26 Apr 2005 23:59:42 +0000
Like I said, I've implemented something as simple as a Perl script
that is controlled by cron and had it be very, very effective at
grabbing sites while they were still in development. The greatest
difficulty is maintaining a list of known, good referrers, but as long
as you train your web development guys this isn't too bad. All the
implementations I've been involved with have had very few false
positives.

byte_jump

On 4/26/05, Michael J. Pomraning <mjp-incidents-ml@securepipe.com> wrote:

Steven,

You may not even need honeytoken resources.

If you can detect "deeplinking" or unusual navigational patterns
associated with your web app login, you may have a malicious third
party at play.  Was 'process-login.asp' fetched from an offsite
Referer?  Was that the first hit of the client's session?

Yes, there would be tuning and false positives (search engines may
want your images) and profiling (what does a typical login look
like?).  Scam sites that are completely self-contained, or that
cleverly interleave themselves into an otherwise ordinary browsing
session (e.g., convincing login popovers) would remain undetected.  Some
folks might be behind proxies that strip Referer strings, etc.

However, I share your belief that a good number of these phishing
sites create incidental traffic that could be detected -- at least
until attackers get more sophisticated.

Has anyone tried to detect in more-or-less realtime through log (or
wire capture) analysis?

Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Network Security
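The two heuristics discussed in this thread (off-site Referer on the login processor or on site images, and a login POST that is the first hit of a session), as an added example in Python rather than byte_jump's cron-driven Perl script, which is not on the page. The log lines are constructed in Apache combined format; the login-processor path is taken from Mike's 'process-login.asp' example, while the allowlisted referer domain, the phishing hostname, the client addresses and the crawler user-agent markers are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines (Apache combined format), not from the original post.
# 203.0.113.10 is a normal login; 198.51.100.7/.22 come via a phishing page that
# hotlinks our images and posts to our login processor; 192.0.2.5 is a crawler;
# 192.0.2.9 sits behind a Referer-stripping proxy.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Apr/2005:10:01:02 +0000] "GET /login.asp HTTP/1.1" 200 2048 "https://www.example-bank.com/" "Mozilla/5.0"
203.0.113.10 - - [26/Apr/2005:10:01:09 +0000] "POST /process-login.asp HTTP/1.1" 302 0 "https://www.example-bank.com/login.asp" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2005:10:05:44 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://secure-examplebank-verify.example.net/index.php" "Mozilla/4.0"
198.51.100.7 - - [26/Apr/2005:10:05:45 +0000] "GET /images/header.gif HTTP/1.1" 200 7300 "http://secure-examplebank-verify.example.net/index.php" "Mozilla/4.0"
198.51.100.22 - - [26/Apr/2005:10:06:01 +0000] "POST /process-login.asp HTTP/1.1" 302 0 "http://secure-examplebank-verify.example.net/index.php" "Mozilla/4.0"
192.0.2.5 - - [26/Apr/2005:10:07:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.9 - - [26/Apr/2005:10:08:00 +0000] "POST /process-login.asp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed site-specific tuning: the list of known, good referrers that the
# thread says is the main maintenance burden, plus the pages worth watching.
GOOD_REFERER_HOSTS = {"example-bank.com"}          # hypothetical; subdomains accepted
LOGIN_PROCESSOR = "/process-login.asp"             # name from Mike's example
WATCHED_PREFIXES = ("/images/",)                   # assets a scam site tends to hotlink
CRAWLER_UA_MARKERS = ("googlebot", "bingbot", "slurp")  # search engines may want images


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of the Referer, or None when absent/stripped ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def is_good_host(host):
    """True for the site itself or any subdomain of an allowlisted domain."""
    return any(host == g or host.endswith("." + g) for g in GOOD_REFERER_HOSTS)


def analyze(log_text, good_hosts=None):
    """Scan log lines and return suspect referer hosts plus the hits behind them.

    suspect_hosts   : Counter of off-site Referer hosts seen on watched paths
    deeplinks       : (client ip, path, referer host) for each such hit
    first_hit_logins: (client ip, raw referer) for login POSTs that were the
                      first request seen from that client (no prior page view)
    """
    if good_hosts is not None:
        GOOD_REFERER_HOSTS.clear()
        GOOD_REFERER_HOSTS.update(good_hosts)
    suspect_hosts, deeplinks, first_hit_logins = Counter(), [], []
    seen_clients = set()   # client IP stands in for a session here (coarse, see note)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua = rec["ip"], rec["ua"].lower()
        path = rec["path"].split("?", 1)[0]
        # Heuristic 2: a login submission with no earlier hit from this client.
        if path == LOGIN_PROCESSOR and ip not in seen_clients:
            first_hit_logins.append((ip, rec["referer"]))
        seen_clients.add(ip)
        # Heuristic 1: watched page or asset fetched with an off-site Referer.
        if path != LOGIN_PROCESSOR and not path.startswith(WATCHED_PREFIXES):
            continue
        if any(marker in ua for marker in CRAWLER_UA_MARKERS):
            continue                        # crawlers legitimately fetch images
        host = referer_host(rec["referer"])
        if host is None or is_good_host(host):
            continue                        # stripped Referer: nothing to attribute
        suspect_hosts[host] += 1
        deeplinks.append((ip, path, host))
    return {"suspect_hosts": suspect_hosts,
            "deeplinks": deeplinks,
            "first_hit_logins": first_hit_logins}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, n in result["suspect_hosts"].most_common():
        print(f"{n:4d} hits referred from {host}")
    for ip, ref in result["first_hit_logins"]:
        print(f"login was first hit from {ip} (referer {ref})")
```

Using the client IP as the session key is the weak point Mike alludes to: a Referer-stripping proxy shared by many users (192.0.2.9 above) will show up in `first_hit_logins` even for an honest login, so that list is a candidate for profiling against the session cookie rather than an alert on its own, whereas a host that appears repeatedly in `suspect_hosts` is the kind of site-in-development signal byte_jump describes.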


