Re: Discovering and Stopping Phishing/Scam Attacks

Oh, I'm not advocating adjusting images. To me it seems like a
headache - not to mention, how do you inform people of the changes?

I agree that tracking referrers is a great idea. Aside from that,
there's not much one can do from a prevention standpoint.

byte_jump

On 4/26/05, Thomas Adams <tgadams@bellsouth.net> wrote:
> The problem comes in making changes to production servers during production.
> Most people don't want to take the chance of doing that. Not too mention
> high targeted companies receive hundreds of attacks a day. There is your
> headache waiting to happen.
> Just go with what is already set up. Referrer logs are easy to turn on(may
> be default on most webservers now). Very easy to watch them and you are
> definitely in a proactive stance by doing so.
> The phishers change just as fast as you can change your server. For
> instance, we just setup a new layout for our webserver. A few hours later,
> we noticed new updated phishing kits to reflect our changes.
>
> Thomas Adams, CISSP
>
> -----Original Message-----
> From: byte_jump [mailto:bytejump@gmail.com]
> Sent: Tuesday, April 26, 2005 6:56 PM
> To: thomas adams
> Cc: incidents@securityfocus.com
> Subject: Re: Discovering and Stopping Phishing/Scam Attacks
>
> It's really not that bad to change images or refer to a different
> image, or even add an image. If you are tracking referrers to special
> files such as images (there are others too, depending on your site)
> the fraudster will have to host the images himself in order to avoide
> being detected. Once he does that, he gives the legitimate site the
> ability to take proactive action such as adding images to the site,
> changing them, etc., though that doesn't buy a whole lot unless you
> can get the word out to your customers.
>
> byte_jump
>
> On 27 Apr 2005 04:42:14 -0000, thomas adams <tgadams@bellsouth.net> wrote:
> > In-Reply-To: <1312.128.173.146.141.1114545545.spork@webmail.lovebug.org>
> >
> > I have actually worked with another guy in coding a small app that will
> watch the referrer logs. If the referrer is not in a list of 'known
> referrers' an email will be sent to the admin. This actually helps in
> spotting phishing sites fairly early, because we can see the site being
> made. Doesnt catch them all, but you can bet if they use this method we will
> see them.
> > Changing the images could get to be a massive headache.
> > I think the referrer method is much easier than what you are suggesting.
> >
> > Thomas Adams, CISSP
> >
> > > As we have all noticed, there has increase in the number of phishing/scam
> > > attempts via e-mail that appear to be legitimate.  Most of
> > > these e-mails look identical to e-mails that would be sent by the
> > > e-commerce or banking institute.  They also frequently link to
> > > fraudulent/hacked webservers that also appear very similar to the website
> > > they are masquerading as.
> > >
> > > I noticed quite some time ago is that most of these websites
> > > and e-mails do not host their own images.  From what I have seen, more
> > > often than not, these e-mails and websites link directly to images hosted
> > > by the legitimate website.  For example, I just received an eBay scam
> > > asking me to signup to be a PowerSeller.  The PowerSeller artwork, logos,
> > > and other images are all linked directly from eBay.  So this makes me
> > > realize that there are a few things some of these targeted
> > > websites/businesses can do to detect these scam sites much quicker.  I
> > > have made this suggestion to a few banking institutions in the past, and
> I
> > > have no idea if anyone has actually decided to implement my ideas or not
> > > -- but they seem pretty feasible.
> > >
> > > Since they are linking to the images hosted on the site they are cloning
> > > -- the banking/e-commerce website could just rename their images on
> > > their own webpage every so often (and update their webpages accordingly).
> > > However, at the same time they should keep copies of the images with
> their
> > > old names.  Now they can check their logs to see what webpage(s) are
> > > accessing these old image names.  Chances are they will link directly
> back
> > > to the hacked website purporting to be their page.  This would allow for
> > > quicker detection of this phishing and scam websites, providing a slight
> > > leg up for sites trying to fight this.
> > >
> > > Just an idea -- let me know if anyone has any comments.
> > >
> > > Steven
> > > steven@lovebug.org
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------