lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 26 Apr 2005 13:13:58 -0700 (PDT)
From: Randy <rho@...net.edu>
To: steven@...ebug.org
Cc: incidents@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: Discovering and Stopping Phishing/Scam Attacks


Seems like a maintenance nightmare waiting to happen.

~randy

  On Tue, 26 Apr 2005 steven@...ebug.org 
wrote:

> As we have all noticed, there has increase in the number of phishing/scam
> attempts via e-mail that appear to be legitimate.  Most of
> these e-mails look identical to e-mails that would be sent by the
> e-commerce or banking institute.  They also frequently link to
> fraudulent/hacked webservers that also appear very similar to the website
> they are masquerading as.
>
> I noticed quite some time ago is that most of these websites
> and e-mails do not host their own images.  From what I have seen, more
> often than not, these e-mails and websites link directly to images hosted
> by the legitimate website.  For example, I just received an eBay scam
> asking me to signup to be a PowerSeller.  The PowerSeller artwork, logos,
> and other images are all linked directly from eBay.  So this makes me
> realize that there are a few things some of these targeted
> websites/businesses can do to detect these scam sites much quicker.  I
> have made this suggestion to a few banking institutions in the past, and I
> have no idea if anyone has actually decided to implement my ideas or not
> -- but they seem pretty feasible.
>
> Since they are linking to the images hosted on the site they are cloning
> -- the banking/e-commerce website could just rename their images on
> their own webpage every so often (and update their webpages accordingly).
> However, at the same time they should keep copies of the images with their
> old names.  Now they can check their logs to see what webpage(s) are
> accessing these old image names.  Chances are they will link directly back
> to the hacked website purporting to be their page.  This would allow for
> quicker detection of this phishing and scam websites, providing a slight
> leg up for sites trying to fight this.
>
> Just an idea -- let me know if anyone has any comments.
>
> Steven
> steven@...ebug.org
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
>

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ