| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <426EC7D2.1050504@immunix.com> Date: Tue, 26 Apr 2005 15:59:30 -0700 From: Crispin Cowan <crispin@...unix.com> To: steven@...ebug.org Cc: incidents@...urityfocus.com, bugtraq@...urityfocus.com Subject: Re: Discovering and Stopping Phishing/Scam Attacks I think that this will just force the phishers to host their own images. As such, this approach is not very interesting unless there actually is a problem for the phishers in hosting their own images. The phishers could even host their own images on virtual domains that are typo-alike to the legitimate domain name. For me personally, I would not notice the difference, as I already have my mail client configured to not load referenced images, because spammers already use hits on their hosted images as web bugs to detect working e-mails, and that just brings more spam down on your head. If you are loading images referenced in e-mails, you probably want to figure out how to turn that off. Crispin steven@...ebug.org wrote: >As we have all noticed, there has increase in the number of phishing/scam >attempts via e-mail that appear to be legitimate. Most of >these e-mails look identical to e-mails that would be sent by the >e-commerce or banking institute. They also frequently link to >fraudulent/hacked webservers that also appear very similar to the website >they are masquerading as. > >I noticed quite some time ago is that most of these websites >and e-mails do not host their own images. From what I have seen, more >often than not, these e-mails and websites link directly to images hosted >by the legitimate website. For example, I just received an eBay scam >asking me to signup to be a PowerSeller. The PowerSeller artwork, logos, >and other images are all linked directly from eBay. So this makes me >realize that there are a few things some of these targeted >websites/businesses can do to detect these scam sites much quicker. I >have made this suggestion to a few banking institutions in the past, and I >have no idea if anyone has actually decided to implement my ideas or not >-- but they seem pretty feasible. > >Since they are linking to the images hosted on the site they are cloning >-- the banking/e-commerce website could just rename their images on >their own webpage every so often (and update their webpages accordingly). >However, at the same time they should keep copies of the images with their >old names. Now they can check their logs to see what webpage(s) are >accessing these old image names. Chances are they will link directly back >to the hacked website purporting to be their page. This would allow for >quicker detection of this phishing and scam websites, providing a slight >leg up for sites trying to fight this. > >Just an idea -- let me know if anyone has any comments. > >Steven >steven@...ebug.org > > > -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Powered by blists - more mailing lists