lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 27 Apr 2005 10:37:10 -0400
From: "Scovetta, Michael V" <Michael.Scovetta@...com>
To: <incidents@...urityfocus.com>, <bugtraq@...urityfocus.com>
Subject: RE: Discovering and Stopping Phishing/Scam Attacks


Steven,
  Actually, it's even easier than that. They can simply redirect the
user to a junk image when the HTTP "referer" isn't a local site. This of
course doesn't prevent users from grabbing a particular image, but I
don't think there's a way to have a user viewing site X to automatically
send a referer header other than X.

Slightly more intensive would be to create sessions when users hit the
site the first time, and then check for a valid session when requesting
images.


I don't think this would slow them down for more than a week or so--
they **could** just copy the images to their site if they wanted to.

M

--
Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: steven@...ebug.org [mailto:steven@...ebug.org] 
Sent: Tuesday, April 26, 2005 3:59 PM
To: incidents@...urityfocus.com; bugtraq@...urityfocus.com
Subject: Discovering and Stopping Phishing/Scam Attacks

As we have all noticed, there has increase in the number of
phishing/scam
attempts via e-mail that appear to be legitimate.  Most of
these e-mails look identical to e-mails that would be sent by the
e-commerce or banking institute.  They also frequently link to
fraudulent/hacked webservers that also appear very similar to the
website
they are masquerading as.

I noticed quite some time ago is that most of these websites
and e-mails do not host their own images.  From what I have seen, more
often than not, these e-mails and websites link directly to images
hosted
by the legitimate website.  For example, I just received an eBay scam
asking me to signup to be a PowerSeller.  The PowerSeller artwork,
logos,
and other images are all linked directly from eBay.  So this makes me
realize that there are a few things some of these targeted
websites/businesses can do to detect these scam sites much quicker.  I
have made this suggestion to a few banking institutions in the past, and
I
have no idea if anyone has actually decided to implement my ideas or not
-- but they seem pretty feasible.

Since they are linking to the images hosted on the site they are cloning
-- the banking/e-commerce website could just rename their images on
their own webpage every so often (and update their webpages
accordingly). 
However, at the same time they should keep copies of the images with
their
old names.  Now they can check their logs to see what webpage(s) are
accessing these old image names.  Chances are they will link directly
back
to the hacked website purporting to be their page.  This would allow for
quicker detection of this phishing and scam websites, providing a slight
leg up for sites trying to fight this.

Just an idea -- let me know if anyone has any comments.

Steven
steven@...ebug.org




--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ