[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1119873381.2071.62.camel@grendel>
Date: Mon, 27 Jun 2005 07:56:21 -0400
From: Chris Brenton <cbrenton@...isbrenton.org>
To: bugtraq@...urityfocus.com
Subject: Phishing Solutions (was: Phishing - feature or flaw)
On Fri, 2005-06-24 at 18:38, Secure Science Corporation Bugtraq wrote:
>
> Are these really features, or are they flaws now because of the phishing
> threat vector. Originally javascript/DHTML/DOM is pretty powerful and
> can do a lot of nasty stuff if someone were inclined. But phishing has
> caused us to take a look at the once dubbed features of DHTML, and
> possibly put responsibility onto the browser vendors for fixing these
> now dubbed "flaws".
Regarding fixes, I'm curious what people are doing to solve this
problem. Attacking it at the browser level is not exactly efficient,
especially if you have a large network.
Personally, I've been messing around with MailScanner and I'm pretty
impressed with its ability to detect and neutralize phishing attacks.
For example:
Jun 25 04:09:49 mail MailScanner[2158]:
/var/spool/MailScanner/incoming/2158/./j5P89ZEp006346/msg-2158-2.html:
HTML.Phishing.Pay-25 FOUND
Jun 25 07:47:18 mail MailScanner[2096]: Found ip-based phishing fraud
from 202.71.230.67 in j5PBlCed008230
Jun 25 09:54:45 mail MailScanner[8385]: Found phishing fraud from
mail.yahoo.com claiming to be www.yahoo.com in j5PDsaTH009054
Jun 25 14:13:38 mail MailScanner[10527]: Found phishing fraud from
webserver.osdepym.com.ar claiming to be www.paypal.com in j5PIDRkJ010804
Obviously the Yahoo entry is a false positive, but you can simply add it
to a white list to keep it from being flagged in the future. Once
detected, you can delete the e-mail, neutralize the URL and pass it
through with a warning banner, ignore it, or what ever you want. Pretty
cool stuff.
Just curious if others have run across similar solutions out there and
whether you think they are effective or not.
Cheers,
Chris
Powered by blists - more mailing lists