lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1119873381.2071.62.camel@grendel>
Date: Mon, 27 Jun 2005 07:56:21 -0400
From: Chris Brenton <cbrenton@...isbrenton.org>
To: bugtraq@...urityfocus.com
Subject: Phishing Solutions (was: Phishing - feature or flaw)


On Fri, 2005-06-24 at 18:38, Secure Science Corporation Bugtraq wrote:
>
> Are these really features, or are they flaws now because of the phishing 
> threat vector. Originally javascript/DHTML/DOM is pretty powerful and 
> can do a lot of nasty stuff if someone were inclined. But phishing has 
> caused us to take a look at the once dubbed features of DHTML, and 
> possibly put responsibility onto the browser vendors for fixing these 
> now dubbed "flaws".

Regarding fixes, I'm curious what people are doing to solve this
problem. Attacking it at the browser level is not exactly efficient,
especially if you have a large network.

Personally, I've been messing around with MailScanner and I'm pretty
impressed with its ability to detect and neutralize phishing attacks.
For example:

Jun 25 04:09:49 mail MailScanner[2158]:
/var/spool/MailScanner/incoming/2158/./j5P89ZEp006346/msg-2158-2.html:
HTML.Phishing.Pay-25 FOUND
Jun 25 07:47:18 mail MailScanner[2096]: Found ip-based phishing fraud
from 202.71.230.67 in j5PBlCed008230
Jun 25 09:54:45 mail MailScanner[8385]: Found phishing fraud from
mail.yahoo.com claiming to be www.yahoo.com in j5PDsaTH009054
Jun 25 14:13:38 mail MailScanner[10527]: Found phishing fraud from
webserver.osdepym.com.ar claiming to be www.paypal.com in j5PIDRkJ010804

Obviously the Yahoo entry is a false positive, but you can simply add it
to a white list to keep it from being flagged in the future. Once
detected, you can delete the e-mail, neutralize the URL and pass it
through with a warning banner, ignore it, or what ever you want. Pretty
cool stuff.

Just curious if others have run across similar solutions out there and
whether you think they are effective or not.

Cheers,
Chris




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ