Re: Discovering and Stopping Phishing/Scam Attacks

From: Crispin Cowan (crispin_at_immunix.com)
Date: 04/27/05

    Date: Tue, 26 Apr 2005 15:59:30 -0700
    To: steven@lovebug.org
    
    

    I think that this will just force the phishers to host their own images.
    As such, this approach is not very interesting unless there actually is
    a problem for the phishers in hosting their own images. The phishers
    could even host their own images on virtual domains that are typo-alike
    to the legitimate domain name.

    For me personally, I would not notice the difference, as I already have
    my mail client configured to not load referenced images, because
    spammers already use hits on their hosted images as web bugs to detect
    working e-mails, and that just brings more spam down on your head. If
    you are loading images referenced in e-mails, you probably want to
    figure out how to turn that off.

    Crispin

    steven@lovebug.org wrote:

    >As we have all noticed, there has been an increase in the number of phishing/scam
    >attempts via e-mail that appear to be legitimate. Most of
    >these e-mails look identical to e-mails that would be sent by the
    >e-commerce or banking institute. They also frequently link to
    >fraudulent/hacked webservers that also appear very similar to the website
    >they are masquerading as.
    >
    >What I noticed quite some time ago is that most of these websites
    >and e-mails do not host their own images. From what I have seen, more
    >often than not, these e-mails and websites link directly to images hosted
    >by the legitimate website. For example, I just received an eBay scam
    >asking me to sign up to be a PowerSeller. The PowerSeller artwork, logos,
    >and other images are all linked directly from eBay. So this makes me
    >realize that there are a few things some of these targeted
    >websites/businesses can do to detect these scam sites much quicker. I
    >have made this suggestion to a few banking institutions in the past, and I
    >have no idea if anyone has actually decided to implement my ideas or not
    >-- but they seem pretty feasible.
    >
    >Since they are linking to the images hosted on the site they are cloning
    >-- the banking/e-commerce website could just rename their images on
    >their own webpage every so often (and update their webpages accordingly).
    >However, at the same time they should keep copies of the images with their
    >old names. Now they can check their logs to see what webpage(s) are
    >accessing these old image names. Chances are they will link directly back
    >to the hacked website purporting to be their page. This would allow for
    >quicker detection of these phishing and scam websites, providing a slight
    >leg up for sites trying to fight this.
    >
    >Just an idea -- let me know if anyone has any comments.
    >
    >Steven
    >steven@lovebug.org
    >
    >
    >

    -- 
    Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
    CTO, Immunix          http://immunix.com
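
Added example, not part of the original messages: a sketch of the log check Steven proposes, reporting pages on other hosts that still request image names the site has retired. The hostnames, retired image paths, "combined" log format and sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumptions, not from the thread: "combined" access-log format, the
# site's own hostnames, and the retired image names kept on disk.
OWN_HOSTS = {"www.bank.example", "bank.example"}
RETIRED_IMAGES = {"/img/logo_2005q1.gif", "/img/login_button_v3.gif"}

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (documentation addresses and hostnames).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2005:15:01:02 -0700] "GET /img/logo_2005q2.gif HTTP/1.1" 200 2048 "http://www.bank.example/login" "Mozilla/4.0"
198.51.100.4 - - [26/Apr/2005:15:02:10 -0700] "GET /img/logo_2005q1.gif HTTP/1.1" 200 2048 "http://192.0.2.55/~user/bank/login.html" "Mozilla/4.0"
198.51.100.9 - - [26/Apr/2005:15:03:44 -0700] "GET /img/logo_2005q1.gif HTTP/1.1" 200 2048 "http://192.0.2.55/~user/bank/login.html" "Mozilla/4.0"
198.51.100.12 - - [26/Apr/2005:15:04:01 -0700] "GET /img/login_button_v3.gif HTTP/1.1" 200 512 "http://www.bank.example/old-help.html" "Mozilla/4.0"
198.51.100.20 - - [26/Apr/2005:15:05:30 -0700] "GET /img/logo_2005q1.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

def suspicious_referers(lines):
    """Return (Counter of external referring pages, count with no Referer)
    for requests that hit a retired image name."""
    hits, no_referer = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or urlsplit(m["path"]).path not in RETIRED_IMAGES:
            continue
        ref = m["referer"]
        if ref in ("", "-"):
            no_referer += 1  # nothing to trace back to
            continue
        host = (urlsplit(ref).hostname or "").lower()
        if host and host not in OWN_HOSTS:
            hits[(host, ref)] += 1  # page elsewhere still embeds the old name
    return hits, no_referer

if __name__ == "__main__":
    hits, blind = suspicious_referers(SAMPLE_LOG.splitlines())
    for (host, page), n in hits.most_common():
        print(f"{n:3d}  {host}  {page}")
    print(f"{blind} retired-image request(s) carried no Referer")
```

Requests that arrive without a Referer cannot be traced to a page this way, and a clone that hosts its own copies of the images, as Crispin expects, never appears in these logs at all.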
    
