RE: Discovering and Stopping Phishing/Scam Attacks

From: Calder, James (EXP) (james.calder_at_lmco.com)
Date: 04/27/05

  • Next message: Florian Weimer: "Re: Netcraft Phishing Pheed"
    Date: Wed, 27 Apr 2005 11:45:02 -0400
    To: Krul Thomas <Thomas.Krul@psepc-sppcc.gc.ca>, Alex <incidents@alex.gotdns.org>, incidents@securityfocus.com
    
    

    Notice that the images on that site are actually hosted locally, rather
    than being pulled from rbc.com.

    And as I was refreshing the page to compare it to rbc.com, the page
    disappeared, 404 FNF.

    That didn't take long.

    J.

    -----Original Message-----
    From: Krul Thomas [mailto:Thomas.Krul@psepc-sppcc.gc.ca]
    Sent: April 27, 2005 10:31 AM
    To: 'Alex'; incidents@securityfocus.com
    Subject: RE: Discovering and Stopping Phishing/Scam Attacks

    I received a phishing scam email for RBC Bank literally moments ago. The
    Web site is based in the Czech Republic with very little in the way to
    disguise the address of the site. (At last check, the site was still up
    at:
    http://updatestatus.webz.cz/rbc/cgi-bin/rbaccess/login.html)

    Odd, either there are some newbie phishers out there, or they are
    starting to realise that no matter how much they disguise their sites
    someone will be having them shut down soon enough so catching the
    uninformed in the few moments they have is paramount. Will we be seeing
    an increase in the diversity of referring addresses in a flooding
    attempt to catch the last remaining moms and pops who don't know better
    versus well-crafted addresses that don't arouse suspicions?

    -----Original Message-----
    From: Alex [mailto:incidents@alex.gotdns.org]
    Sent: Tuesday, April 26, 2005 7:51 PM
    To: incidents@securityfocus.com
    Subject: Re: Discovering and Stopping Phishing/Scam Attacks

    I agree that checking by referer addresses is a powerful way to detect
    phishing sites, but such logs can easily be adverted?

    Doesn't some anti-popup software remove referer fields?

    Simple use of javascript can allow a page to fetch anything without
    showing
    up in referer logs.

    While we are on the subject, has anyone come across commercial and/or
    government websites being (illegally?) mirrored?

    For example, I recently came a website located on a (Asian?) hosting
    provider where the content of the website was EXACTLY that of a
    well-known
    US govt website. (It appeared that they ran the equivalent of a
    recursive
    "wget" on the real site and hosted the files). It appeared to be
    several
    layers deep.

    Why would anyone want to do that?

    -Alex

    ------------------------------------------------------------------------

    --
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
    --
    ------------------------------------------------------------------------
    --
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
    --
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Florian Weimer: "Re: Netcraft Phishing Pheed"