mailing list archives
Re: Re: [HV-PAPER] Anti-Phishing Tips You Should NotFollow
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sun, 02 Apr 2006 11:01:55 +1200
Dave Korn to Jasper Bryant-Greene:
Phishing scams are public in nature. They aren't trying to avoid
detection :) ...
Actually, that depends on the scam.
Some phishers go to elaborate lengths to hide the real location of
their phishing sites, using fast-changing DNS entries with multiple
host (A) records for their bogus domains, quickly rotating the domain
through sizable chunks of widely distributed IP address space across
their vast botnets. The bots at the business end of these setups act
as HTTP proxies to the "real" phishing site, but are incredibly
difficult to "catch in the act" and analyse (and doing so requires a
level of inter-ISP, etc cooperation you're unlikely to find in
Why they go to that much trouble unless they are trying to avoid
detection of the real scam site's location I cannot imagine.
... and the IP address would of course be spoofed.
No it wouldn't. IP address spoofing is easy over UDP but incredibly
difficult over TCP.
BUT, it can be "practically" implemented -- i.e. the same end result
(the phisher's real location remaining unknown) can be achieved with
readily available means...
There's nothing to prevent a phishmonger who is running a botnet much
like that described above to also distribute the "check the supplied
login credentials" effort across the botnet, rate-limiting the requests
to a specific target banking site from each bot to "a few per hour",
such that each bot might look, to any traffic or other pattern
monitoring at the banking site, much like an "Internet cafe" or other
similar public access node. And don't forget that, unlike the actual
spamming of such phishing schemes, the total traffic involved here
would be quite small anyway, as normally only a very small proportion
of the phishing scam recipients will actually get as far as visiting
the phish site _and then_ entering login data (in fact, this response
rate is probably so low that the checking could be done by the bot
proxying the current victim's HTTP traffic to the real scam site).
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Re: Re: [HV-PAPER] Anti-Phishing Tips You Should NotFollow Nick FitzGerald (Apr 01)