Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: How to detect phishing and spoofed websites
From: allison nixon <elsakoo () gmail com>
Date: Thu, 13 Dec 2012 20:39:45 -0500

Ask your users to report phishing websites

On Thu, Dec 13, 2012 at 4:25 PM, Brian Erdelyi <brian_erdelyi () yahoo com>wrote:

Thank you everyone.

Once detected, there are many ways of dealing with a spoofed website such
as contacting system owners, ISPs, publishing advisories and reporting URLs
to various blacklists.

I'm investigating options on how to be more proactive at detecting
phishing websites.

1. Placing emails online in the hopes of it being harvested by an attacker
(phishing the phisher if you will)
2. Monitoring web server logs for attempts by an attacker to copy all the
data from our site
3. Monitoring web server logs for images that are retrieved with an HTTP
referrer of a URL different from what is expected
4. Google searches that look for something that would likely be copied by
a phisher to a spoofed website?

I'm not saying these techniques are perfect or effective.  Are there any
other techniques you can think of (or sites that provide details on doing
the above... Or provide tools to automate the above)?  Anything more a web
admin can do?  Is there anything a developer of an web app can do to
improve detection of phishing attempts?  Is there any kind of configuration
can be done that prevents images from being referenced by a phishing
website (or load different images)?

Brian

Sent from my iPad

On Dec 12, 2012, at 11:27 PM, Bill Swearingen <hevnsnt () i-hacked com>
wrote:

I have found that an email to the hosting company to be very successful,
even in other countries.
On Dec 12, 2012 7:14 PM, "allison nixon" <elsakoo () gmail com> wrote:

As a web app developer, I'm not sure how your responsibilities would
apply to dealing with phishing sites.  Are you maintaining a website and
people are creating phishing sites mimicking yours?  If so, pls read the
following wikipedia entry:
http://en.wikipedia.org/wiki/Backscatter_(email)

also, phishers typically dump people onto the real website after they
have fallen for the scam so it would be wise to locate some of the phishing
pages imitating your site, "falling" for the scam yourself, and looking at
the pattern of traffic that ends up going to your site.  Other IPs with the
same pattern of traffic could have their accounts compromised.  Finally,
once you've found the site, you could file dmca complaints, and you would
have good standing to do so, but it probably wouldn't help you anyways.
 Phishing websites are disposable.  I have seen people attempt to fill in
the phishing site with lots and lots of garbage info to make the operation
unprofitable, as well as locating the caches of stolen credentials on the
server, but that begins to fall into a very grey area and you can make your
own decisions on the matter.  You could also create fake accounts and enter
them into known phishing sites, and track the activity of any IP that
attempts to log into those accounts.  Typically the attacker attempts to
log in with many usernames from its stolen credential cache, and you might
even want to lower your login security to allow for many different logins
from one IP, so they don't need to recycle IPs and are easier to track.

Of course, do what makes sense for your situation.

-Allison Nixon

On Wed, Dec 12, 2012 at 1:25 PM, xgermx <xgermx () gmail com> wrote:

Check for encoded javascript/php, check any redirects, check for any 1x1
iframes, etc
wget/curl scripting can really do a lot for you and if you want to roll
up your scripting sleeves, you can leverage the VirusTotal API.
https://www.virustotal.com/documentation/public-api


On Wed, Dec 12, 2012 at 8:43 AM, Brian Erdelyi <brian_erdelyi () yahoo com>wrote:

Good morning everyone,

I'd like to create a guide and checklist for detecting phishing
attacks.  I want to focus on server side.  What can a website admin do to
detect phishing attacks and spoofed websites?  What can a web app developer
do to make it easier to detect phishing attacks and spoofed websites?

Brian

Sent from my iPhone
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




--
_________________________________
Note to self: Pillage BEFORE burning.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
_________________________________
Note to self: Pillage BEFORE burning.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]