Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Phishing
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 13 May 2004 08:42:42 +0200

The other thing about using short URL's is that the path should preferably be short (and simple - i.e. no punctuation) as well, reducing the total amount of information that the user has to process. If you are directing users to a user-specific message, I guess that might complicate things (https://secure.bank.com/message?myhashedreference or https://secure.bank.com/message?email=discard () dawes za net) for example start to look quite messy again :-(

It might also be a thought to get useragents (MUA or browsers) to prompt when following links that have "passwords" in them:

"You have clicked a link to 'nefarious.fraud.net', with username 'secure.bank.com' and password '********'. Do you want to continue? Ask me next time (x)"

I guess this could be a password dialogue, with the username and password filled in, similar to the current basic auth password dialogs.

Just a thought, and one that would take a long time to take effect, if ever.


Griffiths, Ian wrote:

Some good ideas there Rogan.  I to feel educating users is a large part of this but how far can you go?  Consider this 
(ficticious) URL:
https://secure.bank.com:/logon/12345 () nefarious fraud net/ Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works, spotting this takes more than a passing exposure to knowledge of URL composition. Ian

-----Original Message----- From: Rogan Dawes [mailto:discard () dawes za net] Sent: Wed 12/05/2004 13:59 To: Griffiths, Ian Cc: Amit Sharma; webappsec () securityfocus com Subject: Phishing

        Make the site name as short as possible, and as obvious as possible, to
        reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com",
        try to use something short and simple like "secure.bank.com", and use it
        consistently for all servers supporting a particular application. That
        way there is less confusion for users, and less likelihood that a
        scammer will get away with using a slightly different domain name.

Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]