Ask your users to report phishing websites

On Thu, Dec 13, 2012 at 4:25 PM, Brian Erdelyi <[email protected]> wrote:

> Thank you everyone.
>
> Once detected, there are many ways of dealing with a spoofed website such
> as contacting system owners, ISPs, publishing advisories and reporting URLs
> to various blacklists.
>
> I'm investigating options on how to be more proactive at detecting
> phishing websites.
>
> 1. Placing emails online in the hopes of it being harvested by an attacker
>    (phishing the phisher if you will)
> 2. Monitoring web server logs for attempts by an attacker to copy all the
>    data from our site
> 3. Monitoring web server logs for images that are retrieved with an HTTP
>    referrer of a URL different from what is expected
> 4. Google searches that look for something that would likely be copied by
>    a phisher to a spoofed website?
>
> I'm not saying these techniques are perfect or effective. Are there any
> other techniques you can think of (or sites that provide details on doing
> the above... Or provide tools to automate the above)? Anything more a web
> admin can do? Is there anything a developer of a web app can do to
> improve detection of phishing attempts? Is there any kind of configuration
> that can be done that prevents images from being referenced by a phishing
> website (or load different images)?
>
> Brian
>
> Sent from my iPad
>
> On Dec 12, 2012, at 11:27 PM, Bill Swearingen <[email protected]>
> wrote:
>
> I have found an email to the hosting company to be very successful,
> even in other countries.
> On Dec 12, 2012 7:14 PM, "allison nixon" <[email protected]> wrote:
>
>> As a web app developer, I'm not sure how your responsibilities would
>> apply to dealing with phishing sites. Are you maintaining a website and
>> people are creating phishing sites mimicking yours? If so, pls read the
>> following Wikipedia entry:
>> http://en.wikipedia.org/wiki/Backscatter_(email)
>>
>> Also, phishers typically dump people onto the real website after they
>> have fallen for the scam so it would be wise to locate some of the phishing
>> pages imitating your site, "falling" for the scam yourself, and looking at
>> the pattern of traffic that ends up going to your site. Other IPs with the
>> same pattern of traffic could have their accounts compromised. Finally,
>> once you've found the site, you could file DMCA complaints, and you would
>> have good standing to do so, but it probably wouldn't help you anyways.
>> Phishing websites are disposable. I have seen people attempt to fill in
>> the phishing site with lots and lots of garbage info to make the operation
>> unprofitable, as well as locating the caches of stolen credentials on the
>> server, but that begins to fall into a very grey area and you can make your
>> own decisions on the matter. You could also create fake accounts and enter
>> them into known phishing sites, and track the activity of any IP that
>> attempts to log into those accounts. Typically the attacker attempts to
>> log in with many usernames from its stolen credential cache, and you might
>> even want to lower your login security to allow for many different logins
>> from one IP, so they don't need to recycle IPs and are easier to track.
>>
>> Of course, do what makes sense for your situation.
>>
>> -Allison Nixon
>>
>> On Wed, Dec 12, 2012 at 1:25 PM, xgermx <[email protected]> wrote:
>>
>>> Check for encoded JavaScript/PHP, check any redirects, check for any 1x1
>>> iframes, etc.
>>> wget/curl scripting can really do a lot for you and if you want to roll
>>> up your scripting sleeves, you can leverage the VirusTotal API.
>>> https://www.virustotal.com/documentation/public-api
>>>
>>> On Wed, Dec 12, 2012 at 8:43 AM, Brian Erdelyi
>>> <[email protected]> wrote:
>>>
>>>> Good morning everyone,
>>>>
>>>> I'd like to create a guide and checklist for detecting phishing
>>>> attacks. I want to focus on server side. What can a website admin do to
>>>> detect phishing attacks and spoofed websites? What can a web app developer
>>>> do to make it easier to detect phishing attacks and spoofed websites?
>>>>
>>>> Brian
>>>>
>>>> Sent from my iPhone
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>
>> --
>> _________________________________
>> Note to self: Pillage BEFORE burning.

--
_________________________________
Note to self: Pillage BEFORE burning.
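
Item 3 in Brian's list (image requests whose Referer is not one of your own pages), sketched as an added example that is not part of the original thread. It assumes Apache/nginx combined-format access logs; the hostnames, the sample log lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the only hosts that legitimately embed our images (constructed names).
EXPECTED_HOSTS = {"www.example-bank.test", "example-bank.test"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def foreign_image_referers(lines, expected_hosts=EXPECTED_HOSTS):
    """Map each unexpected Referer host to the images, pages and client IPs seen."""
    hits = defaultdict(lambda: {"paths": set(), "pages": set(), "clients": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        path = urlsplit(m["path"]).path.lower()  # drop any query string
        referer = m["referer"]
        if not path.endswith(IMAGE_EXT) or referer in ("", "-"):
            continue  # not an image, or no Referer was sent
        host = (urlsplit(referer).hostname or "").lower()
        if not host or host in expected_hosts:
            continue
        hits[host]["paths"].add(path)
        hits[host]["pages"].add(referer)
        hits[host]["clients"].add(m["ip"])
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, .test hostnames).
_FMT = '{ip} - - [13/Dec/2012:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
SAMPLE_LOG = [_FMT.format(ip=i, path=p, ref=r) for i, p, r in [
    ("203.0.113.7", "/img/logo.png", "http://www.example-bank.test/login"),
    ("198.51.100.23", "/img/logo.png", "http://login-example-bank.test/secure/"),
    ("198.51.100.88", "/img/padlock.gif?v=2", "http://login-example-bank.test/secure/"),
    ("203.0.113.9", "/img/logo.png", "-"),
    ("203.0.113.9", "/account", "http://login-example-bank.test/secure/"),
]] + ["not a log line"]

if __name__ == "__main__":
    for host, info in foreign_image_referers(SAMPLE_LOG).items():
        print(host, sorted(info["pages"]), sorted(info["paths"]), sorted(info["clients"]))
```

Browsers that suppress the Referer header never appear in the result, so an empty report does not show that no copy of the site exists.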
