Thank you everyone. Once detected, there are many ways of dealing with a spoofed website such as contacting system owners, ISPs, publishing advisories and reporting URLs to various blacklists.
I'm investigating options on how to be more proactive at detecting phishing websites.

1. Placing emails online in the hopes of them being harvested by an attacker (phishing the phisher if you will)
2. Monitoring web server logs for attempts by an attacker to copy all the data from our site
3. Monitoring web server logs for images that are retrieved with an HTTP referrer of a URL different from what is expected
4. Google searches that look for something that would likely be copied by a phisher to a spoofed website?

I'm not saying these techniques are perfect or effective. Are there any other techniques you can think of (or sites that provide details on doing the above... Or provide tools to automate the above)? Anything more a web admin can do? Is there anything a developer of a web app can do to improve detection of phishing attempts? Is there any kind of configuration that can be done that prevents images from being referenced by a phishing website (or load different images)?

Brian

Sent from my iPad

On Dec 12, 2012, at 11:27 PM, Bill Swearingen <[email protected]> wrote:

> I have found an email to the hosting company to be very successful, even
> in other countries.
>
> On Dec 12, 2012 7:14 PM, "allison nixon" <[email protected]> wrote:
>> As a web app developer, I'm not sure how your responsibilities would apply
>> to dealing with phishing sites. Are you maintaining a website and people
>> are creating phishing sites mimicking yours? If so, pls read the following
>> Wikipedia entry:
>> http://en.wikipedia.org/wiki/Backscatter_(email)
>>
>> Also, phishers typically dump people onto the real website after they have
>> fallen for the scam so it would be wise to locate some of the phishing pages
>> imitating your site, "falling" for the scam yourself, and looking at the
>> pattern of traffic that ends up going to your site. Other IPs with the same
>> pattern of traffic could have their accounts compromised.
>> Finally, once you've found the site, you could file DMCA complaints, and
>> you would have good standing to do so, but it probably wouldn't help you
>> anyways. Phishing websites are disposable. I have seen people attempt to
>> fill in the phishing site with lots and lots of garbage info to make the
>> operation unprofitable, as well as locating the caches of stolen
>> credentials on the server, but that begins to fall into a very grey area
>> and you can make your own decisions on the matter. You could also create
>> fake accounts and enter them into known phishing sites, and track the
>> activity of any IP that attempts to log into those accounts. Typically the
>> attacker attempts to log in with many usernames from its stolen credential
>> cache, and you might even want to lower your login security to allow for
>> many different logins from one IP, so they don't need to recycle IPs and
>> are easier to track.
>>
>> Of course, do what makes sense for your situation.
>>
>> -Allison Nixon
>>
>> On Wed, Dec 12, 2012 at 1:25 PM, xgermx <[email protected]> wrote:
>>> Check for encoded javascript/php, check any redirects, check for any 1x1
>>> iframes, etc
>>> wget/curl scripting can really do a lot for you and if you want to roll up
>>> your scripting sleeves, you can leverage the VirusTotal API.
>>> https://www.virustotal.com/documentation/public-api
>>>
>>>
>>> On Wed, Dec 12, 2012 at 8:43 AM, Brian Erdelyi <[email protected]>
>>> wrote:
>>>> Good morning everyone,
>>>>
>>>> I'd like to create a guide and checklist for detecting phishing attacks.
>>>> I want to focus on server side. What can a website admin do to detect
>>>> phishing attacks and spoofed websites? What can a web app developer do to
>>>> make it easier to detect phishing attacks and spoofed websites?
>>>>
>>>> Brian
>>>>
>>>> Sent from my iPhone
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>
>> --
>> _________________________________
>> Note to self: Pillage BEFORE burning.
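An added example, not part of the original thread: one way to do the referrer check from item 3 of the list above over "combined"-format access logs. The allow-listed hosts, image extensions and log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts that legitimately embed our images (assumed values for this example).
EXPECTED_HOSTS = {"www.example.com", "example.com"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")

# Apache/nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2012:09:01:11 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://www.example.com/login" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2012:09:02:40 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "http://secure-example.test/login.php" "Mozilla/5.0"
203.0.113.44 - - [12/Dec/2012:09:03:02 +0000] "GET /img/padlock.gif HTTP/1.1" 200 812 "http://secure-example.test/login.php" "Mozilla/5.0"
198.51.100.23 - - [12/Dec/2012:09:04:15 +0000] "GET /img/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def unexpected_image_referers(log_text, expected_hosts=EXPECTED_HOSTS):
    """Map each foreign referer URL to hit count, client IPs and image paths."""
    findings = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = urlsplit(m["path"]).path.lower()
        if not path.endswith(IMAGE_EXT):
            continue
        referer = m["referer"]
        host = (urlsplit(referer).hostname or "").lower()
        # An empty or "-" referer is normal (privacy settings, direct loads),
        # so only referers naming a host outside the allow-list are reported.
        if not host or host in expected_hosts:
            continue
        entry = findings[referer]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])      # visitors who loaded the foreign page
        entry["paths"].add(path)       # which of our images it embeds
    return dict(findings)
```

Each reported referer is a page on another host that pulls images from the real site; the client IPs are the visitors who loaded that page.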
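An added example, not part of the original thread: the decoy-account tracking described in Allison Nixon's reply, run over login events. The decoy usernames, the event tuple layout and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Decoy usernames that exist only to be typed into phishing pages
# (hypothetical names; no real user should ever log in as them).
DECOY_ACCOUNTS = {"jsmith.canary", "mlee.canary"}

# Constructed login events: (timestamp, source IP, username, succeeded).
SAMPLE_EVENTS = [
    ("2012-12-12T09:59:00", "203.0.113.50", "erin", True),
    ("2012-12-12T10:00:01", "203.0.113.50", "jsmith.canary", True),
    ("2012-12-12T10:00:09", "203.0.113.50", "alice", True),
    ("2012-12-12T10:00:15", "203.0.113.50", "bob", False),
    ("2012-12-12T10:02:30", "198.51.100.8", "carol", True),
    ("2012-12-12T10:05:00", "203.0.113.77", "mlee.canary", False),
    ("2012-12-12T10:05:12", "203.0.113.77", "dave", True),
]

def accounts_touched_by_decoy_ips(events, decoys=DECOY_ACCOUNTS):
    """Return {ip: {"logged_in": set, "failed": set}} for IPs that used a decoy."""
    # Pass 1: any IP that tries a decoy login, successful or not, is using
    # credentials that were only ever entered into a phishing page.
    tainted = {ip for _, ip, user, _ in events if user in decoys}
    # Pass 2: list every real account those IPs tried, including attempts
    # made before the decoy login appeared in the log.
    report = defaultdict(lambda: {"logged_in": set(), "failed": set()})
    for _, ip, user, ok in events:
        if ip in tainted and user not in decoys:
            report[ip]["logged_in" if ok else "failed"].add(user)
    return dict(report)

if __name__ == "__main__":
    for ip, hits in sorted(accounts_touched_by_decoy_ips(SAMPLE_EVENTS).items()):
        print(ip, "logged in:", sorted(hits["logged_in"]),
              "failed:", sorted(hits["failed"]))
```

Accounts under "logged_in" are the ones to treat as compromised first; "failed" names were likely phished with a mistyped or since-changed password.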
