posted by [personal profile] bugshaw at 10:41am on 21/10/2008
I receive a lot of phishing scam emails through my cix account. I use a text-only reader, and hyperlinks are displayed in a different colour so they stand out. These emails typically include a lot of links to images and such on a bank's bona fide site, presumably to add an air of legitimacy to a spam filter and/or to keep the email small by not including the images as jpgs.

Somewhere in the email is a link to the phishing domain, usually hidden beneath something that looks initially plausible in a browser or so that you cannot see where the link leads. Like these examples:
<a href="http://phishers.com/www.realbank.co.uk/">https://plausible-looking-login-url.realbank.co.uk/</a>
<a href="http://phishers.com/realbankcustomers.php" target=_blank type=hidden>Restore Your Realbank Account Access</a>

Given the reliance on hotlinking to elements on real bank sites, would it be a useful measure for banks to adapt their images so that if displayed other than through one of their known sites it appears as a phishing warning message?

Yes, scammers would soon find a way around this but it might throw a light on the scope of the problem for a few days, especially to the less technically savvy/suspicious.
posted by [identity profile] ewx.livejournal.com at 10:14am on 21/10/2008
Err, don't the fake sites just have their own copies of the images?
 
posted by [identity profile] bellinghman.livejournal.com at 10:38am on 21/10/2008
Probably they sometimes do. But the majority of the ones I see use the real site for as much as they possibly can - so link-throughs, images, anything except the single fraudulent link that they hope won't get noticed.
 
posted by [identity profile] bugshaw.livejournal.com at 10:40am on 21/10/2008
Some phishes include the privacy policy link because they're having a laugh!
 
posted by [identity profile] bugshaw.livejournal.com at 10:39am on 21/10/2008
Once you click through, I expect they do, but the HTML emails rely on links to the real site. Or is this the problem, that the bank couldn't tell whether a mail client accessing the image was doing so through an official bank communication or through a phishing email? Meh.
posted by [identity profile] ewx.livejournal.com at 11:15am on 21/10/2008

Oh, I see. I tend not to see linked images in emails so that part of the question hadn't occurred to me.

Here's an example of the HTTP request my mailer makes when it does download embedded images:

GET http://www.apple.com/euro/enews/images/spacer.gif HTTP/1.1
Host: www.apple.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.14eol) Gecko/20080724 Thunderbird/1.5.0.14eol
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive

The only thing there that comes from the message is the image URL; a fraudster could just copy that and there'd be no way to tell what the content of the rest of the email was.

posted by [personal profile] fanf at 12:10pm on 21/10/2008
That is quite a good idea. However banks are HOPELESS at anti-phishing security. For example, their use of domain name branding so you don't know which domains are legit marketing exercises and which are fraudulent look-alikes. A recent real example of a bank using phishing techniques in legitimate email was <a href="www.barclayswealth.com">www.stockbrokers.barclays.co.uk</a>. So I don't have much confidence in them implementing useful security techniques.
 
posted by [identity profile] del-c.livejournal.com at 01:14pm on 21/10/2008
And they're not thrilled by everyone knowing they're hopeless, which makes "throw a light on the scope of the problem for a few days" the last thing they want to do, if it isn't going to do anything else.
 
posted by [identity profile] james-r.livejournal.com at 07:00pm on 22/10/2008
Surely rather than sending out a 'warning' image if a non-recognised referrer is used (which the fraudsters would just stop using banks' official websites for images straight away), it would be better to silently use that information to mark up the fraud probability warning on a given transaction initiated from that user (which they already do if they've half a clue).
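A sketch of the referrer check discussed in the original post and in james-r's comment, added here as an example and not code from this thread or from any bank: the image handler decides between the real asset and a warning asset from the Referer host, records unknown referrers for fraud scoring instead of relying on the warning alone, and treats a missing Referer (the mail-client case ewx's captured request shows) as undecidable. KNOWN_HOSTS and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the bank serves its own pages from.
# Subdomains of each entry are also accepted.
KNOWN_HOSTS = ("realbank.co.uk", "www.realbank.co.uk")


def referrer_host(headers):
    """Return the lowercase host of the Referer header, or None if absent or unparseable."""
    ref = headers.get("Referer") or headers.get("referer")
    if not ref:
        return None
    host = urlsplit(ref).hostname
    return host.lower() if host else None


def is_known_host(host):
    """Exact or subdomain match against KNOWN_HOSTS.

    Deliberately not a substring match: the thread's example
    http://phishers.com/www.realbank.co.uk/ contains the bank's name in its
    path, and realbank.co.uk.phishers.com contains it in its host, yet
    neither is a bank page.
    """
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def choose_image(headers, client_ip="0.0.0.0"):
    """Decide which asset to serve for an image request and what to record.

    Returns (asset, record): asset is "real" or "warning"; record is None or a
    dict for the fraud-scoring log, so the signal is kept even if policy
    decides never to swap in the warning image.
    """
    host = referrer_host(headers)
    if host is None:
        # No Referer: typical of mail clients fetching embedded images and of
        # privacy-conscious browsers. The bank cannot tell a genuine mailing
        # from a phish here, so the real image is served and nothing is logged.
        return "real", None
    if is_known_host(host):
        return "real", None
    # A page outside the bank's own sites is embedding this image: log it for
    # fraud scoring; whether to also serve the warning asset is policy.
    return "warning", {"referrer_host": host, "client_ip": client_ip}
```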
