Bridget ([personal profile] bugshaw) wrote 2008-10-21 10:41 am

Poisoning the Lake

I receive a lot of phishing scam emails through my cix account. I use a text-only reader, and hyperlinks are displayed in a different colour so they stand out. These emails typically include a lot of links to images and such on a bank's bona fide site, presumably to look legitimate to a spam filter and/or to keep the email small by not including the images as JPEGs.

Somewhere in the email is a link to the phishing domain, usually disguised so that in a browser it looks plausible at first glance, or so that you cannot see where the link leads at all. Like these examples:
<a href="http://phishers.com/www.realbank.co.uk/">https://plausible-looking-login-url.realbank.co.uk/</a>
<a href="http://phishers.com/realbankcustomers.php" target=_blank type=hidden>Restore Your Realbank Account Access</a>

Given the reliance on hotlinking to elements on real bank sites, would it be a useful measure for banks to adapt their images so that if displayed other than through one of their known sites it appears as a phishing warning message?

Yes, scammers would soon find a way around this but it might throw a light on the scope of the problem for a few days, especially to the less technically savvy/suspicious.
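The two anchors quoted above show the usual disguises: visible text that is itself a URL on the bank's domain while the href points elsewhere, and an href on a foreign domain that smuggles the bank's name into its path. As an added example (not from the post), here is a small auditor that pulls every anchor out of an HTML email body and classifies it by those two patterns; the email body, the phishing host phishers.com and the bank domain realbank.co.uk are all constructed placeholders taken from the post, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the bank's real registrable domain(s) and the brand token(s)
# a phisher is likely to stuff into a path or subdomain.
LEGIT_DOMAINS = {"realbank.co.uk"}
BRAND_TOKENS = {"realbank"}

# Constructed sample email body, modelled on the two anchors in the post
# plus the kind of hotlinked logo and policy link the post describes.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please visit
<a href="http://phishers.com/www.realbank.co.uk/">https://plausible-looking-login-url.realbank.co.uk/</a>
or <a href="http://phishers.com/realbankcustomers.php" target="_blank">Restore Your Realbank Account Access</a>.
<a href="https://www.realbank.co.uk/privacy">Privacy policy</a>
<img src="https://www.realbank.co.uk/images/logo.gif"></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_legit_host(host):
    """True if host is one of the bank's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_link(href, text):
    """Label one anchor: ok | text-href-mismatch | brand-in-path | offsite."""
    parsed = urlparse(href)
    href_host = (parsed.hostname or "").lower()
    if is_legit_host(href_host):
        return "ok"
    # Visible text that is itself a URL: compare its host with the real target.
    text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
    if text_host and text_host != href_host:
        return "text-href-mismatch"
    # Bank's name hidden in the path of a foreign host.
    if any(tok in parsed.path.lower() for tok in BRAND_TOKENS):
        return "brand-in-path"
    return "offsite"


def audit_links(html):
    """Return [(href, label)] for every anchor in the HTML."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, label in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{label:20s} {href}")
```

Only the anchors are inspected; the hotlinked <img> to the bank's own site is exactly the kind of element the post says phishers leave pointing at the genuine host, so it carries no signal on its own.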
[identity profile] ewx.livejournal.com 2008-10-21 10:14 am (UTC)
Err, don't the fake sites just have their own copies of the images?

[identity profile] bellinghman.livejournal.com 2008-10-21 10:38 am (UTC)
Probably they sometimes do. But the majority of the ones I see use the real site for as much as they possibly can - so link-throughs, images, anything except the single fraudulent link that they hope won't get noticed.

[identity profile] bugshaw.livejournal.com 2008-10-21 10:40 am (UTC)
Some phishes include the privacy policy link because they're having a laugh!

[identity profile] bugshaw.livejournal.com 2008-10-21 10:39 am (UTC)
Once you click through, I expect they do, but the HTML emails rely on links to the real site. Or is this the problem, that the bank couldn't tell whether a mail client accessing the image was doing so through an official bank communication or through a phishing email? Meh.
[identity profile] ewx.livejournal.com 2008-10-21 11:15 am (UTC)

Oh, I see. I tend not to see linked images in emails so that part of the question hadn't occurred to me.

Here's an example of the HTTP request my mailer makes when it does download embedded images:

GET http://www.apple.com/euro/enews/images/spacer.gif HTTP/1.1
Host: www.apple.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.14eol) Gecko/20080724 Thunderbird/1.5.0.14eol
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive

The only thing there that comes from the message is the image URL; a fraudster could just copy that and there'd be no way to tell what the content of the rest of the email was.

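The request quoted above is the whole of the bank's information when a mail client fetches an embedded image, and the comment's point is that nothing in it says which email embedded the link. As an added example (not from the post or any commenter), here is a referrer-gated image handler of the kind the original post proposes, run over three constructed requests: the mail-client request modelled on the one quoted above, a browser request from the bank's own site, and a browser request from a phishing page. The bank host www.realbank.co.uk, the phishing host phishers.com and the allowed-domain list are assumptions for the demo.

```python
from urllib.parse import urlparse

# Assumed: domains whose pages may legitimately embed the bank's images.
ALLOWED_REFERRER_DOMAINS = {"realbank.co.uk"}

# Constructed requests. The first is modelled on the Thunderbird request in
# the comment above: a mail client fetching an embedded image sends no Referer.
MAIL_CLIENT_REQUEST = b"\r\n".join([
    b"GET http://www.realbank.co.uk/images/logo.gif HTTP/1.1",
    b"Host: www.realbank.co.uk",
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20080724 Thunderbird/1.5.0.14eol",
    b"Accept: image/png,*/*;q=0.5",
    b"", b"",
])
BROWSER_ON_BANK_SITE = b"\r\n".join([
    b"GET /images/logo.gif HTTP/1.1",
    b"Host: www.realbank.co.uk",
    b"Referer: https://www.realbank.co.uk/login",
    b"", b"",
])
BROWSER_ON_PHISH_SITE = b"\r\n".join([
    b"GET /images/logo.gif HTTP/1.1",
    b"Host: www.realbank.co.uk",
    b"Referer: http://phishers.com/www.realbank.co.uk/",
    b"", b"",
])


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased; any body after the blank line is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def referrer_allowed(host):
    """True if the referring host is one of the bank's domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_REFERRER_DOMAINS)


def choose_image(headers):
    """Decide what to serve for a hotlinked image: ('normal'|'warning', reason).
    The no-Referer branch is the crux: a genuine bank mailshot and a phishing
    email produce byte-identical image requests, so the warning cannot be
    served there without also breaking the bank's own email."""
    referer = headers.get("referer")
    if referer is None:
        return "normal", "no-referer"
    host = (urlparse(referer).hostname or "").lower()
    if referrer_allowed(host):
        return "normal", "allowed-referer"
    return "warning", "foreign-referer"


def decide_all():
    """Run the three constructed requests through the gate: [(label, image, reason)]."""
    results = []
    for label, raw in [("mail client", MAIL_CLIENT_REQUEST),
                       ("browser on bank site", BROWSER_ON_BANK_SITE),
                       ("browser on phish site", BROWSER_ON_PHISH_SITE)]:
        _, _, headers = parse_request(raw)
        results.append((label,) + choose_image(headers))
    return results


if __name__ == "__main__":
    for label, image, reason in decide_all():
        print(f"{label:22s} -> serve {image:8s} ({reason})")
```

The gate only ever fires in the third case, after the victim has already followed the link and the phishing page itself hotlinks the bank's image; a phishing site that hosts its own copies, as the first reply suggests, never reaches the handler at all. The Referer signal is also unreliable in the browser: users and proxies can strip it, and a client is not expected to send it when moving from an HTTPS page to an HTTP image, so a missing header cannot be treated as suspicious on its own.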
[personal profile] fanf 2008-10-21 12:10 pm (UTC)
That is quite a good idea. However banks are HOPELESS at anti-phishing security. For example, their use of domain name branding so you don't know which domains are legit marketing exercises and which are fraudulent look-alikes. A recent real example of a bank using phishing techniques in legitimate email was <a href="www.barclayswealth.com">www.stockbrokers.barclays.co.uk</a>. So I don't have much confidence in them implementing useful security techniques.

[identity profile] del-c.livejournal.com 2008-10-21 01:14 pm (UTC)
And they're not thrilled by everyone knowing they're hopeless, which makes "throw a light on the scope of the problem for a few days" the last thing they want to do, if it isn't going to do anything else.

[identity profile] james-r.livejournal.com 2008-10-22 07:00 pm (UTC)
Surely rather than sending out a 'warning' image if a non-recognised referrer is used (which the fraudsters would just stop using banks' official websites for images straight away), it would be better to silently use that information to mark up the fraud probability warning on a given transaction initiated from that user (which they already do if they've half a clue).