I know of some financial institutions that have done this (for I helped implement it) and it works quite well. They have proactively shut down phishing sites while they were still in "test mode".

byte_jump

On 4/26/05, steven@xxxxxxxxxxx <steven@xxxxxxxxxxx> wrote:
> As we have all noticed, there has been an increase in the number of
> phishing/scam attempts via e-mail that appear to be legitimate. Most of
> these e-mails look identical to e-mails that would be sent by the
> e-commerce or banking institute. They also frequently link to
> fraudulent/hacked webservers that also appear very similar to the website
> they are masquerading as.
>
> What I noticed quite some time ago is that most of these websites
> and e-mails do not host their own images. From what I have seen, more
> often than not, these e-mails and websites link directly to images hosted
> by the legitimate website. For example, I just received an eBay scam
> asking me to sign up to be a PowerSeller. The PowerSeller artwork, logos,
> and other images are all linked directly from eBay. So this makes me
> realize that there are a few things some of these targeted
> websites/businesses can do to detect these scam sites much quicker. I
> have made this suggestion to a few banking institutions in the past, and I
> have no idea if anyone has actually decided to implement my ideas or not
> -- but they seem pretty feasible.
>
> Since they are linking to the images hosted on the site they are cloning
> -- the banking/e-commerce website could just rename their images on
> their own webpage every so often (and update their webpages accordingly).
> However, at the same time they should keep copies of the images with their
> old names. Now they can check their logs to see what webpage(s) are
> accessing these old image names. Chances are they will link directly back
> to the hacked website purporting to be their page. This would allow for
> quicker detection of these phishing and scam websites, providing a slight
> leg up for sites trying to fight this.
>
> Just an idea -- let me know if anyone has any comments.
>
> Steven
> steven@xxxxxxxxxxx
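
The log check proposed in the quoted message, as an added example that is not part of the original thread: it scans web server access-log lines for requests to retired image names and groups them by the host of the referring page. The Apache/nginx "combined" log format, the hostnames, the image paths and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed values, not from the thread: our hostnames and the retired image
# names that are still served but no longer referenced by our own pages.
OWN_HOSTS = {"www.bank.example", "bank.example"}
RETIRED_IMAGES = {"/img/logo_2005q1.gif", "/img/login_btn_old.gif"}

# Apache/nginx "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def suspicious_referers(lines):
    """Return {referring host: set of referring URLs} for requests to
    retired image names that were not referred by one of our own pages."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        try:
            path = urlsplit(m["target"]).path
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:
            continue  # malformed URL in the request line or Referer header
        if path not in RETIRED_IMAGES:
            continue
        # No host means an empty or "-" Referer (stripped by the client or a
        # proxy), so there is no page to report; our own hosts are stale links.
        if not host or host in OWN_HOSTS:
            continue
        hits[host].add(m["referer"])
    return dict(hits)

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2005:10:01:02 -0400] "GET /img/logo_2005q1.gif HTTP/1.1" 200 2326 "http://198.51.100.23/~user/signin/index.html" "Mozilla/4.0"',
    '203.0.113.8 - - [26/Apr/2005:10:01:05 -0400] "GET /img/logo_2005q2.gif HTTP/1.1" 200 2400 "http://www.bank.example/login" "Mozilla/4.0"',
    '203.0.113.9 - - [26/Apr/2005:10:02:11 -0400] "GET /img/logo_2005q1.gif HTTP/1.1" 200 2326 "http://www.bank.example/old-news.html" "Mozilla/4.0"',
    '203.0.113.10 - - [26/Apr/2005:10:03:40 -0400] "GET /img/login_btn_old.gif HTTP/1.1" 200 811 "-" "Mozilla/4.0"',
    '203.0.113.11 - - [26/Apr/2005:10:04:19 -0400] "GET /img/login_btn_old.gif?v=1 HTTP/1.1" 200 811 "http://secure-update.example.net/verify.php" "Mozilla/4.0"',
    '203.0.113.12 - - [26/Apr/2005:10:05:53 -0400] "GET /img/login_btn_old.gif HTTP/1.1" 200 811 "http://198.51.100.23/~user/signin/confirm.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, pages in sorted(suspicious_referers(SAMPLE_LOG).items()):
        print(host, sorted(pages))
```

Requests with no Referer header cannot be attributed to a page, so this check only surfaces phishing pages that are viewed in a browser that sends the header.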