
Re: [WEB SECURITY] Google Redirect URL actively used for Phishing



The old thread talks about using referers to block malicious users.
That's just not going to work, the malicious types can adapt too
easily.  The redirectors have a different problem to solve.  They want
to detect normal users who are falling victim to phishing scams.  The
redirecting site can afford false negatives, where they occasionally
fail to detect a phishing redirect.  So long as they weed out some
significant portion of the phishing links, they can declare victory.
But they can't afford false positives - if they start detecting
legitimate redirects as phishing redirects, that will cost them time
and money.

I haven't really looked into whether referers are reliable enough to
give a very low false positive rate with an acceptable false negative
rate.  People still use referers to prevent image leeching, which
seems to be a very similar application.

I guess if referers are really too unreliable, they'd have to go for a
white list of acceptable destinations or a black list of phishing
sites.  The black list will be less effective, but might be easier to
maintain.

Regards,
Brian

On 8/22/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:

Doesn't work. Check out this old thread where we already discussed this: http://seclists.org/webappsec/2005/q1/0417.html

Plus there are plugins like WebDeveloper in Firefox that optionally turn
it off too now.  In my experience, referrer is the second most
spoofed/removed header, right after user agent.

-RSnake
http://ha.ckers.org/

On Tue, 22 Aug 2006, Evert | Rooftop wrote:

> Just a side note,
>
> but wouldn't it be better if for example google did a check of the Referer:
> http header and only redirect if this is correct (and perhaps show a page
> instead if it isn't with a link and explanation)
>
> Evert
>
>
> Brian Eaton wrote:
>> On 8/22/06, Collin Jackson <collinj@xxxxxxxxxxxxxxx> wrote:
>>> This is not new. I've seen phishing sites using this technique for over a
>>> year.
>>
>> I'd like to take a careful look at when new phishing techniques
>> appear, and how long they persist.  Techniques that don't succeed in
>> fooling users will probably go away.  Techniques that tip off spam
>> filters will probably go away.  Techniques that turn out to be
>> effective will persist, at least until somebody figures out how to
>> block those techniques.  Oddly enough, using proper spelling doesn't
>> appear to be a requirement for a phishing e-mail to be successful,
>> since the phishing gangs still haven't started using spell checkers.
>> I'm waiting to see whether that citibusiness web site with the
>> two-factor auth gets phished again.  Maybe 2FA made that phishing run
>> uneconomical?
>>
>> If bouncing redirects through trusted domain names has been going on
>> for over a year, it must be a useful technique to fool people into
>> clicking on links.  Maybe it's time for those well-known domains to
>> step up and remove those redirectors?
>>
>> Regards,
>> Brian
>>
>>
>> ----------------------------------------------------------------------------
>> The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
>>
>> The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>
>

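The decision logic Brian sketches above (a whitelist of acceptable destinations, a blacklist of known phishing hosts, and a Referer check that must not produce false positives on legitimate users) combined with Evert's idea of showing a page with the link and an explanation instead of redirecting, as an added example that is not from this thread or from any of the redirectors discussed. All host names, lists and sample requests are constructed placeholders:

```python
from urllib.parse import urlsplit

# Constructed policy for a hypothetical redirector at redirector.example.
# None of these names come from the thread; they are placeholders.
REDIRECTOR_HOSTS = {"redirector.example", "www.redirector.example"}
ALLOWED_DESTINATIONS = {"docs.example", "partner.example"}   # the "white list"
BLOCKED_DESTINATIONS = {"phish.example"}                     # the "black list"


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_host(url):
    """Return the lower-cased host of an absolute http(s) URL, or None.

    None covers everything a redirector should not forward to blindly:
    empty or missing values, non-http schemes, and scheme-relative
    "//host" forms. Userinfo ("good@evil") and ports are stripped by
    urlsplit(...).hostname, so the host the browser would contact is used.
    """
    if not url:
        return None
    # Browsers treat a backslash in the authority like a slash, so normalise
    # before parsing; otherwise "https://evil\@good" parses with host "good".
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname or None


def classify(target, referer):
    """Decide what the redirect endpoint should do with one request.

    Returns "redirect" (send the user on), "interstitial" (show a page with
    the link and an explanation) or "block".
    """
    dest = parse_host(target)
    if dest is None or host_matches(dest, BLOCKED_DESTINATIONS):
        return "block"
    if host_matches(dest, ALLOWED_DESTINATIONS):
        return "redirect"            # known-good destination: no Referer needed
    # Unknown destination: the Referer is used only as a positive signal. A
    # Referer from our own pages means the user clicked one of our links, so
    # forward them. A missing or foreign Referer is NOT treated as hostile,
    # because many clients strip or alter the header; blocking on it would be
    # a false positive on legitimate users, so they get an interstitial.
    ref = parse_host(referer)
    if ref is not None and host_matches(ref, REDIRECTOR_HOSTS):
        return "redirect"
    return "interstitial"


# Constructed sample requests: (target parameter, Referer header or None).
SAMPLE_REQUESTS = [
    ("https://docs.example/guide", None),
    ("https://sub.partner.example/x", "https://someone.example/"),
    ("https://unknown.example/", "https://www.redirector.example/results"),
    ("https://unknown.example/", None),
    ("https://docs.example@phish.example/login", "https://www.redirector.example/"),
    ("https://phish.example\\@docs.example/", None),
    ("//phish.example/", "https://www.redirector.example/"),
    ("javascript:alert(1)", "https://www.redirector.example/"),
]

if __name__ == "__main__":
    for target, referer in SAMPLE_REQUESTS:
        print(f"{classify(target, referer):12} {target!r:48} referer={referer!r}")
```

The ordering matters: the blacklist is checked before the whitelist so that a userinfo trick such as `https://docs.example@phish.example/` (whose real host is `phish.example`) is caught even though the string starts with an allowed name, and the Referer is consulted last and only in the user's favour, which keeps the false-positive rate at the level Brian says the redirector can actually afford.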





Brought to you by http://www.webappsec.org