Re: [WEB SECURITY] Google Redirect URL actively used for Phishing

[Evert | Rooftop <evert@xxxxxxxxxxxxxxxxxxx>]

I guess in the case of no referer at all you could have the informative 
fallback, telling you where it would link to...

or.. if you would only check for 'incorrect' referers, you could at 
least prevent attacks for people who are using webmail..

And spoofing.. wouldn't that be only possible in combination with a 
different attack?

Evert

RSnake wrote:
> Doesn't work.  Check out this old thread where we already discussed
> this:  http://seclists.org/webappsec/2005/q1/0417.html
>
> Plus there are plugins like WebDeveloper in Firefox that optionally turn
> it off too now.  In my experience, referrer is the second most
> spoofed/removed header, right after user agent.
>
> -RSnake
> http://ha.ckers.org/
>
> On Tue, 22 Aug 2006, Evert | Rooftop wrote:
>
> > Just a side note,
> >
> > but wouldn't it be better if for example google did a check of the 
> > Referer: http header and only redirect if this is correct (and 
> > perhaps show a page instead if it isn't with a link and explanation)
> >
> > Evert
> >
> >
> > Brian Eaton wrote:
> > > On 8/22/06, Collin Jackson <collinj@xxxxxxxxxxxxxxx> wrote:
> > > > This is not new. I've seen phishing sites using this technique for 
> > > > over a year.
> > >
> > > I'd like to take a careful look at when new phishing techniques
> > > appear, and how long they persist.  Techniques that don't succeed in
> > > fooling users will probably go away.  Techniques that tip off spam
> > > filters will probably go away.  Techniques that turn out to be
> > > effective will persist, at least until somebody figures out how to
> > > block those techniques.  Oddly enough, using proper spelling doesn't
> > > appear to be a requirement for a phishing e-mail to be successful,
> > > since the phishing gangs still haven't started using spell checkers.
> > > I'm waiting to see whether that citibusiness web site with the
> > > two-factor auth gets phished again.  Maybe 2FA made that phishing run
> > > uneconomical?
> > >
> > > If bouncing redirects through trusted domain names has been going on
> > > for over a year, it must be a useful technique to fool people into
> > > clicking on links.  Maybe it's time for those well-known domains to
> > > step up and remove those redirectors?
> > >
> > > Regards,
> > > Brian
> > >
> > >
> > > ---------------------------------------------------------------------------- 
> > > The Web Security Mailing List: 
> > > http://www.webappsec.org/lists/websecurity/
> > >
> > > The Web Security Mailing List Archives: 
> > > http://www.webappsec.org/lists/websecurity/archive/
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> >
> > ---------------------------------------------------------------------------- 
> >
> > The Web Security Mailing List: 
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives: 
> > http://www.webappsec.org/lists/websecurity/archive/
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> ---------------------------------------------------------------------------- 
>
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


--
www.rooftopsolutions.nl


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]