Re: [WEB SECURITY] Google Redirect URL actively used for Phishing
- From: RSnake <rsnake@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Google Redirect URL actively used for Phishing
- Date: Wed, 23 Aug 2006 09:41:32 -0700 (PDT)
Yes, interrupting the flow is an option (requiring a user to interact
with the website) but it doesn't really solve your problem in a way
unless your messaging says "We don't trust the link you're about to
click on" or some otherwise scary wording, because if they saw the link
and it said Google, clearly they are already trusting that the link is
safe, so Google would have to tell them otherwise to add any additional
protection.
Incorrect referrers wouldn't work in Firefox in the case where someone
inputs:
<A HREF="http://rsnake/">rsnake</A>
Which uses the "I'm Feeling Lucky" function in Google (redirection). Or
you'd be alerting people in situations that don't matter anyway.
And lastly, no, that was a side comment about the two most
spoofed/removed HTTP headers and the comment was in regards to user
agents. Spoofing User Agents requires no attack to be a false
positive. People often mask or spoof user agents.
https://addons.mozilla.org/firefox/59/ (Nearly half a million downloads
of this tool alone)
On Tue, 22 Aug 2006, Evert | Rooftop wrote:
I guess in the case of no referer at all you could have the informative
fallback, telling you where it would link to...
or.. if you would only check for 'incorrect' referers, you could at least
prevent attacks for people who are using webmail..
And spoofing.. wouldn't that be only possible in combination with a different
attack?
Evert
RSnake wrote:
Doesn't work. Check out this old thread where we already discussed
this: http://seclists.org/webappsec/2005/q1/0417.html
Plus there are plugins like WebDeveloper in Firefox that optionally turn
it off too now. In my experience, referrer is the second most
spoofed/removed header, right after user agent.
-RSnake
http://ha.ckers.org/
On Tue, 22 Aug 2006, Evert | Rooftop wrote:
Just a side note,
but wouldn't it be better if, for example, Google did a check of the
Referer: HTTP header and only redirected if this is correct (and perhaps
showed a page instead if it isn't, with a link and explanation)?
Evert
Brian Eaton wrote:
On 8/22/06, Collin Jackson <collinj@xxxxxxxxxxxxxxx> wrote:
This is not new. I've seen phishing sites using this technique for over
a year.
I'd like to take a careful look at when new phishing techniques
appear, and how long they persist. Techniques that don't succeed in
fooling users will probably go away. Techniques that tip off spam
filters will probably go away. Techniques that turn out to be
effective will persist, at least until somebody figures out how to
block those techniques. Oddly enough, using proper spelling doesn't
appear to be a requirement for a phishing e-mail to be successful,
since the phishing gangs still haven't started using spell checkers.
I'm waiting to see whether that citibusiness web site with the
two-factor auth gets phished again. Maybe 2FA made that phishing run
uneconomical?
If bouncing redirects through trusted domain names has been going on
for over a year, it must be a useful technique to fool people into
clicking on links. Maybe it's time for those well-known domains to
step up and remove those redirectors?
Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
--
www.rooftopsolutions.nl
-R
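The two redirector designs argued over in this thread, written out as an added example (this is editor-supplied illustration code, not anything Google ran or anything posted by the participants). The first function is the Referer check Evert proposed; it shows the two outcomes RSnake objects to: a request with no Referer at all (a Firefox keyword lookup through "I'm Feeling Lucky", a webmail client, a privacy plugin) is refused even though it is legitimate, while any request that merely claims the right Referer is accepted. The second design drops the Referer entirely: the site signs the targets it emits on its own pages with an HMAC under a server-side key, follows only links that carry a valid signature, and otherwise serves an interstitial that names the destination and says plainly that the site does not vouch for it. The hostnames, the signing key and the sample requests are all constructed for the example; the signed-link scheme is the editor's assumption of how such a redirector could be built, not a description of any real deployment.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; not a real site or key.
REDIRECTOR_HOST = "search.example"
SIGNING_KEY = b"constructed-example-key"


def referer_check(referer):
    """Mitigation proposed in the thread: redirect only when the Referer
    names the redirector's own site.

    Returns (allowed, reason). A missing Referer is refused even though
    many legitimate clients send none, and a Referer that simply claims
    the right host is accepted, which is why the thread rejects this.
    """
    if not referer:
        return False, "no Referer header"
    if urlsplit(referer).hostname == REDIRECTOR_HOST:
        return True, "Referer names the redirector host"
    return False, "Referer names another site"


def _mac(target):
    # HMAC-SHA256 over the exact target string; any change to the
    # target invalidates the signature.
    return hmac.new(SIGNING_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def make_signed_link(target):
    """Link the site mints itself when rendering a result page: the
    target is bound to a signature under a server-side key, so the
    redirector can later recognise its own links without trusting any
    client-supplied header."""
    return f"https://{REDIRECTOR_HOST}/url?" + urlencode(
        {"q": target, "sig": _mac(target)}
    )


def handle_redirect(request_url):
    """Decision for an incoming /url?q=...&sig=... request.

    Returns ("302", target) for a validly signed link, ("interstitial",
    target) for anything else (unsigned, tampered, or pasted by an
    attacker into a phishing mail), and ("error", "") when no target
    is present at all.
    """
    params = parse_qs(urlsplit(request_url).query)
    target = params.get("q", [""])[0]
    sig = params.get("sig", [""])[0]
    if not target:
        return ("error", "")
    if sig and hmac.compare_digest(_mac(target), sig):
        return ("302", target)
    return ("interstitial", target)


def interstitial_text(target):
    """Wording for the fallback page: name the destination host and say
    the redirector did not create the link, so the warning adds
    information rather than a reassuring-looking trusted domain."""
    host = urlsplit(target).hostname or target
    return (
        f"This link leaves {REDIRECTOR_HOST} for {host}. "
        f"{REDIRECTOR_HOST} did not create this link and does not vouch for it."
    )


if __name__ == "__main__":
    # Constructed sample requests.
    print(referer_check(None))
    print(referer_check("http://search.example/search?q=bank"))
    good = make_signed_link("http://bank.example/login")
    print(handle_redirect(good))
    print(handle_redirect("https://search.example/url?q=http://phish.example/"))
    print(interstitial_text("http://phish.example/login"))
```

The signed-link check has its own caveats: signatures must be minted only for targets the site actually rendered (a signing endpoint reachable by anyone is just another open redirector), and the key must stay server-side. What it buys over the Referer check is that the decision depends on something the attacker cannot supply or strip, rather than on a header that browsers, webmail clients and privacy tools routinely omit or rewrite.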