01/13/2009

Series of hacked sites used for phishing attacks against Belgian domains


And the list goes on and on.

Many different pages, each hosting a different phish.

It seems to be the same technique every time.

The same goes for variants in the .eu domain.

More research coming soon.


05/22/2008

Top 10 phishers, April 2008, according to phishtank.com

Phishing URLs

In February, 925 phishes (6% of valid phishes that month) used an IP address (e.g. http://12.34.56.78) and 15,602 (or 94%) used a domain name (e.g. http://example.com).

Top 10 Domains (valid phishes)
1    fj.cn (549)
2    altervista.org (409)
3    bankofamerica.com (271)
4    by.ru (171)
5    jl.cn (116)
6    dlltechusnfotk93.cn (113)
7    zj.cn (99)
8    filestack07.net (92)
9    xj.cn (79)
10   9k.com (74)

Top 10 IPs (valid phishes)
1    212.174.25.241 (1,715)
2    62.233.145.45 (1,627)
3    218.92.205.246 (1,355)
4    85.105.182.6 (1,033)
5    212.0.85.6 (817)
6    193.33.61.2 (790)
7    217.119.57.19 (649)
8    209.172.59.193 (635)
9    89.255.3.132 (437)
10   192.138.181.110 (271)


04/17/2008

altervista.org is a haven for phishing

In PhishTank you will find one hacked subaccount after another that is being used for phishing.

They are hosted either on altervista.org itself or on those two IP addresses, 78.129.167.30 and 87.117.228.151.


02/19/2008

Another way banks make it easy for phishers

The thing that always surprises me when I look at the code of phished pages from banks and the like is how often the images are loaded directly from the institution's own server.

I can't believe they don't have the money to buy a system that would monitor such requests and alert when someone is loading images from their logon page directly. There is even quite cheap anti-leeching software, used by professional designers and photo banks, that stops most forms of leeching.

And even in the case of iframes, you can block this kind of incoming connection to your page at your application-layer defence, which I suppose you have as a bank.

You would force the phishers to hack into other sites or to cross-link, and this would leave more traces and make it easier to cripple those sites (by focusing on the sites hosting the images rather than on the phish sites themselves, if those are too difficult to bring down immediately).

You can also try the other technique: hide a marker image inside an image, or on the page after the logon, so that you are only alerted once there is a real phish site or operation.

Another way is to let people choose several pictures from a database as a second authentication factor. You will have to restrict access to this database to one particular login page. There is no way a phisher can have exactly the same database of pictures and symbols a bank has, especially if users can choose and upload, for example, one of three themselves.

This can't be the final solution, but the more difficult it becomes to set up a phish site, the better.


02/18/2008

How banks are making it easy for phishers

If we take the same phish example one step further, we will see why banks and others sometimes make it simple for phishers, confusing for customers and very difficult for the IT security people around here.

So we have moved from the phish site to the normal site of the Royal Bank of Scotland and have arrived at

https://www.rbsdigital.com/help.aspx?id=CN1

but the main site of the bank is http://www.rbs.co.uk/

and there are other links on the site (if you've got a question, which you may have if you are caught up in or being defrauded by a phish operation):

http://www.rbsgotaquestion.co.uk/

and http://www.rbsmarkets.com/

This is a lot of sites to keep apart. It is also not clear that all transactions go through one site and no other, if that is even the case. But that would be the best scenario for tracking what is happening and who is trying to defraud your customers and you (because in most cases you will have to pay compensation).


One way for a bank to discover phishing sites

This is on the phish site, for example the one at smsonweb.be:

Your Customer Number

Please enter your Customer Number. This is your date of birth (ddmmyy) followed by your unique number which identifies you to the Bank.
Forgotten your customer number?

Customers With A New Activation Code

Only individuals who have a Royal Bank of Scotland account and authorised access to Digital Banking should proceed beyond this point. For the security of customers, any unauthorised attempt to access customer bank information will be monitored and may be subject to legal action.
----------------------------------------------------------------
Well, the link under "Forgotten your customer number?" goes directly to the site of the bank itself. So as the bank's security front man, you could log the referrers of incoming requests to pages such as the FAQ, re-registration and so on, and from the referring URLs you will see whether the visitor came from a phish site or not.
You can even go further and redirect all those clicks to a "404 PHISH Alert" page and set a takedown procedure in motion.
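The referrer check described here, and the image-hotlink monitoring from the post "Another way banks make it easy for phishers", both come down to the same log analysis. This is an added example (not code from the original blog or from any bank): it runs over a few constructed web-server log lines in the common "combined" format and flags watched resources (logon images, the help page) that were fetched from a page outside an assumed allowlist of the bank's own hosts.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist: hosts that may legitimately link to or embed the bank's
# pages. Built from the sites named in these posts; a real deployment would
# maintain its own list.
TRUSTED_HOSTS = {"www.rbs.co.uk", "www.rbsdigital.com",
                 "www.rbsgotaquestion.co.uk", "www.rbsmarkets.com"}

# Resources only the bank's own pages should reference: logon imagery and the
# help/re-register pages that a phish page links back to (assumed paths).
WATCHED_PATHS = {"/help.aspx", "/images/logo.gif", "/images/logon-header.gif"}

# Apache/nginx "combined" log line: client, timestamp, request, status, bytes,
# referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer: str) -> str:
    """Hostname from a Referer value; '' when absent ('-') or unparsable."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()

def flag_hotlinks(log_lines):
    """(client_ip, path, referer_host) for each watched resource that was
    requested from a page not hosted on a trusted bank domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined-format
        path = urlsplit(m["path"]).path   # drop the query string (?id=CN1)
        if path not in WATCHED_PATHS:
            continue
        host = referer_host(m["referer"])
        # A missing Referer is normal (direct visits, privacy settings); only an
        # explicit foreign referring host is treated as a hotlink/phish signal.
        if host and host not in TRUSTED_HOSTS:
            hits.append((m["ip"], path, host))
    return hits

def takedown_candidates(log_lines):
    """Distinct referring hosts to hand to the takedown procedure."""
    return sorted({host for _, _, host in flag_hotlinks(log_lines)})

# Constructed sample log lines (RFC 5737 test addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2008:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://www.smsonweb.be/rbs/logon.html" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Feb/2008:10:01:05 +0000] "GET /help.aspx?id=CN1 HTTP/1.1" 200 8765 "http://www.smsonweb.be/rbs/logon.html" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Feb/2008:10:02:11 +0000] "GET /help.aspx?id=CN1 HTTP/1.1" 200 8765 "https://www.rbsdigital.com/logon.aspx" "Mozilla/5.0"',
    '192.0.2.45 - - [18/Feb/2008:10:02:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.0.2.46 - - [18/Feb/2008:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 100 "http://other.example/page" "Mozilla/5.0"',
]
```

Only the two requests referred from smsonweb.be are flagged: the bank's own logon page, the direct visit without a Referer, and the unwatched index page are left alone.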
