• Series of hacks used for phishing attacks against Belgian sites

    and the list goes on and on

    many different pages, each with a different phish

    it seems to be the same technique every time

    also for variants on .eu domains

    more research coming soon

  • Top 10 phishers April 2008 according to

    Phishing URLs

    In February, 925 phishes (6% of valid phishes that month) used an IP address (i.e. and 15,602 (or 94%) used a domain name (i.e.

    Top 10 Domains (valid phishes)
    1 (549)
    2 (409)
    3 (271)
    4 (171)
    5 (116)
    6 (113)
    7 (99)
    8 (92)
    9 (79)
    10 (74)
    Top 10 IPs (valid phishes)
    1 (1,715)
    2 (1,627)
    3 (1,355)
    4 (1,033)
    5 (817)
    6 (790)
    7 (649)
    8 (635)
    9 (437)
    10 (271)
  • is a haven for phishing

    In PhishTank you will find one hacked sub-account after another being used for phishing, or those two IP addresses and

  • Another way banks make it easy for phishers

    The thing that always surprises me when I look at the code of phished pages imitating banks and the like is how often the images are loaded directly from the server of the institution itself.

    I can't believe they don't have the money to buy a system that would monitor such links and alert when someone is loading images directly from their logon page. There is even quite cheap anti-leeching software, used by professional designers and photo banks, that stops most forms of leeching.

    And even with iframes you can stop this kind of incoming connection to your page at your application-layer defence, which I suppose a bank has.

    You would force the phishers to hack into other sites or to cross-link, which would leave more traces and make it easier to cripple those sites (by focusing on the sites hosting the images rather than the phish sites themselves, if those are too difficult to bring down immediately).

    You can also try the other technique and hide an image in an image, or on the page after the logon, so that you are only alerted once there is a real phish site or operation.

    Another way is to let people choose several pictures from a database as a second authentication factor. You will have to restrict access to this database to one particular login page. There is no way a phisher can have exactly the same database of pictures and symbols a bank has, especially if users can choose and upload one of, for example, three themselves.

    This can't be the final solution, but the more difficult it becomes to set up a phish site, the better.

  • How banks are making it easy for phishers

    If we take the same phish example one step further we will see why banks and others sometimes make it simple for phishers, confusing for customers and very difficult for the IT security people around here.

    So we have left the phish site for the normal site of the Bank of Scotland and have arrived at

    but the main site of the bank is 

    and there are other links on the site (if you have a question, which you may have if you are participating in or being defrauded by a phish operation)

    That is a lot of sites not to confuse. It is also not clear that all transactions will only go through one site and no other, if that is even the case. But that would be the best scenario for tracking what is happening and who is trying to defraud your customers and you (because in most cases you will have to pay compensation).

  • One way for a bank to discover phishing sites

    This is on the phish site, for example the one from

    Your Customer Number

    Please enter your Customer Number. This is your date of birth (ddmmyy) followed by your unique number which identifies you to the Bank.
    Forgotten your customer number?

    Customers With A New Activation Code

    Only individuals who have a Royal Bank of Scotland account and authorised access to Digital Banking should proceed beyond this point. For the security of customers, any unauthorised attempt to access customer bank information will be monitored and may be subject to legal action.
    Well, the link in "forgotten your customer number" goes directly to the site of the bank itself. So as a front man of security you could log incoming links to pages such as FAQ, re-register and so on, and from the referring links you will see whether the click came from a phish site or not.
    You can even go further and redirect all those clicks to a 404 PHISH Alert page and set a takedown procedure in motion.
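    The monitoring described here and in the earlier post about hotlinked logon images comes down to the same check: look at the Referer header on requests for the bank's own images, the canary image on the post-login page and the support links ("forgotten your customer number", FAQ), and treat any referring host that is not the bank's own as a suspected phish site. The script below is an added example written for this post, not code from the original or from any bank; the hostnames (example-bank.test, rbs-login.phish.test), paths and access-log lines are constructed for illustration, and the log format is the common Apache/nginx "combined" format.

```python
"""Referer-based detection of phishing pages that reuse a bank's own
resources: hotlinked logon images, a canary image on the post-login page,
and 'Forgotten your customer number?' style support links.

Added example, not code from the original post. The bank hostnames,
paths and log lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Hosts that may legitimately embed our images or link to our support pages
# (assumed bank domains, constructed for this example).
ALLOWED_REFERER_HOSTS = {"www.example-bank.test", "secure.example-bank.test"}

# Resources a cloned page tends to pull straight from the real server,
# mapped to the response we want when the referer is a foreign host.
PROTECTED = {
    "/logon/images/logo.png": "block_image",          # hotlinked logon artwork
    "/account/images/pixel.gif": "alert_only",        # canary on post-login page
    "/help/forgotten-customer-number": "redirect_phish_alert",
    "/help/faq": "redirect_phish_alert",
}

# Apache/nginx "combined" log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer: str) -> Optional[str]:
    """Return the lowercase host of a Referer header, or None if absent/unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify(line: str) -> Optional[dict]:
    """Parse one access-log line and decide whether it points at a phish.

    Returns None for lines that are not about a protected resource or that
    carry an allowed or empty referer; otherwise a dict describing the hit.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["path"]).path          # drop any query string
    action = PROTECTED.get(path)
    if action is None:
        return None
    host = referer_host(m["referer"])
    # A missing referer is common (privacy settings, direct navigation) and is
    # not evidence on its own; an allowed host is the bank's own page.
    if host is None or host in ALLOWED_REFERER_HOSTS:
        return None
    return {
        "client_ip": m["ip"],
        "path": path,
        "referer_host": host,
        "referer": m["referer"],
        "action": action,
    }


def scan(lines):
    """Run classify() over log lines; return (hits, hit count per suspected phish host)."""
    hits = [h for h in (classify(line) for line in lines) if h]
    per_host = Counter(h["referer_host"] for h in hits)
    return hits, per_host


# Constructed sample log: two hotlinks and one support-link click from a
# cloned page on "rbs-login.phish.test", plus benign traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2008:09:12:01 +0200] "GET /logon/images/logo.png HTTP/1.1" 200 5120 "http://rbs-login.phish.test/digital/login.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2008:09:12:02 +0200] "GET /logon/images/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.test/logon" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2008:09:13:40 +0200] "GET /help/forgotten-customer-number HTTP/1.1" 200 812 "http://rbs-login.phish.test/digital/login.php" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2008:09:14:00 +0200] "GET /help/faq HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2008:09:14:05 +0200] "GET /account/images/pixel.gif HTTP/1.1" 200 43 "http://rbs-login.phish.test/digital/account.php" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Apr/2008:09:14:09 +0200] "GET /about HTTP/1.1" 200 3000 "http://some-blog.test/post" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_host = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['action']:22} {h['path']:35} <- {h['referer']}")
    print("suspected phish hosts:", dict(per_host))
```

    Run against the sample log this flags three requests, all pointing back at the same cloned page, which is exactly the signal that should start a takedown. The same `classify()` logic can run inline in a web server or reverse proxy instead of over logs, so that `block_image` serves nothing and `redirect_phish_alert` sends the visitor to the 404 PHISH Alert page; the `alert_only` action for the canary image exists because blocking it would tell the phisher the trap has fired.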