Thursday, June 22, 2006

Referer Analysis - Mining for a Phisher’s Traces

Web server logs can provide valuable information to detect a phishing attack, especially the referer entries. But before we dive into the details, and for those who are not familiar with web server logs, here is a brief introduction to referer.

A referer is the URL of the previous web page from which a link was followed. Similarly, when an image is picked up from within an HTML page, the referer is the URL of the page within which the image is being requested. The referer log is generally used to identify from which websites users are arriving at the website whose logs are being monitored.

This is how a referer appears in an Apache log (the referer is the last quoted URL on the line):

127.0.0.1 - "GET /bank/demo/bank/images/line2.gif HTTP/1.1" 200 "http://localhost/bank/demo/bank/demo.html"

You can read more details on referer logs here.

Having understood referer logs, let us see how they can be used to detect a phisher. An analysis of phishing sites has revealed that they very often link content such as images or text from the actual web site instead of embedding it within the fake website. When the fake page loads in the user's browser, the images are fetched from the original server. This leaves information about the phishing website on the actual web server, in the form of referer entries in the web server logs. If the logs are analyzed for suspicious referer entries, we may detect a phisher. Given below are two examples of what can be a suspicious referer entry:

Presence of numeric IP addresses – In the past many phishing web sites have been hosted at URLs identified by an IP address instead of a domain name. If the phishing site does not have a domain name, then the referer entries will contain the numeric IP address of the fake website.

Presence of organization name – Many phishing websites use a URL that contains the name of the targeted organization. For example, if ABC bank is the victim of a phishing attack, then the phisher's URL may look like: http://sorstyle.com/ABC.com/us/cgi-bin/index.php. So if the request is coming from such a website, the referer entries will contain the name of the organization.

If referer entries are analyzed regularly for the presence of numeric IP addresses or the name of the organization, then a phishing attack may be detected.
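One way to automate the check described above, as an added example that is not part of the original post: a small Python script that parses Apache combined-format log lines and flags referers whose host is a numeric IP address, or whose URL carries the organization's name without pointing at one of the organization's own hosts. The organization name, the list of own hosts and the log lines are constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Apache combined log format; the referer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def suspicious_referers(lines, org_name, own_hosts):
    """Return (referer, reasons) for each log line whose referer looks like a copied page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue                      # direct request, or referer suppressed by the browser
        host = (urlparse(referer).hostname or "").lower()
        if host in own_hosts or any(host.endswith("." + h) for h in own_hosts):
            continue                      # our own pages embedding our own images: expected
        reasons = []
        try:
            ip_address(host)              # raises ValueError unless host is a literal IP
            reasons.append("numeric IP host")
        except ValueError:
            pass
        if org_name.lower() in referer.lower():
            reasons.append("organization name in foreign URL")
        if reasons:
            hits.append((referer, reasons))
    return hits

# Constructed sample log lines (hypothetical hosts, not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2006:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4512 "http://www.abcbank.com/login" "Mozilla/5.0"',
    '203.0.113.6 - - [22/Jun/2006:10:01:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 4512 "http://192.0.2.44/abc/index.php" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jun/2006:10:02:15 +0000] "GET /images/line2.gif HTTP/1.1" 200 318 "http://sorstyle.example/ABCBank.com/us/cgi-bin/index.php" "Mozilla/5.0"',
    '203.0.113.8 - - [22/Jun/2006:10:03:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for referer, reasons in suspicious_referers(SAMPLE_LOG, "abcbank", {"www.abcbank.com", "abcbank.com"}):
        print(referer, "->", ", ".join(reasons))
```

Requests with no referer are skipped rather than flagged, since browsers and proxies routinely strip the header, so a flagged entry is a lead to investigate rather than proof of an attack.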

Look out for the next post on referer analysis, where we use a log analysis tool to identify suspicious referer entries.

Wednesday, June 21, 2006

Phishing via Cross Site Scripting at Paypal

Netcraft reports a very convincing phishing attack on Paypal, exploiting a Cross Site Scripting vulnerability on the Paypal site.

The phishers exploit an XSS vulnerability on the original Paypal site. After users are induced to visit the original site, they are automatically redirected to the phisher's site. Netcraft has step-by-step screenshots of the attack.

Paypal has fixed the vulnerability.

This seems to be the first appearance of phishing tied to XSS. Expect to see more of this in the coming months!

Tuesday, June 20, 2006

Phishregistry - free service to monitor your site

Heard via the Bankers Online Anti-phishing blog that CipherTrust is offering a free service called PhishRegistry to monitor whether your website is being duplicated.

According to the site:

"PhishRegistry.org monitors the content of your Website and alerts you when attempts to duplicate it have been detected. By registering your site on Phishregistry.org, you are able to receive notifications of online fraud attempts, and increase your Website’s visibility with CipherTrust and our anti-fraud partners."

The site asks you for the URLs to your home page, the login page and your logo.

The service was launched in March 2006, but I couldn't find more technical details of how the service works.

Scamsters attack ISACA

Recently phishers targeted ISACA, the organization behind the coveted CISA certification. A website with the name www.cisaca.org was created and tricked users into buying study material or registering for the CISA exam. The phishers may be after the credit card numbers of the users.

A quick check with the Netcraft toolbar revealed the location as China. The domain name of the website is quite interesting; the use of words such as isaca, cisa and ca can be misleading to an unsuspecting user.

Another thing to note in this attack is the shift in focus from banking or financial institutions to other organizations, which can be equally vulnerable. Organizations such as ISACA are attractive targets, as they have users in multiple countries. Users accessing these websites may also be a little less alert than when they are accessing something more sensitive, say Internet banking. These factors may increase the overall chances of a successful phishing attack.

We may see more such attacks targeting non-financial organizations in the future.