Thursday, June 22, 2006

Referer Analysis - Mining for a Phisher’s Traces

Web server logs can provide valuable information to detect a phishing attack, especially the referer entries. But before we dive into the details, and for those who are not familiar with web server logs, here is a brief introduction to the referer.

A referer is the URL of the previous web page from which a link was followed. Similarly, when an image is fetched from within an HTML page, the referer is the URL of the page that requested the image. The referer log is generally used to identify which websites are sending visitors to the website whose logs are being monitored.

This is how a referer appears in an apache log (the referer is the last quoted field):

127.0.0.1 - "GET /bank/demo/bank/images/line2.gif HTTP/1.1" 200 "http://localhost/bank/demo/bank/demo.html"

You can read more details on referer logs here.

Having understood referer logs, let us see how they can be used to detect a phisher. Analysis of phishing sites has revealed that they very often link content such as images or text from the actual web site instead of embedding it within the fake website. When the fake page loads in the user’s browser, the images are fetched from the original server. This leaves traces of the phishing website on the actual web server in the form of referer entries in its logs. If the web server logs are analyzed for suspicious referer entries, we may detect a phisher. Given below are two examples of what can be a suspicious referer entry:

Presence of numeric IP addresses – In the past, many phishing web sites have been hosted at URLs identified by an IP address instead of a domain name. If the phishing site does not have a domain name, the referer entries will contain the numeric IP address of the fake website.

Presence of the organization name – Many phishing websites also use a URL that contains the name of the targeted organization. For example, if ABC bank is the victim of a phishing attack, the phisher’s URL may look like: http://sorstyle.com/ABC.com/us/cgi-bin/index.php. If the request comes from such a website, the referer entries will contain the name of the organization.

If referer entries are analyzed regularly for the presence of numeric IP addresses or the name of the organization, then a phishing attack may be detected.
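To make the two checks concrete, here is an added example (not code from the original post) that parses Apache combined-format log lines and flags any referer whose host is a bare IP address or whose URL carries the organization's name outside the organization's own domains. The log lines, the domain names and the organization name are constructed for illustration.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Apache "combined" log format (assumed here; the post's sample line is abbreviated):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed values: the hostnames the organization itself serves pages from, and its name.
OWN_DOMAINS = {"abcbank.example", "www.abcbank.example"}
ORG_NAME = "abcbank"

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify_referer(referer):
    """Return the reasons a referer looks suspicious ([] means it looks fine)."""
    if referer in ("", "-"):          # direct request or referer suppressed: nothing to judge
        return []
    host = (urlsplit(referer).hostname or "").lower()
    if host in OWN_DOMAINS:           # our own pages legitimately load our images
        return []
    reasons = []
    try:
        ipaddress.ip_address(host)    # check 1: referring host is a numeric IP, not a domain
        reasons.append("numeric-ip-host")
    except ValueError:
        pass
    if ORG_NAME in referer.lower():   # check 2: our name appears in a URL that is not ours
        reasons.append("org-name-in-foreign-url")
    return reasons

def find_suspicious(lines):
    """Scan log lines and return (client, request, referer, reasons) for each suspicious hit."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = classify_referer(rec["referer"])
        if reasons:
            hits.append((rec["host"], rec["request"], rec["referer"], reasons))
    return hits

# Constructed sample log: one legitimate hit, two phishing-style hits, one direct request.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2006:10:00:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://www.abcbank.example/login.html" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2006:10:00:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://192.0.2.44/abcbank/login.html" "Mozilla/5.0"',
    '198.51.100.8 - - [22/Jun/2006:10:00:03 +0000] "GET /images/line2.gif HTTP/1.1" 200 512 "http://phish-host.example/abcbank.example/us/cgi-bin/index.php" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jun/2006:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, request, referer, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{client} {request!r} referer={referer} reasons={','.join(reasons)}")
```

A referer can be forged or omitted by the client, so a hit is a lead for investigation rather than proof; the value of the check is that a phishing page that hotlinks the real images leaves this trace without the phisher intending it.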

Look out for the next post on referer analysis, where we use a log analysis tool to identify suspicious referer entries.

1 Comment:

At 4:30 PM, Anonymous sub7venger said...

very informative.....
