Friday, August 25, 2006

"MarkAlert" for Domain Monitoring

DomainTools, a website providing registry and whois services, launched an interesting service called MarkAlert. MarkAlert is a free service and can be used for domain monitoring. In the context of phishing, domain monitoring involves tracking domain registrations to identify any suspicious domains that sound similar to, or use the same name or trademark as, the organization being targeted.

Here is how the service works. When you register for this service you can select the keywords that you want monitored. Once that is done, any domain registration that contains one of those keywords will generate an alert, and an email will be sent to the user who registered for the service for further action. Currently DomainTools can monitor domain registrations in the following top-level domains (TLDs): .com, .net, .org, .info, .biz, .us.

A sample email from MarkAlert, monitoring the keyword "Kotak" is shown in the figure below,



Saturday, August 19, 2006

Toolbars galore - Which one to choose? Part 2

Here is part two of the Anti-Phishing toolbar evaluation results. In addition to the five toolbars selected in my earlier evaluation, this time I also included Google Toolbar. However in this evaluation I focused on only one parameter and that is accuracy in detecting phishing sites. I basically tried to evaluate the comprehensiveness of the blacklist database of these tools and the speed with which the blacklist gets updated.

I picked up a set of 11 reported phishing sites from multiple sources such as Millermiles, Castlecops and a few that I received in my mail box :). Since time is of the essence in protection against phishing attacks, only the phishing sites reported during the last few days were picked up for evaluation. The image below shows the results along with the URLs which were used during testing,


From the results it is clear that Netcraft and Google toolbars are the most accurate Anti-Phishing toolbars as of now. However this feature of Google toolbar is only available for Firefox.

Also, for the first time I saw Microsoft Phishing Filter in action and it is quite good. It detected 7 phishing sites and in fact it even detected one site which was missed by Netcraft and Google toolbar.

For all other toolbars it is a mixed result. In my next evaluation I am thinking of including some commercial Anti-Phishing toolbars and I would also focus on any smart features built into the toolbars which would enable them to detect suspicious sites based on URL and content of web page.

Wednesday, August 09, 2006

Tools wishlist for an Anti Phisher

At times you may be required to carry out an analysis of a phishing attack, especially if you are working as a security admin. So I thought I'll list down tools which may be useful in carrying out a detailed analysis of a Phishing attack. Listed below are a few tools and what they can be used for,

1. Type - Web Proxy Tool

Available Tools - Paros, Web Scarab, Achilles


Description - A web proxy tool can be used to analyze the content and behaviour of a Phishing website. Basically these tools allow you to trap and view HTTP/S data. Hence the HTTP data sent by a Phishing website, in web server responses and client requests, can be effectively analyzed as well as recorded for future reference. You can download Paros here.

2. Type - Whois Analysis Tool

Available Tools - SamSpade, www.domaintools.com


Description - A whois query can be used to extract detailed information about a Phishing website such as Geographical Location, IP Address, Registrar etc. This information can be used to follow up further action against the Phishing site. The online whois query facility provided by DomainTools website is very informative.

3. Type - Email Header Analysis Tool

Available Tools - eMailTrackerPro


Description - Email header analysis can be helpful in locating the source of a Phishing email. Email headers can be analyzed even without any tool, but a manual analysis is time consuming and can be difficult if the mail has been routed through a number of mail servers. An analysis of email headers using a tool is easier and faster. You can try the online demo of eMailTrackerPro here and learn more about analyzing Email headers here.

4. Type - Web Server Log Analysis Tool

Available Tools - AWStats, SawMill


Description - A web server log analysis tool helps in processing and analyzing web server 'access' logs. Often phishing sites pick up content from the actual website, hence that website's server logs may contain traces of a Phisher. A web server log analysis tool can help in analysing the 'referer' entries in access logs to identify a Phisher. You can read more on Referer analysis in my previous post here.
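
The referer check described in item 4, as an added example (not code from the original post, nor from AWStats or SawMill): it scans the legitimate site's access log for image, CSS and script requests whose Referer is a page on a host the site does not own. It assumes Apache "combined" log format; the hostnames in `OWN_HOSTS` and the log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames of the legitimate site (placeholder values).
OWN_HOSTS = {"www.bank.example", "bank.example"}

# Apache "combined" log format: ... "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Static content that a copied login page typically hotlinks.
ASSET_RE = re.compile(r"\.(?:gif|jpe?g|png|css|js|ico)(?:\?|$)", re.I)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Aug/2006:10:01:02 +0530] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.bank.example/login.html" "Mozilla/4.0"
203.0.113.9 - - [09/Aug/2006:10:03:11 +0530] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://203.0.113.50/secure/login.html" "Mozilla/4.0"
203.0.113.12 - - [09/Aug/2006:10:04:40 +0530] "GET /css/main.css HTTP/1.1" 200 5120 "http://203.0.113.50/secure/login.html" "Mozilla/4.0"
192.0.2.44 - - [09/Aug/2006:10:05:00 +0530] "GET /index.html HTTP/1.1" 200 9000 "http://search.example/?q=bank" "Mozilla/4.0"
192.0.2.45 - - [09/Aug/2006:10:06:00 +0530] "GET /images/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
"""


def foreign_referers(lines, own_hosts=OWN_HOSTS):
    """Count asset requests whose Referer is a page on a host we do not own."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not ASSET_RE.search(m["path"]):
            continue  # unparsable line, or a page hit (search engines, links)
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:  # malformed Referer (client-controlled input)
            continue
        if host and host not in own_hosts:  # "-" and empty referers have no host
            hits[(host, m["referer"])] += 1
    return hits


if __name__ == "__main__":
    for (host, url), n in foreign_referers(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {host}  {url}")
```

The Referer header is supplied by the client and may be absent or forged, so each hit is a lead to verify against the referring page rather than proof on its own.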

So go ahead, arm yourself with all these tools and land up a big fish. And drop me a line if you come across some better tools.