Mining Web Server logs
Hi all, after a long break, I am finally back with some spicy news from the world of anti-phishing. This time results from an actual phishing incident analysis which was quite interesting and the results can be quite useful for others too. Here goes the details,
Recently the Internet Banking application of one of our customers was subjected to a Phishing attack. Here is a short step-by-step description of the analysis carried out using referrer logs of their web server to identify the location of the phisher,
Recently the Internet Banking application of one of our customers was subjected to a Phishing attack. Here is a short step-by-step description of the analysis carried out using referrer logs of their web server to identify the location of the phisher,
- Once the phishing site was detected the web server access logs of the last four days were taken for analysis.
- From this log, all the requests which had links to the Phishing site in the referrer field were separated. It was thought that this filtered log may provide a critical information i.e. the IP addresses of the victims of the phishing site. This is because all the users who submitted their login id & password to the phishing site were redirected to the original internet baking application and hence had Phishing site link in the referrer field.
- From the detailed audit trails stored by the Internet Banking application, the login ids which are generally used from the IP addresses identified earlier was listed down. (as a best practice the internet banking application was storing IP address with each login)
- Now a monitoring procedure was initiated to see whether an access attempt is made using these login ids from an IP address which is different from those identified earlier. Since these login ids are compromised and will be available with the phishers, any attempt to login from an IP address which is different from the usual becomes suspicious.
- During monitoring the bank found that a number of login attempts are made from an IP address in UK using the accounts which were compromised. All login using these accounts in the past were from IP addresses in India only.
- The bank is now planning to initiate a legal action. They may also have to contact the ISP in UK to determine the exact user of the suspicious IP address.