Mining Web Server logs
Hi all, after a long break, I am finally back with some spicy news from the world of anti-phishing. This time results from an actual phishing incident analysis which was quite interesting and the results can be quite useful for others too. Here goes the details,
Recently the Internet Banking application of one of our customers was subjected to a Phishing attack. Here is a short step-by-step description of the analysis carried out using referrer logs of their web server to identify the location of the phisher,
Recently the Internet Banking application of one of our customers was subjected to a Phishing attack. Here is a short step-by-step description of the analysis carried out using referrer logs of their web server to identify the location of the phisher,
- Once the phishing site was detected the web server access logs of the last four days were taken for analysis.
- From this log, all the requests which had links to the Phishing site in the referrer field were separated. It was thought that this filtered log may provide a critical information i.e. the IP addresses of the victims of the phishing site. This is because all the users who submitted their login id & password to the phishing site were redirected to the original internet baking application and hence had Phishing site link in the referrer field.
- From the detailed audit trails stored by the Internet Banking application, the login ids which are generally used from the IP addresses identified earlier was listed down. (as a best practice the internet banking application was storing IP address with each login)
- Now a monitoring procedure was initiated to see whether an access attempt is made using these login ids from an IP address which is different from those identified earlier. Since these login ids are compromised and will be available with the phishers, any attempt to login from an IP address which is different from the usual becomes suspicious.
- During monitoring the bank found that a number of login attempts are made from an IP address in UK using the accounts which were compromised. All login using these accounts in the past were from IP addresses in India only.
- The bank is now planning to initiate a legal action. They may also have to contact the ISP in UK to determine the exact user of the suspicious IP address.
3 Comments:
Hey Abhishek..Good to c u after so long.Just saw ur mail on ur blog.Tc
Regs
Arun
Hello Abhishek,
Thanks for posting your experiences. You people carried out a very good excercise.
May be the attacker has some other credentials that he/she hasn't yet used.
The attacked (Victim) bank can be asked to request its customers to change its password asap. The attacked bank can also be asked to send an acknowledgement message to its customers for sometime whenever there is any transaction using Inetrnet Banking.
Thanks and Regards
Sandeep Paul
Sandeep, the attacked bank immediately contacted its customers to change their passwords after the analysis.
One more interesting fact that I wanted to share, this phishing incident was actually reported by one of the customers of the bank. This is the benefit of improving customer awareness :)
Post a Comment
<< Home