February 12, 2008

Cutting the phishing rod

These days I've been involved in developing some countermeasures against an intensive phishing attack. The IT team of the offended bank is rather skilled when it comes to security, but was simply helpless against such an attack. It seems there are no defenses, since they're hitting the user, the soft spot. But yet, we had to think of some way to, at least, mitigate the attack.
So, here you are some ideas for proactive "server side" (not involving client interaction) defenses against phishing: I've got a couple more, but I have to develope them a little.

  • Pollute aggressor's data: we generated thousands of fake credentials from hundreds of proxies. The attackers will have an hard time filtering out the fakes, since they're not even logging the ip the request came from.

  • Lay traps:if you manage to have the attackers take the bait and use a fake login, you can modify your application and try to mine useful informations from their browser. Things like javascript local IP grabbing, evil java applets and such can help against the anonymous proxy they will likely be using

  • Do content tampering: if the attackers left some images with src pointing to your website, change the links in your website and switch their pictures in something else to warn the user. A huge red alert banner will do. If they were clever enough to download the images too, change yours. It won't be a huge gain, but every little bit...

  • Do image proofing: have an artist design 365 small images, one for every day. It is not easy to copy someone' style, and if the users are used to see something changing in a regular fashion they will be able to spot anomalies easily. The point is: most banks (and big stores too) websites are static in content, thus an easy prey for phishers.


The next thing I'm thinking about is automatic detection of phishing websites using a proxy. Imagine a squid component able to warn you whenever you hit a phishing site... without the need to mantain a blacklist. Blacklists are a quick, easy way out. Unfrotunately, they just don't work: most hits will take place in the hours close to the phishing attempt, when the blacklist won't be updated.That's why we need more creative, out of the box solutions.