I have already covered phishing in a few of my earlier posts here:
I just received an email from 'security@axisbank.com' telling me that
--------------------------------------------------------------
Security Alert:
Attention! Your AXIS Online Banking Account has been violated!
Someone with IP Address 81.102.72.19 tried to access your personal account!
In accordance with Axis Online Banking User Agreement and to ensure that
your account has not been compromised, access to your account was limited.
Your account access will remain limited until this issue has been resolved.
Please follow the link below to resolve this problem:
http://somelinkepresenthere
Thank You.
----------------------------------------------------------------
The logo and everything else is there, so it looks pretty official. The problem is, I don't have an Axis Bank account :-)
So of course I thought this was phishing. You can tell right away by hovering your mouse over the link: usually the href attribute of the anchor points to the phisher's real website, while the visible text of the "a" element is your bank's address. That confirmed it was a phishing site.
Then I thought, let's go where they are really pointing me and see what happens. As I clicked it, Firefox's phishing protection kicked in and told me the site had been reported for phishing. Now that was good: protection from some real danger! I wonder what happens when you open the link in IE....
Anyway, this kind of phishing detection is blacklist-based. It works, as we just saw, but it doesn't work against zero-day attacks: someone has to report the site as phishing first, and there is a window between the site going up and people reporting it. That window is enough for the phishers to harvest the account details of a great many innocent people.
That reminds me of a project guided by Amey at the Dreamz Group. It was a browser plugin built around a set of rules, or suspicions, that typical phishing sites trigger; if the rules match, a warning is displayed. The href/link-text mismatch we checked above by hovering the mouse pointer is one such rule. Solutions like these raise the bar quite a lot. I am not sure whether any commercial products do this, but there should certainly be some around.
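As an added example (not code from the original post or from the Dreamz Group plugin), here is the href/anchor-text mismatch rule from above applied to a constructed mail body; the hostnames and IP address in the sample are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, modelled on the quoted mail. Hosts are invented.
SAMPLE_HTML = """
<p>Please follow the link below to resolve this problem:</p>
<a href="http://203.0.113.7/axis/login.php">https://www.axisbank.com/secure</a>
<a href="https://www.axisbank.com/help">Contact us</a>
<a href="https://www.axisbank.com/login">https://www.axisbank.com/login</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname; bare text such as 'www.example.com' counts as a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, reasons) for anchors whose visible text is a URL on a
    different host than the href (the hover rule), plus hrefs using a raw IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        if text.startswith(("http://", "https://", "www.")) and host_of(text) != host_of(href):
            reasons.append("visible text host %s differs from href host %s" % (host_of(text), host_of(href)))
        if host_of(href).replace(".", "").isdigit():
            reasons.append("href uses a raw IP address instead of a hostname")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` flags only the first link, for both reasons.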