NEWS FROM THE LAB - Sunday, April 16, 2006

Image stealing by phishers Posted by Mikko @ 09:51 GMT

Lazy phishers often simply make a copy of the original bank site with a few malicious modifications. As an example, take a look at this currently active phishing site targeting Chase Bank.

Chase phishing site

This phishing site is running on an infected home computer in Spain. Only the HTML is hosted there; all of the images are loaded directly from a real chase.com server.

Now, activity like this could be detected automatically by the bank's own web server. How about modifying the logic of the bank web server to do something along these lines:

If somebody

  a) loads my images but
  b) does not load the corresponding HTML file and
  c) sends HTTP Referer values from outside my domain

then, for this user, let's change this image:

Chase logo before

to this image:

Chase logo after

This could be activated only after the activity has happened from, say, 10 different IP addresses, to make it harder for the attackers to spot it until it's too late.

And in most cases the Referer values would point the bank's staff directly to the real phishing site, which they could then start closing down.
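The three-part check above, the 10-address threshold and the Referer lookup, as an added example that is not part of the original post and not anything Chase runs: a small Python pass over constructed Apache combined-format log lines (the client addresses, the phish.example.net and other.example.org hosts and the /images/logo.gif path are all invented for the demo) that flags image requests whose Referer is outside chase.com, drops clients that also loaded a real bank page, and reports which Referer hosts have crossed the threshold.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

BANK_DOMAIN = "chase.com"          # the bank's own domain
IMAGE_EXTS = (".gif", ".jpg", ".png")
THRESHOLD = 10                     # distinct client IPs before the swap is activated

# Apache combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" \d+ \S+ "([^"]*)"')

def referer_is_foreign(referer):
    """True when the Referer points outside the bank's own domain (criterion c)."""
    if not referer or referer == "-":
        return False   # a missing Referer is common and is not evidence on its own
    host = urlparse(referer).hostname or ""
    return not (host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN))

def find_image_stealers(log_lines):
    """Map each foreign Referer host to the client IPs that fetched bank images
    through it (a) + (c), minus clients that also loaded a bank page (b)."""
    page_clients, suspects = set(), defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, referer = m.groups()
        if not path.lower().endswith(IMAGE_EXTS):
            page_clients.add(ip)           # anything that is not an image counts as a page load
        elif referer_is_foreign(referer):
            suspects[urlparse(referer).hostname].add(ip)
    return {h: ips - page_clients for h, ips in suspects.items() if ips - page_clients}

def swap_targets(log_lines, threshold=THRESHOLD):
    """Referer hosts with enough distinct IPs that the image swap should go live."""
    return sorted(h for h, ips in find_image_stealers(log_lines).items() if len(ips) >= threshold)

def _line(ip, path, referer):
    # constructed log line for the demo; not real bank traffic
    return f'{ip} - - [16/Apr/2006:09:51:00 +0000] "GET {path} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

SAMPLE_LOG = (
    [_line("10.0.0.1", "/index.html", "-"),                              # genuine visitor
     _line("10.0.0.1", "/images/logo.gif", "http://www.chase.com/index.html"),
     _line("192.0.2.99", "/index.html", "-")]                            # visited both sites
    + [_line(f"192.0.2.{i}", "/images/logo.gif", "http://phish.example.net/login.htm") for i in range(90, 101)]
    + [_line(f"198.51.100.{i}", "/images/logo.gif", "http://other.example.org/x.htm") for i in (1, 2)]
)
```

On the sample log, `swap_targets(SAMPLE_LOG)` returns only `phish.example.net` (10 distinct addresses once the visitor who also loaded the real page is removed), while `other.example.org` stays below the threshold.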

Eventually, attackers would move to host their own images, but for now they still typically don't.