NEWS FROM THE LAB - Wednesday, January 3, 2007

How to locate new phishing sites
Posted by Mikko @ 13:55 GMT

Phishing sites are easy to locate once the bad boys start spamming out thousands of mails linking to their site. But how can such sites be found before that?

Here's an example.

You can subscribe to alert services that will let you know when a new domain with certain keywords has been registered. Domaintools is one such service.

Here's an email from yesterday, letting us know that one new domain with the word "bankofamerica" in it has been registered:


Looking at detailed domain information, we can see the domain was registered on the 1st of January:


The domain name has a live web server running. The front page looks like this:


The folder "OnlineID" sounds suspicious. Let's follow it.


And three folders deeper we'll find the real phishing site.


At the time of posting this entry, none of the common browsers (IE, Firefox, Opera) detected this site as a phishing site with their built-in filters. Soon they will.

Hopefully we'll be able to shut down this site before the bad boys actually start using it.
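
The keyword alerting described above can be approximated locally against any list of newly registered domains. This is an added example, not code from the original post or from Domaintools; the feed entries, the allowlisted domain and the look-alike table are constructed assumptions.

```python
import re

# Assumed look-alike table (illustrative, not exhaustive): characters that are
# commonly swapped for each other are folded onto one representative letter.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})

def skeleton(text):
    """Lower-case, fold look-alikes, and drop hyphens, dots and other separators."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))

def find_suspects(domains, keywords, allowlist=()):
    """Return (domain, matched_keywords) for new registrations containing a
    watched keyword, skipping the brand's own domains and their subdomains."""
    keys = {k: skeleton(k) for k in keywords}
    allowed = {a.lower().rstrip(".") for a in allowlist}
    hits = []
    for raw in domains:
        domain = raw.strip().lower().rstrip(".")
        if not domain or domain in allowed:
            continue
        if any(domain.endswith("." + a) for a in allowed):
            continue
        # Match on everything left of the final label (the TLD).
        body = skeleton(domain.rpartition(".")[0])
        matched = sorted(k for k, s in keys.items() if s in body)
        if matched:
            hits.append((domain, matched))
    return hits

# Constructed sample feed of newly registered domains (reserved .example TLD).
SAMPLE_FEED = [
    "riverbank-cafe.example",
    "bankofamerica-onlineid.example",
    "bank-of-amer1ca.example",
    "bankofamerica.com",          # assumed to be the brand's own domain
    "",
]

if __name__ == "__main__":
    for domain, matched in find_suspects(
        SAMPLE_FEED, ["bankofamerica"], allowlist=["bankofamerica.com"]
    ):
        print(f"review: {domain} (keyword: {', '.join(matched)})")
```

Each hit is only a lead for manual review, following the same steps as in the post: check the registration date, then look at what the web server is actually serving.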