A recent blog post about the Google Blacklist brought up a thought I had a while ago about reducing the effectiveness of phishing. In his post Micheal says that “The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site.” This has been my experience as well. The phishing page actually includes graphics from the legitimate site.
I can see a couple of reasons for this.
- The phishers have some concern about bandwidth usage or disk space usage on their hosts
- When the page is loading, some browsers will say “waiting for www.paypal.com” which helps to make the site appear more legitimate.
- Phishers are lazy and don’t want the added work of changing the source and uploading more files to their web host
In any case, the fact that these phishing sites are pulling graphics from the legitimate site provides an easy way for the target site to identify phishing sites. On 90% (or more) of browsers, when the browser requests a graphic, it sends a Referer header (exposed to Apache and PHP as the HTTP_REFERER variable) that tells the web server which page included the graphic.
For example, if you are hitting my site now, your browser requested this graphic:
When your browser requested it, it also told my web server which page the request originated from. This is the default behavior for all major browsers. The request in my Apache log looks like this:
220.127.116.11 - - [05/Jan/2007:09:59:58 -0500] "GET /wp-content/themes/cordobo-green-park-09-beta-09/images/h3_bg.gif HTTP/1.1" 200 1581 "http://www.brandonchecketts.com/wp-content/themes/cordobo-green-park-09-beta-09/style.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:18.104.22.168) Gecko/20061204 Firefox/22.214.171.124"
Basically, your web browser told my server that the page which instructed it to request the graphic was the "style.css" file (the quoted URL after the status code and size is the Referer).
The phishing targets (PayPal, eBay, Bank of America, etc) could easily look through their logs to identify those phishing sites that are including their graphics.
Or, better yet, instead of just displaying the static images, they could program their web server to look at the Referer header on each request. If it comes from a legitimate source, then display the normal graphic. If it comes from an unknown source, then display an alternate graphic that says "THIS IS NOT THE REAL PAYPAL SITE!"
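Both ideas above (scanning the logs for foreign Referers, and picking a warning image when the Referer is not one of your own hosts) in one added Python example; this is not the post's own script, and the hostnames, paths and log lines are constructed for illustration:

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format, the same layout as the log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

def referer_is_trusted(referer, trusted_hosts):
    """True when the Referer host is one of our own domains (or a subdomain).
    An empty Referer ("-") is treated as trusted: privacy tools and some
    browsers omit it, so rejecting it would break the real site for them.
    This only catches phishers who leave the Referer alone; a proxy that
    strips or forges it will not be flagged."""
    if not referer or referer == "-":
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)

def choose_image(referer, trusted_hosts,
                 real="h3_bg.gif", warning="not_the_real_site.gif"):
    """Filename an image handler would serve for this request (hypothetical names)."""
    return real if referer_is_trusted(referer, trusted_hosts) else warning

def suspicious_referers(log_lines, trusted_hosts):
    """Count image hits per foreign Referer host: {host: hits}."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(IMAGE_EXT):
            continue  # not a parseable image request
        if referer_is_trusted(m["referer"], trusted_hosts):
            continue
        host = (urlsplit(m["referer"]).hostname or "<unparsable>").lower()
        hits[host] = hits.get(host, 0) + 1
    return hits

# Constructed sample log: two hits from our own site, two from a foreign page.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2007:09:59:58 -0500] "GET /images/h3_bg.gif HTTP/1.1" 200 1581 "http://www.example.net/style.css" "Mozilla/5.0"',
    '192.0.2.11 - - [05/Jan/2007:10:00:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 900 "https://www.example.net/login" "Mozilla/5.0"',
    '192.0.2.12 - - [05/Jan/2007:10:00:07 -0500] "GET /images/logo.gif HTTP/1.1" 200 900 "http://secure-update.example.org/login.htm" "Mozilla/5.0"',
    '192.0.2.13 - - [05/Jan/2007:10:00:09 -0500] "GET /images/h3_bg.gif HTTP/1.1" 200 1581 "http://secure-update.example.org/login.htm" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(suspicious_referers(SAMPLE_LOG, ["example.net"]))
```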
Who knows why they haven’t done this yet. I could whip up a script to do it in about an hour!