A recent blog post about the Google Blacklist brought up a thought I had a while ago about reducing the effectiveness of phishing. In his post Michael says that “The pages are generally exact replicas of the original web page and generally pull graphics (*.jpg, *.gif, etc.) from the legitimate web site.” This has been my experience as well: the phishing page actually includes graphics from the legitimate site.
I can see a couple of reasons for this.
- The phishers have some concern about bandwidth usage or disk space usage on their hosts
- When the page is loading, some browsers will say “waiting for www.paypal.com” which helps to make the site appear more legitimate.
- Phishers are lazy and don’t want the added work of changing the source and uploading more files to their web host
In any case, the fact that these phishing sites are pulling graphics from the legitimate site provides an easy way for the target site to identify phishing sites. On 90% (or more) of browsers, when the browser requests a graphic, it sends an HTTP_REFERRER header (the actual header name on the wire is “Referer”) that tells the web server which page included the graphic.
For example, if you are hitting my site now, your browser requested this graphic:
When your browser requested it, it also told my web server which page the request originated from. This is the default behavior for all major browsers. The request in my Apache log looks like this:
```
184.108.40.206 - - [05/Jan/2007:09:59:58 -0500] "GET /wp-content/themes/cordobo-green-park-09-beta-09/images/h3_bg.gif HTTP/1.1" 200 1581 "http://www.brandonchecketts.com/wp-content/themes/cordobo-green-park-09-beta-09/style.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:220.127.116.11) Gecko/20061204 Firefox/18.104.22.168"
```
Basically, your web browser asked my server for the graphic, and told it that the page which instructed it to do so was the “style.css” file (the second quoted string in the log line is the referrer).
The phishing targets (PayPal, eBay, Bank of America, etc) could easily look through their logs to identify those phishing sites that are including their graphics.
Or, better yet, instead of just displaying the static images, they could program their web server to look at the HTTP_REFERRER field on each request. If it comes from a legitimate source, then display the normal graphic. If it comes from an unknown source, then display an alternate graphic that says “THIS IS NOT THE REAL PAYPAL SITE!”
Who knows why they haven’t done this yet. I could whip up a script to do it in about an hour!
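Here is an added example of both ideas above (it is not code from the original post): a parser for Apache “combined” log lines that tallies image requests whose referrer host is not on an allowlist, and a `choose_image()` function that a server could use to decide whether to send the normal graphic or the “THIS IS NOT THE REAL SITE” graphic. The allowlist, file names and log lines are constructed for the example; the real header name checked is `Referer`.

```python
import re
from urllib.parse import urlsplit

# Hosts allowed to embed our graphics (constructed allowlist for this example).
ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (documentation IP range, made-up phishing host).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jan/2007:09:59:58 -0500] "GET /images/logo.gif HTTP/1.1" 200 1581 "https://www.paypal.com/login" "Mozilla/5.0"',
    '203.0.113.6 - - [05/Jan/2007:10:00:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 1581 "http://paypa1-secure.example/verify.php" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2007:10:00:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 1581 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [05/Jan/2007:10:00:03 -0500] "GET /images/logo.gif HTTP/1.1" 200 1581 "http://paypa1-secure.example/verify.php" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jan/2007:10:00:04 -0500] "GET /login HTTP/1.1" 200 2048 "http://evil.example/" "Mozilla/5.0"',
]


def referer_host(referer):
    """Return the lowercase host from a Referer value, or None if absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify_referer(referer, allowed=ALLOWED_HOSTS):
    """Classify a Referer value as 'trusted', 'unknown' or 'missing'."""
    host = referer_host(referer)
    if host is None:
        return "missing"
    return "trusted" if host in allowed else "unknown"


def choose_image(referer, allowed=ALLOWED_HOSTS):
    """Decide which file to serve for a graphic request.

    A missing referrer is served the real graphic: privacy tools and some
    proxies strip the header, so treating 'missing' as hostile would warn
    legitimate users. Only a present, unknown referrer gets the warning image.
    """
    if classify_referer(referer, allowed) == "unknown":
        return "warning_not_real_site.gif"
    return "logo.gif"


def find_suspicious_embedders(log_lines, allowed=ALLOWED_HOSTS):
    """Count image requests per unknown referrer host: {host: request_count}."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        if not re.search(r"\.(gif|jpe?g|png)$", path, re.I):
            continue  # only graphics are interesting here
        referer = m.group("referer")
        if classify_referer(referer, allowed) == "unknown":
            host = referer_host(referer)
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in sorted(find_suspicious_embedders(SAMPLE_LOG).items()):
        print(f"{host}: {n} image request(s) with an unknown referrer")
```

Two caveats a practitioner would keep in mind: the referrer is supplied by the client, so a phisher who hosts copies of the graphics, or strips the header, is invisible to this check; and the warning image should be served only for a present but unknown referrer, never for an absent one, to avoid alarming legitimate users behind referrer-stripping proxies.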
One thought on “What companies can do to avoid phishing scams”
After posting a comment on Michael Sutton’s blog (the one I referenced), I was torn apart there.
Nick pointed out this Washington Post article that explains that e-Gold actually did this for some time (not sure if they still do). After reading the Washington Post article, I think that the targets may have more to gain by letting the phishers continue to link to their images. At least that way they can identify the ‘unprofessional’ phishers and work to shut them down.
Since most phishing attacks end up sending the user back to the legitimate site, I think the idea of checking the referrer at that point against a list of known phishing sites still has some merit. Even if the referrer is a known redirector, it could still raise flags. This could potentially alert the legitimate user that their personal information may have been stolen, or deny large withdrawals from the user’s account until the customer’s identity has been further verified.