Phishing Questions

By balaji

November 26, 2006

Our series of articles on Phishing - Protection , Detection , and Incident Response evoked several questions. In this issue, we answer three of the most interesting questions we came across. Please keep the questions flowing, thank you!

1. Which logs should we analyze when we're under a phishing attack?

Here are the logs we have found most useful to review:

  1. Authentication logs of the application
    • Check for a large number of successful logins from the same IP
    • Check for a large number of failed logins from the same IP
  2. Transaction logs of the application
    • Check for a sudden surge in transactions to one destination account
    • Look for transactions in dormant accounts
  3. W3C access logs of the web server
    • Check for rapid requests for the login page from the same IP
    • Check for requests for images without an earlier request for the home page
  4. W3C extended logs of the web server
    • Look for suspicious external sites in the referrer field
    • Look for IP addresses in the referrer field

2. How can I track the activities of the phisher?

Honeytokens for phishing (a.k.a. phoneytokens) are one of the best methods to track phishers. Here is how to set them up, taking a bank as an example:

  1. Create a few fake user accounts on your banking website
  2. Populate each fake account with a few fake transactions
  3. Keep a sizable account balance in these fake accounts
  4. Customize the application to alert on and log all activity on these accounts
  5. When a phishing attack is detected, respond by submitting the fake user IDs at the phisher's site
  6. When the phisher or his cohorts check out the harvested logins, they will try the fake accounts too
  7. That triggers alerts from the application, and the application also logs all of the phisher's activity

Why are phoneytokens a good idea? Many phishers we have seen are very patient and work slowly. Their stealthy approach evades traditional log analysis and fraud detection. In such cases, phoneytokens are a reliable method to track the activity pattern of the phisher and his associates.

3. How can I find out how many of our users have fallen victim to a phishing attack?

There are two methods you can try to figure out the approximate number of victims:

  1. Study the phisher's email to see whether it pulls images from your website. If it does, then when the email is opened your web server's log will show the image being requested with a blank referrer field. [Normally, the referrer field points to your own web site.] The number of image requests with a blank referrer gives the minimum number of users who opened that email. [Please note that email clients such as Outlook may block the image while still letting the user read the email.]
  2. If the phisher's site pulls images from your site, count the entries in your extended web server logs whose referrer field points to the phisher's site: that tells you the number of visits to the phisher's site, since every visit generates such referrer entries.
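A small parser for W3C extended access logs that applies the referrer and login-page checks from questions 1 and 3 above. This is an added illustration, not code from the original article; the log lines, host names and field layout are constructed, and the `#Fields` directive is assumed to carry a `cs(Referer)` column.

```python
import re
from collections import Counter

# Constructed sample of W3C extended log lines (IIS-style); not real data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2006-11-20 09:00:01 203.0.113.5 GET /images/logo.gif 200 -
2006-11-20 09:00:02 203.0.113.6 GET /images/logo.gif 200 -
2006-11-20 09:00:03 203.0.113.7 GET /images/logo.gif 200 http://www.example-bank.test/
2006-11-20 09:01:10 203.0.113.8 GET /images/logo.gif 200 http://phish.example.invalid/login.html
2006-11-20 09:01:11 203.0.113.9 GET /images/logo.gif 200 http://phish.example.invalid/login.html
2006-11-20 09:02:00 198.51.100.2 GET /login.aspx 200 http://www.example-bank.test/
2006-11-20 09:02:01 198.51.100.2 GET /login.aspx 200 -
2006-11-20 09:02:02 198.51.100.2 GET /login.aspx 200 -
"""

OWN_HOST = "www.example-bank.test"  # assumed hostname of the bank's own site

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def referrer_host(ref):
    """Return the lower-cased host of a referrer URL, or None for '-' / junk."""
    m = re.match(r"https?://([^/]+)", ref)
    return m.group(1).lower() if m else None

def analyze(text, image="/images/logo.gif", login="/login.aspx"):
    blank_ref_image = 0        # image fetched with no referrer: mail opened (Q3, method 1)
    external_refs = Counter()  # foreign hosts embedding our image (Q1 item 4, Q3 method 2)
    login_hits = Counter()     # login-page requests per client IP (Q1 item 3)
    for r in parse_w3c(text):
        host = referrer_host(r["cs(Referer)"])
        if r["cs-uri-stem"] == image:
            if r["cs(Referer)"] == "-":
                blank_ref_image += 1
            elif host and host != OWN_HOST:
                external_refs[host] += 1
        if r["cs-uri-stem"] == login:
            login_hits[r["c-ip"]] += 1
    return {"email_opens_min": blank_ref_image,
            "external_referrers": dict(external_refs),
            "login_requests_by_ip": dict(login_hits)}
```

The blank-referrer count is a lower bound, as the article notes, because mail clients that block remote images never make the request.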

Tags: Best Practices
