[WEB SECURITY] Google Redirect URL actively used for Phishing
Brian Eaton
eaton.lists at gmail.com
Tue Aug 22 17:44:10 EDT 2006
The old thread talks about using referers to block malicious users.
That's just not going to work, the malicious types can adapt too
easily. The redirectors have a different problem to solve. They want
to detect normal users who are falling victim to phishing scams. The
redirecting site can afford false negatives, where they occasionally
fail to detect a phishing redirect. So long as they weed out some
significant portion of the phishing links, they can declare victory.
But they can't afford false positives - if they start detecting
legitimate redirects as phishing redirects, that will cost them time
and money.
I haven't really looked into whether referers are reliable enough to
give a very low false positive rate with an acceptable false negative
rate. People still use referers to prevent image leeching, which
seems to be a very similar application.
I guess if referers are really too unreliable, they'd have to go for a
white list of acceptable destinations or a black list of phishing
sites. The black list will be less effective, but might be easier to
maintain.
Regards,
Brian
On 8/22/06, RSnake <rsnake at shocking.com> wrote:
>
> Doesn't work. Check out this old thread where we already discussed
> this: http://seclists.org/webappsec/2005/q1/0417.html
>
> Plus there are plugins like WebDeveloper in Firefox that optionally turn
> it off too now. In my experience, referrer is the second most
> spoofed/removed header, right after user agent.
>
> -RSnake
> http://ha.ckers.org/
>
> On Tue, 22 Aug 2006, Evert | Rooftop wrote:
>
> > Just a side note,
> >
> > but wouldn't it be better if, for example, google did a check of the Referer:
> > http header and only redirected if this is correct (and perhaps, if it isn't,
> > show a page with a link and explanation instead)
> >
> > Evert
> >
> >
> > Brian Eaton wrote:
> >> On 8/22/06, Collin Jackson <collinj at cs.stanford.edu> wrote:
> >>> This is not new. I've seen phishing sites using this technique for over a
> >>> year.
> >>
> >> I'd like to take a careful look at when new phishing techniques
> >> appear, and how long they persist. Techniques that don't succeed in
> >> fooling users will probably go away. Techniques that tip off spam
> >> filters will probably go away. Techniques that turn out to be
> >> effective will persist, at least until somebody figures out how to
> >> block those techniques. Oddly enough, using proper spelling doesn't
> >> appear to be a requirement for a phishing e-mail to be successful,
> >> since the phishing gangs still haven't started using spell checkers.
> >> I'm waiting to see whether that citibusiness web site with the
> >> two-factor auth gets phished again. Maybe 2FA made that phishing run
> >> uneconomical?
> >>
> >> If bouncing redirects through trusted domain names has been going on
> >> for over a year, it must be a useful technique to fool people into
> >> clicking on links. Maybe it's time for those well-known domains to
> >> step up and remove those redirectors?
> >>
> >> Regards,
> >> Brian
> >>
> >
>
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
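The trade-off discussed in this thread, a redirector that can tolerate false negatives but not false positives, uses the Referer only as a soft signal (since it is often stripped or spoofed) and leans on a destination allowlist plus a phishing blocklist, as an added example in Python. This is not code from the thread or from any redirector operator; the redirector hostname, the allowlist, the blocklist entry and the sample requests are constructed.

```python
"""Redirector decision policy for requests of the form /url?q=<target>.

Added example, not code from the thread. All hostnames below are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

REDIRECTOR_HOST = "redirector.example"                     # constructed: site hosting /url?q=
TRUSTED_DESTINATIONS = {"docs.example", "news.example"}    # constructed allowlist
PHISHING_BLOCKLIST = {"phish-example.invalid"}             # constructed blocklist entry


def decide(target: str, referer: Optional[str]) -> str:
    """Return 'redirect', 'interstitial' or 'block' for one redirect request.

    A missing or foreign Referer never blocks on its own: legitimate users
    with Referer stripped would be false positives. It only downgrades the
    request to an interstitial page that shows the destination.
    """
    parts = urlsplit(target)
    # Anything that is not an absolute http(s) URL with a host is never a
    # legitimate destination (covers javascript:, data:, and scheme-relative //host).
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block"
    host = parts.hostname.lower()

    # Known phishing destinations are refused outright, whatever the Referer says.
    if host in PHISHING_BLOCKLIST:
        return "block"

    # Allowlisted destinations (and their subdomains) are followed directly.
    if host in TRUSTED_DESTINATIONS or host.endswith(
        tuple("." + d for d in TRUSTED_DESTINATIONS)
    ):
        return "redirect"

    # A click on the redirector's own pages (e.g. a search result) is the
    # normal case for an unknown destination, so it is still followed.
    if referer:
        ref_host = urlsplit(referer).hostname
        if ref_host and ref_host.lower() == REDIRECTOR_HOST:
            return "redirect"

    # Unknown destination reached without a trustworthy Referer (typical of a
    # link clicked from an e-mail): show the destination and an explanation
    # instead of redirecting silently. A stripped Referer costs one extra click,
    # not a blocked legitimate redirect.
    return "interstitial"


if __name__ == "__main__":
    for tgt, ref in [("http://docs.example/p", None),
                     ("http://unknown.example/login", "http://mail.example/inbox"),
                     ("//evil.example/x", None)]:
        print(f"{tgt!r:40} referer={ref!r:38} -> {decide(tgt, ref)}")
```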