Anti Phishing Tools

 

NBL - Network Block Location - (updated 2007-07-29)

 
 
Ratings for this tool (cells are colour coded on the original page, green=easy):

Protection against...                                                                              Detection...                 Ease to install   User usage
funds transfer   simple phishing   MITM phishing   ISP pharming   trojan keylogger   advanced trojan   before-fraud   after-fraud
N/A              N/A               N/A             N/A            N/A                N/A               By user

Goal: warn the user about his last access
Installed by: business lines

The solution here is to warn the user about the date, time and location of his previous connection. The user may become suspicious if he discovers that the previous login was performed from another country, or at a time when he was not in front of a computer.
This sample script is written in PHP, so you will have to adapt it to your preferred application server language.
Two methods can be used to easily translate an IP address into the country it comes from: either the "whois" application, or a local database.
I personally use "php-whois" from sourceforge.net to get a Web application "whois" client. "php-whois" is available here. Nevertheless, I advise you to modify the whois server list, as some ccTLDs are missing. You'll find a more complete list here.
If you intend to use a local database (which is the preferred way, since the whois servers may ban you if you launch too many requests), then you can get an "IP-to-Country" database (see here).



PHP Page using whois

<?php
// We use a MySQL connection, kept simple for readability, to store user data. Our database
// (mydatabase) has a table (previous_login_table) with a field (previous_ip_field).
// $user_id is a variable available on the page referring to the logged-in user.

// Use phpwhois: include its whois.main.php
include('whois.main.php');
$whois = new Whois();

$mysql_link = mysql_connect("server_location", "user1", "password");
mysql_select_db("mydatabase", $mysql_link);
// Quote and escape the user id so it cannot alter the query.
$query = "SELECT previous_ip_field FROM previous_login_table WHERE user_id='".mysql_real_escape_string($user_id, $mysql_link)."' LIMIT 1";
$result = mysql_query($query, $mysql_link);
if ($result && mysql_num_rows($result)) {
  // Fetch the stored IP address string; the query result itself is only a resource handle.
  $previous_ip = mysql_result($result, 0, 'previous_ip_field');
  // phpwhois Lookup() returns an array with 'rawdata' (the raw server answer, one line per entry) and 'regrinfo'.
  $whois_result = $whois->Lookup($previous_ip);
  $location_from = "an unknown location";
  // Look for the "country:" line in the raw whois answer.
  foreach ($whois_result['rawdata'] as $line) {
    if (preg_match('/^country:\s*(\S+)/i', $line, $m)) {
      $location_from = $m[1];
      break;
    }
  }
  // Escape before printing: whois data is untrusted input.
  print " Your last connection occurred from ".htmlspecialchars($location_from);
} else {
  // no match
}
mysql_close($mysql_link);
?>


PHP Page using ip-to-country database

<?php
// We use a MySQL connection, kept simple for readability, to store user data. Our database
// (mydatabase) has a table (previous_login_table) with a field (previous_ip_field).
// $user_id is a variable available on the page referring to the logged-in user.

// We use the local ip-to-country file, loaded into a table (begin_ip, end_ip, country2, country3, country) with
// LOAD DATA INFILE 'ip-to-country.csv' INTO TABLE `ip-to-country-table` FIELDS TERMINATED BY ',';
// (the table name contains hyphens, so it has to be backquoted in every query)

$mysql_link = mysql_connect("server_location", "user1", "password");
mysql_select_db("mydatabase", $mysql_link);
// Quote and escape the user id so it cannot alter the query.
$query = "SELECT previous_ip_field FROM previous_login_table WHERE user_id='".mysql_real_escape_string($user_id, $mysql_link)."' LIMIT 1";
$result = mysql_query($query, $mysql_link);
if ($result && mysql_num_rows($result)) {
  // Fetch the stored IP address string; the query result itself is only a resource handle.
  $previous_ip = mysql_result($result, 0, 'previous_ip_field');
  // Convert the dotted address to the decimal form used by the table: a.b.c.d -> a*256^3 + b*256^2 + c*256 + d
  $decimal = 0;
  $multi = 16777216; // 256^3
  foreach (explode(".", $previous_ip) as $octet) {
    $decimal = $decimal + ((int)$octet * $multi);
    $multi = $multi / 256;
  }
  // On 32-bit PHP the value may have become a float; print it as a plain integer for the query.
  // $decimal is a number we computed ourselves, so it is safe to embed. Ranges are inclusive on both ends.
  $decimal = sprintf('%.0f', $decimal);
  $query = "SELECT country FROM `ip-to-country-table` WHERE $decimal >= begin_ip AND $decimal <= end_ip LIMIT 1";
  $country_result = mysql_query($query, $mysql_link);
  if ($country_result && mysql_num_rows($country_result)) {
    $country = mysql_result($country_result, 0, 'country');
  } else {
    $country = "an unknown location";
  }
  print " Your last connection occurred from ".htmlspecialchars($country);
} else {
  // no match
}
mysql_close($mysql_link);
?>
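The same lookup, written here as an added example in Python rather than PHP (the page's scripts are the author's; this block is not from the original page). It does what the second script does without a database: converts the dotted address to the decimal form the ip-to-country table uses, finds the inclusive range containing it, and builds the "last connection" message. The table rows, country names and IP values below are constructed for the example and are not real allocations; the function names are this example's own.

```python
import bisect
from datetime import datetime, timezone

# Constructed sample of an ip-to-country style table: (begin_ip, end_ip, country2, country3, country),
# with begin/end in the decimal form of the dotted address, as in the table loaded by LOAD DATA INFILE.
# The ranges and country values are made up for this example and are not real allocations.
IP_TO_COUNTRY = sorted([
    (3232235520, 3232301055, "XB", "XBB", "CONSTRUCTED-B"),  # 192.168.0.0 - 192.168.255.255
    (167772160, 184549375, "XA", "XAA", "CONSTRUCTED-A"),    # 10.0.0.0    - 10.255.255.255
    (2886729728, 2887778303, "XC", "XCC", "CONSTRUCTED-C"),  # 172.16.0.0  - 172.31.255.255
])
_BEGINS = [row[0] for row in IP_TO_COUNTRY]  # sorted keys for the binary search

# Constructed timestamp of the previous login used in the demo below.
SAMPLE_PREVIOUS_TIME = datetime(2007, 7, 29, 14, 5, tzinfo=timezone.utc)


def ip_to_decimal(ip: str) -> int:
    """Dotted IPv4 string -> decimal, the same arithmetic as the octet loop in the PHP script:
    a.b.c.d -> a*256^3 + b*256^2 + c*256 + d. Raises ValueError on anything that is not
    four octets in 0..255, so a malformed stored value never reaches a query."""
    octets = ip.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted IPv4 address: {ip!r}")
    decimal = 0
    multi = 16777216  # 256^3
    for octet in octets:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {ip!r}")
        decimal += int(octet) * multi
        multi //= 256
    return decimal


def country_for_ip(ip: str):
    """Country name of the range containing ip, or None when no range matches.
    Ranges are inclusive on both ends; a binary search over begin_ip replaces the
    'WHERE decimal >= begin_ip AND decimal <= end_ip' table scan of the SQL version."""
    decimal = ip_to_decimal(ip)
    i = bisect.bisect_right(_BEGINS, decimal) - 1
    if i < 0:
        return None
    begin, end, _c2, _c3, country = IP_TO_COUNTRY[i]
    return country if begin <= decimal <= end else None


def last_login_warning(previous_ip: str, previous_time: datetime) -> str:
    """Message shown to the user after login: date, time and location of the previous connection.
    A malformed or unmapped address is reported as an unknown location rather than hidden."""
    try:
        country = country_for_ip(previous_ip)
    except ValueError:
        country = None
    where = country if country else "an unknown location"
    stamp = previous_time.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    return f"Your last connection occurred on {stamp} from {where} (IP {previous_ip})."


if __name__ == "__main__":
    print(last_login_warning("10.20.30.40", SAMPLE_PREVIOUS_TIME))
    print(last_login_warning("8.8.8.8", SAMPLE_PREVIOUS_TIME))
```

Showing the time together with the country is what lets the user notice a login made while he was away from any computer; the unknown-location branch matters because a gap in the table must not silently suppress the warning.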

You may also extend this script so that it acts as an indicator for alerting customers (by phone or otherwise) when someone is trying to transfer money from a foreign country.
You may also insert a message telling the user when he last logged in.
You can also use this script as the starting point of a risk-based authentication approach. Some commercial solutions (such as those from RSA efraud) already use this risk approach. Another piece of information worth collecting is the "Accept-Language" header sent by the client browser: the Accept-Language may reveal the fraudster's language rather than the user's usual one.
Again, it would be possible to use SEC (Simple Event Correlator) to define rules that identify languages and network blocks and decide whether the combination is a plausible one or not.
We could also have a system working as follows: when the network block is different from the server country, we generate a random code and ask a voice server to phone the user and read out the code. If the user is expecting the phone call, he enters the code and is authenticated; otherwise, he ignores it.
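The risk rules and the phone-call step described in the last three paragraphs, as an added Python example (not code from the original page, and not SEC's own rule syntax). It takes the country already resolved for the login and for the previous login, the Accept-Language header, and returns which rules fired and the resulting action; the code-issuing and code-checking functions show the properties the phone code needs (unpredictable, short-lived, limited attempts, single use). The server country, the customer's usual languages, the rule names and the action names are assumptions made for this example.

```python
import hmac
import secrets
import time

# Constructed reference data for the example: the country the application is served from,
# and the languages this customer normally sends in Accept-Language.
SERVER_COUNTRY = "XA"
USUAL_LANGUAGES = {"fr", "en"}
CODE_TTL_SECONDS = 300   # the spoken code is only valid for a few minutes
CODE_ATTEMPTS = 3        # a handful of tries, so the code cannot be found by retrying


def primary_language(accept_language: str) -> str:
    """First language tag of an Accept-Language header, reduced to its base language,
    e.g. 'fr-FR,fr;q=0.9,en;q=0.8' -> 'fr'. Empty string if the header is absent."""
    if not accept_language:
        return ""
    first = accept_language.split(",")[0].split(";")[0].strip().lower()
    return first.split("-")[0]


def risk_signals(login_country, previous_country, accept_language,
                 server_country=SERVER_COUNTRY, usual_languages=USUAL_LANGUAGES):
    """Rules in the spirit of the SEC correlation rules suggested above; each appends a label
    when it fires. login_country/previous_country are the countries of the network blocks
    (None when the ip-to-country lookup found nothing)."""
    fired = []
    if login_country is None:
        fired.append("unknown_network_block")
    elif login_country != server_country:
        fired.append("foreign_network_block")
    if login_country and previous_country and login_country != previous_country:
        fired.append("country_changed_since_last_login")
    lang = primary_language(accept_language)
    if lang and lang not in usual_languages:
        fired.append("unusual_accept_language")
    return fired


def decide(fired):
    """Map the fired rules to an action: step up to the phone call when the network block
    is foreign or unknown, alert the business line on weaker signals, otherwise allow."""
    if "foreign_network_block" in fired or "unknown_network_block" in fired:
        return "phone_verification"
    if fired:
        return "alert_business_line"
    return "allow"


def issue_phone_code(now=None):
    """Random code the voice server reads to the user. secrets gives an unpredictable value;
    expiry and an attempt counter bound how long and how often it can be tried."""
    now = time.time() if now is None else now
    return {"code": f"{secrets.randbelow(10**6):06d}",
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts_left": CODE_ATTEMPTS}


def verify_phone_code(challenge, entered, now=None):
    """True exactly once, for the right code entered before expiry; every call burns an attempt.
    The constant-time comparison avoids leaking how many digits matched."""
    now = time.time() if now is None else now
    if challenge["attempts_left"] <= 0 or now > challenge["expires_at"]:
        return False
    challenge["attempts_left"] -= 1
    ok = hmac.compare_digest(challenge["code"], str(entered))
    if ok:
        challenge["attempts_left"] = 0  # single use
    return ok


if __name__ == "__main__":
    fired = risk_signals("XC", "XA", "fr-FR,fr;q=0.9")
    print(fired, "->", decide(fired))
    challenge = issue_phone_code()
    print("code read out by the voice server:", challenge["code"])
    print("user enters it:", verify_phone_code(challenge, challenge["code"]))
```

The decision only escalates to the phone call on the network-block rule, as the page proposes; the Accept-Language mismatch on its own is treated as a weaker signal worth an alert rather than a blocked login, because the header is easy to change and a legitimate user travelling with a different browser profile will trip it.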