Anti Phishing Tools

 

SSD - Server side Detection - (updated 2007-07-29)

 
 
Protection against: funds transfer, simple phishing, MITM phishing, ISP pharming, trojan keylogger, advanced trojan
Detection: before-fraud, after-fraud
Ease to install
User usage (green=easy)
 
N/A
N/A
N/A
N/A
N/A
By Corp
N/A
 
N/A

Goal: help the SOC identify an upcoming phishing attack.
Installed by: business lines

We attach a link to a transparent 1x1 pixel image at the bottom of the page.
This link will never be followed, except by attackers downloading the whole website (or the main page).
Usually, an attacker setting up a phishing site has to crawl this page, and in doing so downloads the warning.php page (see script).
The download of this page can then trigger a special action.
You will have to adapt this source code to the server-side language you are using on your own Web site.

My opinion: you can only react to a fraud, but cannot prevent it, if you're acting too late, or if your Web site has been mirrored, and the phishing site is a copy.
At best, it can only be useful to launch prosecution against an attacker because you MAY have caught him in your logs.

Solution 1

In httpd.conf (if you're using Apache as a reverse proxy, or directly as a Web server), insert the following lines:

# Special file extension
AddHandler warning .war
Action warning /php/warning.php

In your main login page, insert a line such as the one below at the bottom of the page:

<a href=page.war><img src="pixel.png"></a>

Write a small PHP script (or use your preferred server-side scripting language) and save it in a file such as /php/warning.php:

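<?php
// Build a one-line description of the request that followed the hidden link.
// User-Agent and Referer are sent by the client and may be missing.
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '(none)';
$referer    = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '(none)';

$data_collected  = "Source Address : ";
$data_collected .= $_SERVER['REMOTE_ADDR'];
$data_collected .= " tried to reach ";
$data_collected .= $_SERVER['SERVER_NAME'];
$data_collected .= " ( ";
$data_collected .= $_SERVER['SERVER_ADDR'];
$data_collected .= " ) ";
$data_collected .= " using the URI : ";
$data_collected .= $_SERVER['REQUEST_URI'];
$data_collected .= " with user-agent : ";
$data_collected .= $user_agent;
$data_collected .= " and referer ";
$data_collected .= $referer;

//CHANGE the destination email address and from address
// The collected data goes in the message body; the last argument is the From header.
mail("warning@yourbank.com","POSSIBLE PHISHING PREPARATION",$data_collected,"From: crawler-detector@yourbank.com");
?>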

Solution 2


In your main login page, insert a line such as the one below at the bottom of the page:

<a href=php/warning.php><img src="pixel.png"></a>

Write a small PHP script (or use your preferred server-side scripting language) and save it in a file such as /php/warning.php:

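<?php
// Build a one-line description of the request that followed the hidden link.
// User-Agent and Referer are sent by the client and may be missing.
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '(none)';
$referer    = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '(none)';

$data_collected  = "Source Address : ";
$data_collected .= $_SERVER['REMOTE_ADDR'];
$data_collected .= " tried to reach ";
$data_collected .= $_SERVER['SERVER_NAME'];
$data_collected .= " ( ";
$data_collected .= $_SERVER['SERVER_ADDR'];
$data_collected .= " ) ";
$data_collected .= " using the URI : ";
$data_collected .= $_SERVER['REQUEST_URI'];
$data_collected .= " with user-agent : ";
$data_collected .= $user_agent;
$data_collected .= " and referer ";
$data_collected .= $referer;

//CHANGE the destination email address and from address
// The collected data goes in the message body; the last argument is the From header.
mail("warning@yourbank.com","POSSIBLE PHISHING PREPARATION",$data_collected,"From: crawler-detector@yourbank.com");
?>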
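
The email alert only shows the single decoy request. The following added example (not part of the original page) goes one step further and reads the Web server's access log to report the whole crawl around each decoy hit. It assumes the Apache "combined" log format and a login page served from the site root, so that the decoy links of Solutions 1 and 2 resolve to /page.war and /php/warning.php; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Decoy paths from Solution 1 and Solution 2 (assumes the login page is at the site root).
DECOY_PATHS = ("/page.war", "/php/warning.php")

# Apache "combined" log format (assumed).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def find_decoy_hits(lines, decoys=DECOY_PATHS):
    """Return one report per client address that requested a decoy path."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped
            by_ip[m["ip"]].append(m.groupdict())
    reports = []
    for ip, reqs in by_ip.items():
        # Compare the path only, so a query string does not hide a hit.
        hits = [r for r in reqs if r["uri"].split("?", 1)[0] in decoys]
        if hits:
            reports.append({
                "ip": ip,
                "first_hit": hits[0]["ts"],
                "decoy_uris": sorted({r["uri"] for r in hits}),
                "agents": sorted({r["agent"] for r in reqs}),
                "total_requests": len(reqs),  # size of the crawl around the hit
            })
    return reports

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2007:10:00:01 +0200] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Jul/2007:10:02:13 +0200] "GET /login.html HTTP/1.0" 200 5120 "-" "Wget/1.10.2"',
    '198.51.100.7 - - [29/Jul/2007:10:02:13 +0200] "GET /pixel.png HTTP/1.0" 200 95 "http://www.yourbank.com/login.html" "Wget/1.10.2"',
    '198.51.100.7 - - [29/Jul/2007:10:02:14 +0200] "GET /page.war HTTP/1.0" 200 0 "http://www.yourbank.com/login.html" "Wget/1.10.2"',
]

if __name__ == "__main__":
    for report in find_decoy_hits(SAMPLE_LOG):
        print(report)
```

Search-engine crawlers also follow hidden links, so check the user-agents and the request count in each report before escalating.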