April 11, 2006
Feedback on Hacker Takedown Article
Feedback to my Hacker Takedown Article
My latest article, http://www.infoworld.com/article/06/04/07/77154_15OPsecadvise_1.html, is generating feedback.
----------------
It was nice to see the dynamic DNS services getting some press in your security adviser newsletter. I've run DtDNS for seven years, providing dynamic DNS on free hosts as well as full domain names. While I'm one of the smaller services, I participate in DNSBL, one of the "informal groups" that you mentioned, to share information with many of the other players in the dynamic DNS market, as well as a handful of security firms. We receive daily reports and lists of confirmed malware, phishing, and other nasty sites that are quickly taken down after investigation. We also share domain names that are known to be "bad" and collectively deny service to them. It is an ongoing battle to keep the services clean and useful, but we will keep fighting the good fight.
Justin D. Scott
DtDNS Administrator
www.dtdns.com
----------------
From Robert:
Great article! I just joined the Anti-phishing working group and participate in MWP, DA, Botnets, etc. lists. And I can vouch for how hard Paul/Castlecops has been working. They've been posting PIRT alerts like crazy. And their integrated approach to reporting is an inspiration for a lot of what I'm working on. Their reports aggregate all the information that might be useful in getting the site taken down. (WHOIS, DNS, headers, etc.) I'm hoping to get an incident responders portal up that ties together with my malware registration server and malicious URLs workflow site. I've also been working with what I'm calling malware analysis frameworks.
The dynamic DNS stuff is definitely an issue. I've been seeing some of the botnet operators start running their own DNS servers. And they are using rackspace they pay for instead of hacked boxes. I also might have identified a dynamic DNS provider that is part of a criminal organization. Crazy stuff and it's getting more out of hand every day. Also I see you mentioned how proactive MS was on the last 0day. I hadn't realized they had done all that takedown work. Very cool. Their slew of lawsuits against phishers worldwide is pretty cool too. A good cause to use all those boatloads of money for and could have a bigger impact on their users than a new firewall or some such. I'm attaching the 0day we were working at the ISC yesterday. We submitted it for takedown as well. It handed out a different exploit based on useragent string.
--------------
From: Carol Anne Ogdin
Dear Roger:
The problem with rampant phishing is apathy. If more people would take the step of responding to the ISPs of phishers, the practice would stop.
Here's what I have been doing for a few months when I receive an obvious "phishing" message:
1. I look at the HTML code behind the message and find the bogus URL that the phisher is using. I go to that site; if it's not there, then it's been removed and I take no further action.
2. I use the Windows "tracert" command to trace the route to the entire bogus URL. The last several lines will usually identify the routers of vendors supplying access to that site. If the site is in countries I know to be uncooperative (e.g., China, Russia, Romania), I stop at this point.
3. I forward the message to the last two vendors on the list before the final line. I address the message to "abuse@" and "postmaster@", and set the subject line to "Your Customer is PHISHING," giving them four pieces of information:
   a. The bogus URL in the message (so they don't have to search for it),
   b. The IP address to which it resolves,
   c. The last five lines of the tracert text, so they can see for themselves the route to the site, and
   d. The original (forwarded) message I received.
4. I conclude my message with a polite request that they investigate and stop the phisher from preying on Internet users.
In about 75% of cases, when I look back in a day or so, the site is gone. In about 25% of cases, I get cordial "Thank you" notes from one or both of the ISPs I've notified.
If more of us would take the five minutes it takes to forward the message with diagnostic information to the people whose reputations could be harmed, these sites would get shut down within minutes of the first phishing eMail being sent.
As for the temporal nature of phishing sites: Yes, they move. And, often move to other domains. But, they tend to stick with the same IAP/ISP, because changing that usually incurs cost (save for Yahoo, and their ilk, who both make it easy to remain anonymous, and don't seem particularly interested in policing their membership).
Phishers can build a set of bogus pages and reuse them. They can have DNS access to dozens of domain names. But they have to have an account with some hosting service, and that (usually) costs money to set up, so it remains constant.
What's interesting to me is how many of these phishers create absolutely broken HTML (often in Word!), and end up sending the victim to the "real" site anyway! Phishing seems to be the mark of the "get rich quick" mindset, without much appreciation of proper or idiomatic English, or good design.
I install SpoofStick on all my clients' browsers, and teach them how to use it. When I see it turned off, it's a sign I need to engage in a little educational persuasion; it's seldom off a second time.
Carol Anne Ogdin
Deep Woods Technology, Inc
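Carol's four steps, and the aggregated take-down reports Robert describes, as an added example that is my own code and not from the post or any of its contributors: a Python script that pulls the real href out of a message's HTML (alongside the text the victim actually sees), parses Windows tracert output, picks the last two hops before the destination that answered (a hop that timed out identifies no provider, so it is skipped), and drafts the report with the four pieces of information. The HTML snippet and the tracert output are constructed samples that use reserved example names and RFC 5737 documentation addresses; the hop hostnames, the URL and the report wording are assumptions, and looking up each provider's abuse contact is left to the reporter.

```python
"""Draft a phishing abuse report from a message's HTML and Windows tracert output.
Added example, not code from the original post or its contributors; it assumes both
artefacts were captured by hand and embeds constructed samples of each."""
import re
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: visible link text differs from the real href (reserved names only).
SAMPLE_HTML = """<p>Your account has been suspended. Verify now:
<a href="http://www.example-phish.test/login">http://www.bank.example/</a></p>"""

# Constructed sample of `tracert` output using RFC 5737 documentation addresses.
SAMPLE_TRACERT = """Tracing route to www.example-phish.test [198.51.100.23]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    14 ms    13 ms    14 ms  core1.isp-a.example.net [203.0.113.5]
  3     *        *        *     Request timed out.
  4    30 ms    29 ms    31 ms  border.transit.example.org [203.0.113.77]
  5    44 ms    45 ms    44 ms  edge.hostco.example.com [192.0.2.9]
  6    46 ms    45 ms    46 ms  198.51.100.23

Trace complete."""

class Hop(NamedTuple):
    number: int
    hostname: Optional[str]  # None when the hop timed out or has no reverse DNS
    ip: Optional[str]        # None when the hop timed out

class _LinkCollector(HTMLParser):
    """Step 1: pair each anchor's real href with the text the victim sees."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def extract_links(html: str) -> List[Tuple[str, str]]:
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links

TARGET_RE = re.compile(r"Tracing route to \S+ \[([0-9.]+)\]")
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:(?:<?\d+\s*ms|\*)\s+){3}(.*?)\s*$")
ENDPOINT_RE = re.compile(r"^(?:(\S+)\s+\[)?([0-9.]+)\]?$")  # "host [ip]" or bare "ip"

def parse_tracert(output: str) -> Tuple[Optional[str], List[Hop]]:
    """Step 2: return (destination IP, hops) parsed from tracert output."""
    target = TARGET_RE.search(output)
    hops: List[Hop] = []
    for line in output.splitlines():
        hop = HOP_RE.match(line)
        if not hop:
            continue
        number, rest = int(hop.group(1)), hop.group(2)
        endpoint = ENDPOINT_RE.match(rest)
        if endpoint:
            hops.append(Hop(number, endpoint.group(1), endpoint.group(2)))
        else:  # "Request timed out." or anything else that names no endpoint
            hops.append(Hop(number, None, None))
    return (target.group(1) if target else None), hops

def responsible_hops(hops: List[Hop], count: int = 2) -> List[Hop]:
    """Step 3: the last `count` hops before the destination that answered;
    timed-out hops name no provider, so they are skipped."""
    answered = [h for h in hops[:-1] if h.ip is not None]
    return answered[-count:]

def draft_report(bogus_url: str, dest_ip: str, hops: List[Hop], original: str) -> str:
    """Steps 3-4: the four items of evidence plus the closing request."""
    lines = ["Subject: Your Customer is PHISHING", "",
             f"a. Bogus URL in the message: {bogus_url}",
             f"b. IP address it resolves to: {dest_ip}",
             "c. Last five lines of tracert:"]
    for h in hops[-5:]:
        lines.append(f"   {h.number:>3}  {h.hostname or '-':<28} {h.ip or 'timed out'}")
    lines += ["d. Original (forwarded) message:", original, "",
              "Please investigate and stop this customer from preying on Internet users."]
    return "\n".join(lines)

if __name__ == "__main__":
    (href, shown), = extract_links(SAMPLE_HTML)
    dest, hops = parse_tracert(SAMPLE_TRACERT)
    print("visible", shown, "-> real", href, "| notify:", [h.hostname for h in responsible_hops(hops)])
    print(draft_report(href, dest, hops, SAMPLE_HTML))
```

On the sample data the script reports hops 4 and 5 (border.transit.example.org and edge.hostco.example.com) as the two providers to notify, because hop 3 timed out and carries no name; the destination hop itself is never chosen, since it is the phisher's own host.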
Posted by Roger Grimes on April 11, 2006 08:52 AM