Pishing Ain’t Easy

Yesterday evening I created a small pishing demo for my class tonight. I essentially scraped the ebay login site, and made the POST action on the login form forward to an aptly named pwnt.html. The idea was to illustrate a “live” pish attempt in a safe, controlled environment. I would pull it up on the screen, then attempt to log in, and have the “YOU WERE PWND!” page come up. Then I would back up, and ask students about how they could distinguish it from the real Ebay login.

It all seemed like a great idea in my head. Unfortunately, I didn’t realize just how fast and efficient the anti-pishing league of justice can be these days. Today I visited the site and this is what I saw:

[Screenshot: Flagged by Firefox]

Flagged and tagged! It appears that Google and Firefox now know about my evil pishing ways. But that’s not all. This is what I found in my email this morning:

Hello,

We were wondering if ***/~maciakl1/ebay/index.htm is part of some project and thus not a phish with criminal intentions. Would you have further information?

Thank you very much in advance.
Best regards,


Michael MOLSNER
Kaspersky Labs Japan
Anti-Phishing Group

Holy shit! These people work fast! I’m totally impressed. I’m just a little bit upset about being flagged this way, but I guess I can use it as part of the lesson. How do you identify a pishing website? Well, if Firefox haets it – you probably have no business going there! I don’t really use that site for anything other than random classroom stunts like that so I’m not overly concerned. If Terminally Incoherent got flagged this way I would be totally freaking out. That other site – meh. I can live with that. Hopefully I can figure out a way to get myself off the blacklist – which might be a topic for a whole new post. :P

I wonder if this is the usual turnaround time? I’m suspecting that maybe my site got indexed by Google at some point – or perhaps they are just monitoring Netdrive because of past exploits. Or perhaps some ebay script detected the 2-3 POST requests sent from my site when I was testing and fired an automated pish report? I don’t know, but if they snagged me this fast then it means that a lot of other pishing gets canned this fast too.

I used to think that the lifetime of a pished website may be a few days – maybe up to a week or two. Now I see that in some circumstances it might be hours before it gets flagged and visitors get nasty warning messages from their browser or anti-pish software. So I guess pishing ain’t easy – not as easy as it looks. My window of opportunity to do the most damage was maybe 3-4 hours – which is not much. It might be enough to snag a few accounts though. After you get flagged the effectiveness of the pish is diminished due to these warnings. Not to mention that once you are on that list, it’s just a matter of time before your host gets enough complaints to take you down.

Which makes me wonder when I will get the angry letter/phone call from the sysadmin. Perhaps he will send minions up to my office on the 3rd floor to set up an ambush and verbally berate me when I arrive this evening. Oh wait, that won’t happen. Both the Sysadmin and the minions – as well as 99% of the University staff – fall into Torpor state exactly at 4:05 pm. Which means that they start leaving campus, or burrow deep in their lairs around 3pm. So if you teach (or take) an evening class you will never actually see them. :P


13 Responses to Pishing Ain’t Easy

  1. jambarama says:

    Sounds like you run a fun class, and one that should probably be more broadly taken. Have you thought about writing up your lessons into a basic computer book, and including the examples on a website the book directs users towards? I think a lot of people could benefit from the stuff you do in your class, and you could make a bundle of money.

    And yeah that definitely surprises me that the phishing groups found it so fast. I read a post somewhere a while ago how phishing sites are found. Basically the good guys spider websites running comparisons between the site and common phishing targets (ebay, banks, paypal, etc). Positive matches are published and shared among those protecting against phishing. Maybe a spider found you that fast, but I doubt it.

    I know FF has two ways of checking phishing sites – a black list from google, and submitting each visited page to google to test. I prefer the black list (google knows enough about me without having a list of every website I visit), but it could be someone (maybe you?) had the second type of filter on, visited the site, thus the site was submitted to google, and the google phishing filter found substantial similarities between your site and ebay. End result: you got flagged.

    Anyhow, good to know the anti-phishers are so johnny on the spot. Now if only I could get some of my users to upgrade to FF or IE 7.

  2. coaster says:

    It looks to me as if one of your students has reported the site – according to the message on the screen – and not the security firms/IE/FF finding it themselves.
    Same goes for the email. I am betting someone has clicked – this is not a phishing site link.

  3. Matt` says:

    It’s also flagged as dangerous by the Firefox plugins “WOT” and McAfee Site Advisor. All the anti-phishing guys probably pool information, so no big surprise that every defence goes off at once :lol:

  4. Matt` says:

    Out of interest, what do you tell them in the way of how to recognise such sites?

    The obvious one would be the domain not being ebay.com, although that can be hidden more cleverly using subdomains (e.g. http://signin.ebay.com.evilphishers.com, but with a slightly less obvious name than “evilphishers”). Anywhere where ebay would refer to you by name, like in their emails, will be a giveaway when the phishers just call you customer.. the links given in emails you can check the URL of too…

    Obviously any mistakes in the reproduction of the real page will be a pretty big flag.

    Easiest way to avoid all the crap is to always go to the homepage by typing it in yourself, instead of clicking links in emails – if there’s some important account upgrade they need you to do (not that there ever really is) then it’ll be available from logging into the main page.

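The domain check described in the comment above, as an added example that is not part of the original post or its comments. It reads a link by the host the browser will actually connect to, and goes slightly beyond the comment by also covering the `user@host` form, hyphenated lookalikes and a plain-http sign-in page. `EXPECTED_DOMAIN`, `checkLink`, `report` and the sample links are constructed for illustration.

```javascript
// Added illustration: names and sample links below are constructed.
const EXPECTED_DOMAIN = "ebay.com"; // assumption: the brand's real domain

// Judge a link by the host the browser connects to, not by where the
// string "ebay.com" happens to appear inside the URL.
function checkLink(link, expected = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: same rules browsers apply
  } catch {
    return { ok: false, host: null, reason: "not an absolute URL" };
  }
  // The parser lowercases the host; drop an optional trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (url.username || url.password) {
    return { ok: false, host, reason: "text before '@' is userinfo, not the site" };
  }
  // Only the right-hand end of a hostname says who owns it.
  const owned = host === expected || host.endsWith("." + expected);
  if (!owned) {
    return { ok: false, host, reason: `host is not ${expected} or a subdomain of it` };
  }
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "sign-in page not served over https" };
  }
  return { ok: true, host, reason: `host belongs to ${expected}` };
}

// Constructed samples; the second is the URL quoted in the comment above.
const SAMPLES = [
  "https://signin.ebay.com/",
  "http://signin.ebay.com.evilphishers.com",
  "https://ebay.com@evilphishers.com/signin",
  "https://signin-ebay.com/",
  "https://SIGNIN.EBAY.COM./",
  "http://signin.ebay.com/",
];

function report(links = SAMPLES) {
  return links.map((link) => ({ link, ...checkLink(link) }));
}

for (const r of report()) {
  console.log(`${r.ok ? "OK  " : "FLAG"} ${r.link} -> ${r.host}: ${r.reason}`);
}
```
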
  5. Miloš says:

    You got “woodpecked”! :) Kaspersky is big into 24/7/365 development and updates which you can read about here. Their business model is impressive and it is one of main reasons they keep improving and expanding every year.

    On the other hand you are almost dead on when it comes to sys admins…but I would place the cut off to 5:05 PM for most of them.

  6. ZeWrestler says:

    Dude,

    First, it’s phishing not pishing.

    Second, have you shown this to Robila?

    Third, according to APWG’s December report the avg lifetime of a phishing site was 3 days where the longest lived site is 31. So half of the world’s phishing sites are taken down in under 3 days of launch.

    Good to hear phishing education is continuing there, even after I’m gone.

  7. Ricardo says:

    Hey Luke,

    I have a question out of curiosity: What are the add-ons you are using on Firefox? I can recognize the FaviconizeTab, the Fasterfox, the Gmail plugin, the Firebug, and the adblock from your print screen.

    What about the others?

  8. Luke Maciak says:

    Sigh… I didn’t even get to use it yesterday. :(

    @jambarama – I never considered that. :P Most of the stuff I do in class is pretty much straight out of the textbook. I don’t remember the title/authors off the top of my head but it is semi-decent. It comes with ppt slides for each chapter which I usually modify, splice and hack into shape.

    @coaster – I don’t think that would be the case – considering none of them have seen it yet. I put the site up in the wee hours of the morning and it was already flagged when I got up for work. I didn’t actually show it in class.

    @Miloš – heh! Woodpecked! lol You got to give it to them – they are fast.

    Btw, Copeland emailed me about 3pm – he was very nice about it, and said I can keep it up but asked to hide it from the outside world so that we don’t get flagged. :)

    @ZeWrestler – oh, I always thought it was pishing as in fishing with an f. Go figure. :P

    I haven’t seen Robila the whole semester. He apparently is doing “off campus research” on Tuesdays which means I don’t see him at all these days. :(

    Oh, and 3-30 days was what I was expecting – I thought I can put it up, early morning, show it in class the same day and then take it down without it being flagged. I did not expect it showing up on black lists mere hours after it hit the internets.

    @Ricardo – Hmmm… Let’s see. I use faviconize, Fasterfox, adblock, greasemonkey, stylish, Google notebook, firebug, adsense notifier, and twitterfox

  9. Miloš says:

    “Btw, Copeland emailed me about 3pm – he was very nice about it, and said I can keep it up but asked to hide it from the outside world so that we don’t get flagged. :)”

    You see we have woodpeckers as well. :)

  10. I am actually developing a website that will counter phishing in a whole new way unseen to the internet so far, it’s too new (and simple) of an idea to post here on your blog, but send me an email I will tell you about it. It will decrease phishing on the internet by at least 20% (a lot if you think about it) if websites give it a chance.

  11. Hello,

    This is definitely an interesting project and many of such should be done in order to educate as many people as possible about phishing matters. It is always a surprise to discover “drop files” and to see how many users did input their real credentials:-/

    Much to do!

    Cheers,
    Michael
    [KL Japan]

  12. Why would you publish this on the public Internet?

    Do you not have a test bed apache (or Xampp) system that sits on a non-routable network block (192.168.x.x, 172.[16-31].x.x, 10.x.x.x) where you can demonstrate to your students without the risk of exposure to the big-bad-interwebbythingy.

    You were caught, you deserved to be caught – it’s good to see that the anti-phishing systems work so well.

  13. Luke Maciak says:

    @Michael Molsner – thanks for all your help. You are doing a great job keeping the interwebs safe. :)

    “Do you not have a test bed apache (or Xampp) system that sits on a non-routable network block (192.168.x.x, 172.[16-31].x.x, 10.x.x.x) where you can demonstrate to your students without the risk of exposure to the big-bad-interwebbythingy.”

    Nope. I’m an adjunct. I’m lucky that I get a mailbox on campus. :P

    But yeah, you are right – not very smart on my part, and I totally deserved to be caught. I’m not complaining. In fact I’m totally impressed that it happened so fast. :) It’s a good thing!
