Crooks are using proxy servers to build more convincing phishing sites – new claim

Crooks using phishing pages to grab victims' passwords have apparently upped their game – by using proxy servers rather than static pages to craft legit-looking websites. Normally, thieves recreate a web page – such as a login page for an online shop or webmail – and stick it on a compromised server, then direct marks towards …

  1. Kaltern

    Please enter your credit card details into the comments. Thank you

    Card: 4971 2500 3665 9987

    Expiry 02/18

    Postcode: DS1 2TK

    Do I win a prize?

    1. ecofeco Silver badge

      Re: Please enter your credit card details into the comments. Thank you

      Nope.

      "please enter your credit card information to the comments . Thank you ."

  2. depicus

    Hard to mitigate

    I was looking at this a few weeks ago after having a client's page pulled and used as their own to sell advertising. We put in some JavaScript to check if we were in a frame or not on the client domain, which solved the problem, but I suspect it won't be long before they proxy the page again but then strip the JavaScript out.
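
Added example, not code from depicus or from The Register: a JavaScript frame-and-origin check of the kind the comment describes, written as a tripwire for a login page that is being served through a proxy under another hostname or inside a frame. The hostnames, function names and redirect target are assumptions. As the comment itself notes, a proxy that rewrites or strips script defeats any client-side check, so the server-side companion for the framing case is a Content-Security-Policy frame-ancestors directive (or X-Frame-Options) on the genuine site.

```javascript
// Added example, not depicus's code. The decision logic is a pure
// function so it can be exercised outside a browser; runInBrowser()
// shows how it would be wired to window.* on the real page.

// Hostnames the genuine site runs on (constructed sample values).
const GENUINE_HOSTS = ["shop.example", "www.shop.example"];

// True when hostname is one of the allowed hosts or a subdomain of one.
// Lower-cases and drops a trailing dot so "SHOP.EXAMPLE." still matches.
function hostMatches(hostname, allowed) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// env mirrors what the browser reports: window.location.hostname and
// whether the page sits inside a frame (window.top !== window.self).
// Returns a verdict plus the reasons, so a report can say which tripped.
function assessPage(env, allowed = GENUINE_HOSTS) {
  const reasons = [];
  if (env.isFramed) reasons.push("framed");
  if (!hostMatches(env.hostname, allowed)) reasons.push("unexpected-host");
  return { suspicious: reasons.length > 0, reasons };
}

// Browser wiring. Guarded so the same file also loads under Node.
function runInBrowser() {
  if (typeof window === "undefined") return null;
  const env = {
    hostname: window.location.hostname,
    isFramed: window.top !== window.self,
  };
  const verdict = assessPage(env);
  if (verdict.suspicious) {
    // Remove credential entry on the copy and send the top-level window
    // to the genuine origin (assumed URL); a beacon to a reporting endpoint
    // would go here as well if the site has one.
    document.querySelectorAll("form").forEach((f) => f.remove());
    window.top.location.replace("https://" + GENUINE_HOSTS[0] + "/");
  }
  return verdict;
}

runInBrowser();
```

On the genuine page assessPage() returns nothing suspicious; on a proxied copy the browser reports the proxy's hostname, and on a framed copy window.top differs from window.self, each of which produces a reason string the site can log.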

  3. Simon Lacey

    All most phishing sites/mails need is someone that can speak English.

    1. frank ly
      Happy

      ...someone _who_ can speak English.

      1. Martin-73 Silver badge

        Yep, that (who) bugs me too

      2. albaleo

        What was it about the original form that bugged you? It read fine to me. Most usage guides say that either "who" or "that" are used to refer to human subjects. Some note that "that" is more commonly used when denoting a class of people, e.g. "those that prescribe grammar" versus "one who prescribes grammar". But there is no exclusive rule.

        It's different with non-restrictive relative clauses, where "which" and "who" are the normally preferred options, and where "which" is not generally used with people. "Now someone who really annoys me is Albaleo, who bores us to death with his thoughts on grammar." "I know what you mean. He talks all the time about relative clauses, which no one in their right mind gives a fuck about."

    2. Crazy Operations Guy

      Like the 419 scammers, phishers are typically looking for people that are just stupid enough not to notice the errors, since they would be stupid enough to fall for other phishing sites as well (and thus reduce your chances of getting caught, since the victim won't know which shady website stole their identity; you also get people that are so enticed by what is being offered that they'll do whatever you want).

      Catch a smart man with a good phish and you'll eat for a day; catch a sucker with a bad phish, and you'll eat for a lifetime.

  4. Crazy Operations Guy

    "legitimate site would find it very difficult to detect these attacks against their customers. "

    Look for multiple customers coming from the same IP, easy peasy.

    1. xj25vm

      Re: "legitimate site would find it very difficult to detect these attacks against their customers. "

      I see. So what happens if you get multiple purchases from a large internal network with a single public IP address? Such as a large company, university, government network? Or how about the fact that most (if not all) 3G mobile operators - in the UK at least - use private IPs for their customers. Will you be banning everybody who shops/browses your website from a smartphone or 3G dongle then?

      1. KNO3
        Black Helicopters

        Re: "legitimate site would find it very difficult to detect these attacks against their customers. "

        Saw an ISP try it once. Put 1k users behind the same IP. With IP you only have 65k or so return ports. During peak times took 3 seconds to run out of ports. Router purges the connection for the next in line.

        Then you have the DNS servers blacklisting the IP address because they thought they were being attacked. Try hitting a DNS server with 300 requests/retries per second and see what happens. Later I found out the BOFH set it at 100 per second and did not care to inform anyone. Thank you Wireshark. See all, tell all.

        Monitoring your inbound IP to your site is a legit way to deal with it. Worked for a bank 10 years ago and they tried it on us. They even had a fake SSL cert. On the customer's side, it was 64 bit, with an error (customers always click thru Microsoft errors) and on our side we saw 128 bit. Caught them because they were trying to piggyback the connection to try to crack the session IDs.

        One of those 3 letter guys stopped by their hosting site and took their server in for a bit of questioning.

        Funny thing was the bad guys also hacked the DNS server to redirect spyware loaders to load their payloads instead.

      2. Crazy Operations Guy

        Re: "legitimate site would find it very difficult to detect these attacks against their customers. "

        I don't expect anyone to use my solution as the only method of fraud detection, merely as a simple filter for more rigorous testing, such as comparing previous postal/country codes used by customers on that IP, which in your examples would match or at least be similar.
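
Added example, not code from any commenter or from The Register: the two-stage filter discussed in this thread (distinct accounts per source IP, then how scattered those accounts' postcodes on file are), run over a constructed set of login records in JavaScript so that the shared-NAT case xj25vm raises and the relaying-proxy case come out differently. The thresholds, the RFC 5737 sample addresses, the account names and the postcode-area heuristic are all assumptions.

```javascript
// Added example, not Crazy Operations Guy's code. Stage 1 counts distinct
// accounts per source IP; stage 2, for IPs over the threshold, measures how
// scattered the postcodes those accounts hold on file are. A corporate or
// university NAT yields many accounts with clustered postcodes; a phishing
// proxy relaying victims from across the country yields scattered ones.

// Constructed sample records (RFC 5737 test addresses, made-up accounts).
const SAMPLE_LOGINS = [
  { ip: "203.0.113.10", account: "alice", postcode: "LS1 4AB" },
  { ip: "203.0.113.10", account: "bob", postcode: "LS2 9JT" },
  { ip: "203.0.113.10", account: "carol", postcode: "LS6 1AA" },
  { ip: "203.0.113.10", account: "dave", postcode: "LS11 5PQ" },
  { ip: "203.0.113.10", account: "erin", postcode: "LS8 2RR" },
  { ip: "203.0.113.10", account: "alice", postcode: "LS1 4AB" }, // repeat login, same account
  { ip: "198.51.100.7", account: "frank", postcode: "SW1A 1AA" },
  { ip: "198.51.100.7", account: "grace", postcode: "M1 1AE" },
  { ip: "198.51.100.7", account: "heidi", postcode: "EH1 1YZ" },
  { ip: "198.51.100.7", account: "ivan", postcode: "CF10 1AA" },
  { ip: "198.51.100.7", account: "judy", postcode: "B1 1AA" },
  { ip: "192.0.2.44", account: "mallory", postcode: "DS1 2TK" },
];

// Postcode "area": the leading letters of a UK outward code ("LS11 5PQ" -> "LS").
// Deliberately coarse so neighbours in one city share it (assumed heuristic).
function postcodeArea(pc) {
  const m = /^([A-Z]{1,2})\d/i.exec(String(pc).trim());
  return m ? m[1].toUpperCase() : String(pc).trim().toUpperCase();
}

// Aggregate distinct accounts and distinct postcode areas per source IP.
function profileByIp(logins) {
  const byIp = new Map();
  for (const { ip, account, postcode } of logins) {
    if (!byIp.has(ip)) byIp.set(ip, { accounts: new Set(), areas: new Set() });
    const p = byIp.get(ip);
    p.accounts.add(account);
    p.areas.add(postcodeArea(postcode));
  }
  return byIp;
}

// Stage 1 uses minAccounts, stage 2 uses maxAreas. One row per IP with
// verdict "single" (below the sharing threshold), "shared-egress" (many
// accounts, clustered postcodes) or "suspect-proxy" (many accounts, scattered).
function assessIps(logins, { minAccounts = 5, maxAreas = 2 } = {}) {
  const rows = [];
  for (const [ip, p] of profileByIp(logins)) {
    let verdict = "single";
    if (p.accounts.size >= minAccounts) {
      verdict = p.areas.size <= maxAreas ? "shared-egress" : "suspect-proxy";
    }
    rows.push({ ip, accounts: p.accounts.size, areas: p.areas.size, verdict });
  }
  return rows;
}

// Convenience lookup for one IP's verdict.
function verdictFor(ip, logins = SAMPLE_LOGINS, opts) {
  const row = assessIps(logins, opts).find((r) => r.ip === ip);
  return row ? row.verdict : null;
}

for (const r of assessIps(SAMPLE_LOGINS)) {
  console.log(`${r.ip.padEnd(14)} accounts=${r.accounts} areas=${r.areas} ${r.verdict}`);
}
```

Run with node: the NAT address comes out as shared-egress (five accounts, one postcode area), the relaying address as suspect-proxy (five accounts, five areas) and the home address as single, which is the "simple filter for more rigorous testing" the comment describes rather than a block list on its own.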

  5. Crazy Operations Guy

    Just a thought

    This attack would be so much harder to detect and block by utilizing a botnet: simply install the proxy code on a botted machine and rotate which bots are serving up the pages (just have the CnC server constantly update a DNS server operating as the NS server for the phishing site and set the TTL ludicrously low to eliminate lost connections from people shutting off nodes in the botnet).

    Although, come to think of it, a botnet of proxy servers might not actually be a bad thing in the right hands...
