A new effective method to detect phishing website

Author: dyc.chien    Posted: Tue Nov 04, 2008 1:05 pm    Post subject: A new effective method to detect phishing website
I have developed a new method that can detect phishing websites more effectively. It checks a website's IP address against an IP-address-based White List.
Every website has an IP address. The IP address must be legitimate, routable, and reachable, and cannot be faked. If a website fakes its IP address, the data will be routed to the site at the faked IP address instead, so no one can reach this website. For example, a phishing website can mimic BankOfAmerica, but it cannot use a BankOfAmerica IP address (range) as its IP address. If it does, all network traffic will be routed to BankOfAmerica instead.
We can build an IP-address-based White List that has the IP addresses of all the legitimate financial institutions that phishing websites are targeting.
When visiting a website, we can check its IP address against the White List. If the website’s IP address is not in the White List, then it may be a phishing site.
How do we build this White List? We can ask America Bank Association (or the like) for help. Or we can Google it and check it against WHOIS (which I have done). More importantly, most companies do not change their IP addresses often. This is because (1) IPv4 addresses are almost all allocated, and (2) updating and testing Internet backbone routing tables is a major task. So the White List will be small, stable, and easy to maintain.
Advantages of this method are:
1. Can detect a new phishing website immediately without it being reported first.
2. Don’t have to maintain historical phishing site information
3. Don’t need to check URL, web page content etc.
4. Spoofed phishing emails will not work
5. It is immune to DNS pharming (poisoning) attack
6. White List is easy to maintain and can be stored locally
7. There is no need to take down a phishing website
More importantly, we can expand this method to identify trustworthy websites. The White List can include online e-commerce companies like eBay.
I do have a Firefox extension that can check IP address. My White List has 600 IP addresses (mainly US banks).

Daniel C.

Author: ron.vanza    Posted: Tue Nov 04, 2008 9:20 pm    Post subject:
Great tip bro, I really liked it and hope all members have a look at it.

Also, McAfee SiteAdvisor is a really effective thing.

But what Firefox extension are you talking about? How do I use it and how do I get it? Please guide me through the whole process.


Author: AdamV    Location: Leeds, UK    Posted: Tue Nov 04, 2008 11:42 pm    Post subject:
I don't quite get how this works.
So I try to go to bankofamerica.fakesite.ru and the IP for that site is not in the white list so I can't get to the site.
So far so good.
Then I try to go to perfectly.normal.company.website.com for some random web site that I turn up through a search engine for something. I don't know, something like www.security-forums.com for example. And their IP is not on your white list - does that mean I can't go there?

If I have to do anything at all to check the site - turn on an extension, paste the URL into a box on a webpage, the idea just failed. If I think long enough to do any of that, I already knew enough about phishing to think before I visit the site.
The time it takes to do any of that means I could simply type in my normal web address for my bank, or ebay or whatever, rather than using some dodgy link I have been emailed. First line of defence is always type a well known address (same applies if you get a text message to phone your bank on some number, call them on their usual number instead so you know who you are talking to when they ask all those security questions)

Author: dyc.chien    Posted: Wed Nov 05, 2008 10:25 am    Post subject: A new effective method to detect phishing website
The Firefox extension is an icon/button on the toolbar. When clicked, it gets the current webpage’s IP address, compares it with the White List (which is stored on your local machine), then advises you about this site. This program does not block any access to the website. So when visiting a website/webpage that asks for your personal information (like ID, PW, SS#, CC#), before entering any data, you should check whether this site is legitimate by clicking this icon/button to get advice. You are the one to make the final decision.

One more important fact about the DNS pharming attack: even with a correct URL (not IP address), it can still take you to the phishing website. This program can be used to detect a phishing site during a DNS poisoning attack.

BTW, do we have an office FTP site that I can post my program?
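
Added example (not part of the thread and not the poster's extension): a sketch of the IP allowlist check described in the posts above, extended so that a known hostname resolving outside its owner's ranges, as in the DNS pharming case, is reported separately from a site the list simply does not cover. The allowlist entries, the `.test` hostnames, the function names and the verdict labels are assumptions made for the example; it handles IPv4 only, and the caller supplies the address the browser actually connected to.

```javascript
// Constructed allowlist: owners, domains and ranges are placeholders
// (RFC 5737 documentation ranges), not real institutions' address space.
const ALLOWLIST = [
  { owner: "Example Bank", domains: ["examplebank.test"], ranges: ["192.0.2.0/24"] },
  { owner: "Example Shop", domains: ["exampleshop.test"],
    ranges: ["198.51.100.16/28", "203.0.113.5/32"] },
];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip falls inside the CIDR block (plain arithmetic avoids the
// signed 32-bit pitfalls of JavaScript bitwise operators).
function inCidr(ip, cidr) {
  const [base, len] = cidr.split("/");
  const bits = Number(len), a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Exact domain or a true subdomain; "examplebank.test.evil.example" does not match.
function matchesDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === domain || h.endsWith("." + domain);
}

// listed:   IP is inside an allowlisted range (the thread's "on the White List" case)
// mismatch: hostname is an allowlisted domain but the IP is outside that owner's
//           ranges (poisoned DNS answer, or the list is out of date)
// unlisted: neither is known; the list says nothing about this site
function checkSite(host, resolvedIp) {
  if (ipv4ToInt(resolvedIp) === null) return { verdict: "error", owner: null };
  const byIp = ALLOWLIST.find(e => e.ranges.some(r => inCidr(resolvedIp, r)));
  const byName = ALLOWLIST.find(e => e.domains.some(d => matchesDomain(host, d)));
  if (byName && byName !== byIp) return { verdict: "mismatch", owner: byName.owner };
  if (byIp) return { verdict: "listed", owner: byIp.owner };
  return { verdict: "unlisted", owner: null };
}
```

A lookalike hostname on an unlisted address comes back as `unlisted`, the same verdict as any ordinary site outside the list, so only `listed` and `mismatch` carry information.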

Author: dyc.chien    Posted: Thu Nov 13, 2008 7:45 am    Post subject: A new effective method to detect phishing website
Finally, I got this to work for Firefox version 3.
It is a Green Button on the toolbar. When you are visiting a website, before entering your account and password, you may want to click this button. It will tell you if this website is trusted or not (on the White List).
If you are interested in my program, send email to dan_chien@hotmail.com.


Author: PhiBer    Location: Your MBR    Posted: Thu Nov 13, 2008 7:06 pm    Post subject:
So how is this different than using EV/SSL Certificates to get the "green" bar in Firefox or Internet Explorer 7 (e.g. Phishing Filter / protection)?

Take this scenario - A large Bank changes its IP address and your 'whitelist' is not updated accordingly. What happens next? Do customers largely avoid the site because they don't see the green bar? How much business would be lost?

Certificates are a much more reliable way of confirming site identity anyways.

Author: dyc.chien    Posted: Sun Nov 16, 2008 8:51 am    Post subject: A new effective method to detect phishing website
First, I think we (consumers and banks) should work together to maintain this white list. The more accurately we maintain this list, the better protection we get. It is good for consumers and the bank.

As for changing IP addresses, for IPv4, most addresses have been allocated already. It is not easy to find a free block of IP addresses to change to. The white list can include all IP addresses that are allocated to this bank, so it is OK to change IP within its range. Also, we should minimize the impact of changing IP addresses.

As for EV/SSL, it is on IE 6/7/8. But most people do not understand or pay attention to it. The other drawback is that some websites do not engage SSL early enough. For example, SSL will only take place after you have entered ID and password.


Author: PhiBer    Location: Your MBR    Posted: Mon Nov 17, 2008 9:27 pm    Post subject:
How would someone know whether the phishing site is a fake or not? You mentioned that no one pays attention to the EV/SSL bar in IE7/8 (also works for Firefox 2 & 3 afaik), what is your method of grabbing the user's attention?

Author: dyc.chien    Posted: Tue Nov 18, 2008 7:54 am    Post subject: A new effective method to detect phishing website
My method/program creates a button on the Firefox toolbar. Before you enter your account, password, social security number or credit card number, you may want to click this button to make sure this website is on the list.

I think this is a better way than EV/SSL.

I think one of the reasons people do not pay attention to SSL is that they don't know what EV/SSL is for.

Another example: check the login.live.com website. It does not use SSL for this page, but it is a good website. An SSL check will not work in this case.

