Friday, January 11, 2008 2:10 AM
cmosby
Symantec Security Response Weblog: "Referer" Field Used in the Battle Against Online Fraud
The "referer" [sic] header is generally used to track back-links in order to understand how a certain Web site is being reached by its visitors (hyperlinks on other Web sites, search engines, etc.). According to RFC 2616 (section 14.36), "...the Referer request-header field allows the client to specify, for the server's benefit, the address (URI) of the resource from which the Request-URI was obtained (the "referrer", although the header field is misspelled)."
In the online fraud arena, the referrer field can also be used to detect new phishing Web sites. Let’s use as an example the following phishing site (which also happens to be a Rock Phish attack):
[Screenshot of the phishing site's login page; image not reproduced here]
If a legitimate user visits this site and submits the form, the phishing site saves the credentials and then redirects the user to the real Internet banking Web site. When the redirection takes place (in this case with a standard HTTP 302 redirect, called "Moved Temporarily" in older specifications and "Found" in RFC 2616; it is not an error), the user's browser requests the URL given in the "Location" header and includes a referrer field in its HTTP request headers, which contains the absolute uniform resource identifier (URI) of the phishing Web site. The browser follows the redirect automatically, so in most browsers the Referer it sends to the bank is the one it attached to the form submission, that is, the address of the phishing page.
On the server side it is trivial to log the referrer field of every HTTP request (see your Web server's documentation; the "combined" log format of Apache and nginx already records it) and to set up a notification system that sends out an alert when an unknown referrer is found. The system needs a bit of fine-tuning initially in order to build a proper whitelist of legitimate linking Web sites (the institution's own domains, search engines, partners). Many phishing Web sites also load resources from the legitimate Web site (images, CSS files, JavaScript files, etc.), which leaves a similar footprint in the logs as well.
This simple early warning mechanism can be circumvented easily: a phishing kit only has to avoid loading any resources from the legitimate Web site and skip the redirect to it at the end of the phishing "session." In practice, however, almost all currently known phishing kits do both, because reusing the real site's images and landing the victim on the real site afterwards make the attack more credible.
One additional thing to keep in mind is that in the majority of cases, when a phisher sets up a new fraudulent Web site, the first thing he or she does before sending out the phishing emails is to test it. This means two things for us:
• The first referrer hit from a new, active phishing Web site will probably come from an IP address used by the phisher, which gives the financial institution useful information for law enforcement agencies trying to track and prosecute the criminals;
• The financial institution can learn about a new phishing Web site even before the phishing emails are sent out, allowing it to trigger the incident response process quickly, which is crucial to minimizing losses.
If the phisher is cautious and able to hide (for example, by going through a hijacked PC or server used as a proxy), this information will not be useful for tracking purposes, but Symantec has noted that most of the time they actually don't bother. In any case, it is fairly simple to tell which IP addresses look suspicious and which don't.
Finally, counting the number of hits whose referrer field points to a verified phishing URL provides information on how many users have been visiting it and filling out the form (only hits on the redirect target should be counted, since resource loads from the phishing page carry its URL as referrer too). This gives additional information to help evaluate the risk of each attack, which is something I have already been discussing in the past and a point on which I will return with more details in the near future.
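The following script, an added example that is not part of the original post and not Symantec's own tooling, puts the three ideas above together over Apache/nginx "combined" log lines: it flags referer hosts that are not on a whitelist, records the first client IP and timestamp seen for each unknown host (the likely test run by the phisher), and counts victims for a confirmed phishing URL by looking only at hits on the redirect landing page, optionally excluding known attacker IPs. The host names (examplebank.test), the phishing URL, and the log lines are all constructed for the example.

```python
import re
import sys
from urllib.parse import urlsplit

# Apache "combined" log format (nginx's default "combined" is equivalent); it
# already records the Referer and User-Agent headers of every request:
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Whitelist of hosts that legitimately link to or embed the bank's pages.
# Hypothetical names; in practice the list is tuned from a few weeks of logs.
ALLOWED_REFERER_HOSTS = {
    "www.examplebank.test",
    "online.examplebank.test",
    "www.google.com",
}

# Constructed sample log lines (not real traffic). The first two requests are the
# phisher testing a freshly installed kit from 203.0.113.10: the phishing page
# embeds the bank's logo, then the kit redirects the "victim" to the real login
# page. Hours later real victims (192.0.2.x) arrive from the same phishing URL.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2008:02:11:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 4312 "http://198.51.100.23/~kit/online/login.htm" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2008:02:12:45 +0000] "GET /ib/login.jsp HTTP/1.1" 200 8823 "http://198.51.100.23/~kit/online/login.htm" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2008:09:30:01 +0000] "GET /ib/login.jsp HTTP/1.1" 200 8823 "http://www.google.com/search?q=examplebank" "Mozilla/5.0"
192.0.2.77 - - [10/Jan/2008:10:02:17 +0000] "GET /ib/login.jsp HTTP/1.1" 200 8823 "http://198.51.100.23/~kit/online/login.htm" "Mozilla/4.0"
192.0.2.78 - - [10/Jan/2008:10:05:40 +0000] "GET /ib/login.jsp HTTP/1.1" 200 8823 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Jan/2008:10:06:02 +0000] "GET /ib/account.jsp HTTP/1.1" 200 1200 "https://online.examplebank.test/ib/login.jsp" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-case host of a Referer value; None when absent ("-") or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def find_unknown_referers(lines, allowed=ALLOWED_REFERER_HOSTS):
    """Group requests by referer host that is not on the whitelist.

    For each unknown host the first client IP and timestamp are kept: on a new
    phishing site that first hit is usually the phisher's own test run.
    """
    unknown = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = referer_host(rec["referer"])
        if host is None or host in allowed:
            continue
        entry = unknown.setdefault(host, {
            "first_ip": rec["ip"], "first_time": rec["time"],
            "hits": 0, "referer_urls": set(),
        })
        entry["hits"] += 1
        entry["referer_urls"].add(rec["referer"])
    return unknown


def count_victims(lines, phishing_url_prefix, landing_path, exclude_ips=frozenset()):
    """Count hits on the post-redirect landing page whose Referer is the phishing URL.

    Returns (hits, distinct_client_ips). Embedded-resource loads (logo, CSS) are
    ignored by matching only the landing path, and known attacker IPs can be
    excluded so the phisher's own tests are not counted as victims.
    """
    hits, ips = 0, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in exclude_ips:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else ""
        if path == landing_path and rec["referer"].startswith(phishing_url_prefix):
            hits += 1
            ips.add(rec["ip"])
    return hits, len(ips)


if __name__ == "__main__":
    # Usage: python referer_watch.py [access.log]; without an argument the
    # constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for host, e in find_unknown_referers(lines).items():
        print(f"ALERT unknown referer host {host}: first seen {e['first_time']} "
              f"from {e['first_ip']}, {e['hits']} hits, urls={sorted(e['referer_urls'])}")
```

On the sample, the only unknown host is 198.51.100.23, first seen from 203.0.113.10 at 02:11 (the phisher's test), and two distinct clients reach the landing page with the phishing URL as referrer; excluding the phisher's address leaves one real victim. Two caveats when running this on current traffic: the Referer is attacker-controlled and can be suppressed, so it is a detection aid rather than a control, and modern browser defaults (strict-origin-when-cross-origin) reduce a cross-site Referer to its origin and drop it entirely on an HTTPS-to-HTTP downgrade, so host-level matching is more robust than matching on the full phishing URL.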
Posted by Andrea Del Miglio on January 10, 2008 05:00 AM