Yesterday I received a phishing email with an HTML attachment. The HTML contained a form containing banking details which would be POSTed to a particular URL (e.g. http://somedodgysite.com/carddetails.php). After filling in the form with junk and posting it, I noticed that the response redirected my browser to a genuine banking page.
I reported the site to several phishing alert sites and was quite surprised to receive a few responses that basically said “URL not accepted – this URL redirects to a non-phishing site”.
That logic makes it impossible to block dodgy target URLs. A phisher merely needs to redirect to a genuine banking URL to have their page whitelisted. There are two simple things that can be done to avoid this:
- Security sites should allow a reporter to include further information when reporting the URL. Some do, but even the mighty Google give you just a small text box to add a few lines of info to your report.
- Security sites should not automatically assume a URL is safe if it redirects to a genuine site. If several reports are made about the same URL, then it should be considered bad, with an option for the URL owner to appeal – much like an SMTP RBL.
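A sketch of the two suggestions above as an RBL-style report list, added here as an illustration and not taken from any real reporting service: reporter notes and the observed redirect are stored as evidence, the redirect never clears the URL, and an upheld appeal delists it. The class name, the threshold of 3, the reporter ids and `bank.example` are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

class ReportedUrlList:
    """RBL-style list: a URL is listed on distinct reports, never cleared by a redirect."""

    def __init__(self, threshold=3):          # assumed value for "several reports"
        self.threshold = threshold
        self.reporters = defaultdict(set)     # normalized URL -> distinct reporter ids
        self.evidence = defaultdict(list)     # normalized URL -> reporter notes

    @staticmethod
    def normalize(url):
        # Key on scheme, host and path so case or query-string changes hit the same entry.
        p = urlsplit(url.strip())
        return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

    def report(self, url, reporter, note="", redirect_target=None):
        key = self.normalize(url)
        self.reporters[key].add(reporter)     # a set, so one reporter counts once
        if note:
            self.evidence[key].append(note)
        if redirect_target:
            # Where the URL redirects is kept as evidence only; it is not a verdict.
            self.evidence[key].append(f"redirects to {redirect_target}")
        return self.status(url)

    def status(self, url):
        count = len(self.reporters.get(self.normalize(url), ()))
        if count >= self.threshold:
            return "listed"
        return "pending" if count else "unknown"

    def appeal(self, url, upheld):
        # The URL owner can appeal; an upheld appeal delists and resets the count.
        if upheld:
            key = self.normalize(url)
            self.reporters.pop(key, None)
            self.evidence.pop(key, None)
        return self.status(url)

if __name__ == "__main__":
    rbl = ReportedUrlList()
    url = "http://somedodgysite.com/carddetails.php"   # example URL from the post
    for who in ("reporter-a", "reporter-b", "reporter-c"):  # constructed reporter ids
        state = rbl.report(url, who, note="HTML attachment POSTs card details here",
                           redirect_target="https://bank.example/")  # constructed
    print(state)
```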
Are there other ways this “malicious URL” reporting could be improved?