Phishers getting a free pass

Yesterday I received a phishing email with an HTML attachment. The HTML contained a form containing banking details which would be POSTed to a particular URL (e.g. http://somedodgysite.com/carddetails.php). After filling in the form with junk and posting it, I noticed that the response redirected my browser to a genuine banking page.

I reported the site to several phishing alert sites and was quite surprised to receive a few responses that basically said “URL not accepted – this URL redirects to a non-phishing site”.

What?

That logic makes it impossible to block dodgy target URLs. A phisher merely needs to redirect to a genuine banking URL to have their page whitelisted. There are two simple things that can be done to avoid this:

  • Security sites should allow a reporter to include further information when reporting the URL. Some do, but even the mighty Google give you just a small text box to add a few lines of info to your report.
  • Security sites should not automatically assume a URL is safe if it redirects to a genuine site. If several reports are made about the same URL then it should be considered bad, with an option for the URL owner to appeal – much like an SMTP RBL.
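
The second point, as an added sketch that is not from the original post or from any reporting service: the redirect-based rejection beside an RBL-style list that counts distinct reporters, keeps their notes, and supports an appeal. The host names, the threshold of three and every function and class name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; none come from the original post.
KNOWN_GOOD_HOSTS = {"www.examplebank.test"}
REPORT_THRESHOLD = 3  # assumed: distinct reporters needed before listing


def naive_verdict(final_redirect_url):
    """The logic the post objects to: judge a report by its redirect target."""
    host = urlsplit(final_redirect_url).hostname
    if host in KNOWN_GOOD_HOSTS:
        return "rejected: redirects to a non-phishing site"
    return "accepted"


class ReportList:
    """RBL-style list: status depends on reports, never on the redirect."""

    def __init__(self, threshold=REPORT_THRESHOLD):
        self.threshold = threshold
        self.reports = {}  # url -> {reporter: free-text notes}

    def report(self, url, reporter, notes=""):
        # Notes hold the context a reporter wants to add, e.g. that the URL
        # is a form POST target taken from an HTML attachment.
        self.reports.setdefault(url, {})[reporter] = notes
        return self.status(url)

    def appeal(self, url, upheld):
        # The URL owner may appeal; only an upheld appeal clears the listing.
        if upheld:
            self.reports.pop(url, None)
        return self.status(url)

    def status(self, url):
        count = len(self.reports.get(url, {}))  # one vote per reporter
        if count >= self.threshold:
            return "listed"
        return "pending" if count else "unlisted"


if __name__ == "__main__":
    target = "http://collector.example.test/carddetails.php"  # constructed
    print(naive_verdict("https://www.examplebank.test/login"))
    lst = ReportList()
    for who in ("alice", "bob", "bob", "carol"):
        print(who, lst.report(target, who, "POST target of attached form"))
    print(lst.appeal(target, upheld=False))
```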

Are there other ways this “malicious URL” reporting could be improved?

