Discuss: Phishing Questions
by Roshen Chandran, CISSP
Hi Roshen,
Just a quick query on question 3-point 1.
============================================
The number of blank entries in the referrer field for requests to the image shows the minimum number of users who read that email.
============================================
Wouldn't this not reflect the complete picture? What I'm saying is: Phisher X uses Bank ABC's logo in a phishing mail. User A opens the mail (the mail client doesn't block the image), and a request hence goes to BankABC's website and pulls the image, thus reflecting a "blank Referrer"... am I right so far?
So now suppose BankABC itself sends out a mail to all its clients, naturally using the same logo which Phisher X used by email. So again users A, B .... n open the email and an image request goes through with a "blank Referrer"... only this time it was a valid email.
So my point is, is this method of detection foolproof? Wouldn't the logs get confused with "VALID" and "PHISHED" requests both with "Blank Referrers"? As in, it wouldn't exactly be the minimum requests; of course there would be a section of those logs which belong to the phishing site.
Is my understanding correct or have I missed something very obvious? Apologies if I have :)
Cheers
Arvind
Good point, Arvind. Yes, if the bank has itself sent a valid mail with an img src tag pointing to the logo on the homepage of the bank, then those mails will also get counted in the blank referrers.
If you have the rough time window of a phishing attack, then you could count blank referrers in that time window only, for more accuracy. Of course, if the bank sent mails during the same window, that would further reduce the accuracy :)
Thanks for pointing it out.
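The counting discussed in the thread, as an added example that is not part of the original posts: it parses Apache combined-format access log lines (a constructed sample, not real bank logs), counts requests for the logo image that carry a blank referrer, and optionally restricts the count to the time window of a suspected phishing run, which is the narrowing Roshen suggests. The image path, log contents and window are assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Apache "combined" log lines (assumption, not real data).
# Fields: client - - [timestamp] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.0.0.1 - - [12/Mar/2006:09:15:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "https://www.bankabc.example/" "Mozilla/5.0"
10.0.0.2 - - [12/Mar/2006:09:16:41 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.3 - - [12/Mar/2006:09:17:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.2 - - [12/Mar/2006:09:17:05 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "http://lookalike.example/login" "Mozilla/4.0"
10.0.0.4 - - [12/Mar/2006:14:02:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 4521 "-" "Thunderbird/1.5"
10.0.0.5 - - [12/Mar/2006:14:03:55 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_ts(text):
    """Parse a timestamp written in the log's own format (e.g. '12/Mar/2006:09:00:00 +0000')."""
    return datetime.strptime(text, TS_FMT)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec

def blank_referrer_hits(log_text, image_path, start=None, end=None):
    """Count blank-referrer requests for image_path, optionally only between
    start and end (log-format timestamp strings). Returns (requests, distinct_ips):
    distinct IPs is the thread's 'minimum number of users' estimate, requests
    also counts repeat opens. As Arvind notes, the bank's own mailings inflate
    both numbers, so the window should exclude known legitimate campaigns."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != image_path or rec["referer"] not in ("-", ""):
            continue  # skip non-matching, other resources and requests with a referrer
        if (lo and rec["ts"] < lo) or (hi and rec["ts"] > hi):
            continue  # outside the suspected phishing window
        per_ip[rec["ip"]] += 1
    return sum(per_ip.values()), len(per_ip)
```

Over the sample, the unrestricted count is 3 requests from 3 addresses, while restricting to the morning window drops the afternoon mail-client fetch and leaves 2; the request with a referrer from an unrelated host is not counted here since the thread's heuristic keys only on blank referrers.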