By now just about everyone has heard of the 20,000 hijacked e-mail accounts due to a potentially long-lived phishing attack. That figure comes from a Computerworld interview with the Anti-Phishing Working Group Chairman, Dave Jevans. As we imagined, this has kicked off quite a lot of discussion in the industry. The Washington Post offered some good background earlier this week.
The threat of phishing is becoming even more prevalent as hackers test both the savvy of users and the defenses of websites and e-mail providers. In fact, Slashdot just reported on the largest phishing bust to date (the original, we think, came from IT Pro in this article).
The average person deserves some credit for perpetuating phishing, of course, as TechCrunch illustrates in their plea for help. People have been sounding off in forums like Neowin and on blogs like Gizmodo. So do Google, Yahoo!, Hotmail and the other affected providers share some responsibility here? Each of these must have a WAF in place – we assume and hope – so why didn’t the WAF identify, flag and prevent the outbound spamming?
Phishing is in essence an attack on the user and not on the web server. However, the operator of a web application can do various things with their WAF to at least make it harder to carry out phishing attacks.
In phishing, the attacker attempts to direct the user of a legit web application to a fake website. Once the user has entered data on the phishing site, he is normally redirected from there to pages on the legit site, keeping the attack unnoticed for as long as possible. Phishing sites also often directly embed icons, graphics and other content from the legit site. Here is where the WAF comes into play (or in Art of Defence’s case, hyperguard).
hyperguard will detect third-party websites linking to the legit web application and initiate countermeasures. This detection can also be carried out dynamically – only blocking access once a specific number of requests have occurred.
From a technical point of view, the WAF does this by checking the HTTP Referer header of requests against a whitelist, a blacklist, a graylist or a combined approach.
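To make the combined Referer check and the dynamic blocking mode concrete, here is an added example in Python (our own illustration, not hyperguard's code). All hostnames, list contents and sample requests are constructed, and the threshold of three tolerated requests per unknown referer is an assumption.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy for a hypothetical protected site "www.example-bank.test".
OWN_HOSTS = {"www.example-bank.test", "example-bank.test"}
WHITELIST = {"www.partner-portal.test"}          # third parties allowed to embed/deep-link
BLACKLIST = {"login-example-bank.evil.test"}     # hosts already confirmed as phishing sites
GRAYLIST_THRESHOLD = 3  # assumed: unknown referer tolerated for this many requests


class RefererFilter:
    """Classify each request by the host in its Referer header.

    Own and whitelisted hosts pass, blacklisted hosts are blocked outright, and
    every other (graylisted) host is counted per referer and blocked once the
    count exceeds the threshold, which is the dynamic mode described above.
    """

    def __init__(self, threshold=GRAYLIST_THRESHOLD):
        self.threshold = threshold
        self.seen = Counter()  # requests observed per graylisted referer host

    def decide(self, referer):
        if not referer:
            # Browsers and privacy settings routinely strip the Referer, so an
            # absent header is not evidence of anything and is left alone.
            return "allow"
        host = (urlsplit(referer).hostname or "").lower()
        if host in OWN_HOSTS or host in WHITELIST:
            return "allow"
        if host in BLACKLIST:
            return "block"
        self.seen[host] += 1
        return "block" if self.seen[host] > self.threshold else "allow-graylisted"


# Constructed request log: (requested path, Referer header value).
SAMPLE_REQUESTS = [
    ("/img/logo.png", "https://www.example-bank.test/login"),
    ("/img/logo.png", "https://www.partner-portal.test/offers"),
    ("/img/logo.png", "http://login-example-bank.evil.test/index.php"),
    ("/css/site.css", "http://unknown-host.test/secure"),
    ("/img/logo.png", "http://unknown-host.test/secure"),
    ("/img/logo.png", "http://unknown-host.test/secure"),
    ("/img/logo.png", "http://unknown-host.test/secure"),  # 4th hit: over threshold
    ("/account", ""),                                       # direct visit, no Referer
]


def run_sample(requests=SAMPLE_REQUESTS):
    """Run the sample log through a fresh filter and return the decision per request."""
    f = RefererFilter()
    return [f.decide(ref) for _path, ref in requests]
```

A graylisted host that repeatedly pulls the site's icons and stylesheets is the footprint of a phishing page embedding the legit site's content, and the counter turns that pattern into a block without having to know the host in advance.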