Tuesday, March 13, 2007
The Economics of Phishing Emails, and Corporate Logos
Disclaimer: This is all idle speculation. I have no inside info to support my claims.
This evening, I spent some time browsing through Phish Tank, a fantastic live reference for phishing websites.
A shockingly large number of the websites include images served from Paypal's, Ebay's and other companies' own web servers. That is, instead of making a local copy of the image and hosting it on the server that runs the phishing site, they include the image directly from Ebay's web server. Not only does Ebay get phished, but they also pay the bandwidth costs for the graphics displayed to the victim.
It's almost like the tale of a twisted dictator shooting someone, and then sending the victim's family a bill for the bullet.
This got me thinking.
Paypal, Bank of America, and others know exactly where their graphics should be shown on the web. A general and reasonable rule would be: any time a page on Paypal.com loads our logo, let it happen; if someone at evilphisher.com tries to load our image, serve a big warning image instead. This could easily be done by checking the Referer header passed by the browser.
This would be trivial to implement. The question, then, is why isn't Paypal doing this already?
As crazy as it may be, the answer is probably something like this:
1. Bandwidth is cheap, at least in the huge quantities that Paypal is purchasing.
2. Phishers are often hosting their sites on zombie/hacked machines, so they don't pay for the bandwidth themselves.
3. If Paypal starts checking the referrer string sent by a browser, phishing website designers will simply save a local copy of the image and host it on their own websites.
Simply put, Paypal doesn't really gain much by disallowing the phishers from using Paypal.com to host their images, and in fact, loses quite a bit.
As things stand right now, Paypal can analyze their logs, and see exactly which websites are causing people to load their images. Paypal probably has a team of people, or several scripts hitting each one of these websites to see if they are indeed a phishing site. If Paypal cuts off the flow of images, and forces phishers to host their own image files, they will immediately lose this valuable source of intelligence.
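The two mechanisms sketched above, the Referer check on image requests and the log analysis that turns hotlinking into a list of sites to investigate, fit in a few dozen lines. The following is an added example written for this post, not code from Paypal or from the post itself; the log lines, the domain names (paypal.example, example.net) and the image paths are constructed placeholders, and treating a missing Referer as "unknown" rather than hostile is a design choice of the example.

```python
"""Classify the Referer on image requests and mine access logs for
hosts that embed a brand's graphics from outside its own domains."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed: the brand's own domains. A host equal to one of these, or a
# subdomain of one, counts as "trusted".
TRUSTED_DOMAINS = ("paypal.com",)
IMAGE_EXTS = (".gif", ".png", ".jpg", ".jpeg")

# Apache/nginx "combined" log format; the last two quoted fields are
# Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic). Two sites that are not
# ours embed /images/logo.gif; one of them uses a look-alike hostname.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2007:20:01:12 -0700] "GET /images/logo.gif HTTP/1.1" 200 4321 "https://www.paypal.com/us/login" "Mozilla/5.0"
203.0.113.6 - - [13/Mar/2007:20:01:13 -0700] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://paypal.example/account/verify.php" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2007:20:01:15 -0700] "GET /images/logo.gif HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.8 - - [13/Mar/2007:20:02:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://paypal.example/account/verify.php" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2007:20:02:44 -0700] "GET /images/logo.gif HTTP/1.1" 200 4321 "http://www.paypal.com.login.example.net/signin" "Mozilla/5.0"
203.0.113.10 - - [13/Mar/2007:20:03:00 -0700] "GET /css/site.css HTTP/1.1" 200 900 "https://www.paypal.com/" "Mozilla/5.0"
"""


def referer_class(referer, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'untrusted' or 'unknown' for a Referer value.

    'unknown' covers an empty or "-" Referer: mail clients and privacy
    tools often omit it, so by itself it is not evidence of anything.
    Matching on the registered-domain suffix (".paypal.com") is what
    rejects look-alikes such as www.paypal.com.login.example.net.
    """
    if not referer or referer == "-":
        return "unknown"
    host = urlsplit(referer).hostname
    if not host:
        return "unknown"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    return "untrusted"


def choose_image(referer, requested="/images/logo.gif",
                 warning="/images/not-our-site.gif"):
    """The rule from the post: serve the real logo to our own pages and a
    warning image to any other site embedding it. A missing Referer is
    let through so e-mail and direct views keep working (example's
    design choice, not something the post specifies)."""
    return warning if referer_class(referer) == "untrusted" else requested


def hotlinking_hosts(log_text, trusted=TRUSTED_DOMAINS):
    """Count image requests per external referring host. This is the
    triage list the post describes: sites that embed our graphics but
    are not ours, ready for someone (or a script) to go and look at."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        path = m.group("path").lower().split("?", 1)[0]
        if not path.endswith(IMAGE_EXTS):
            continue
        ref = m.group("referer")
        if referer_class(ref, trusted) == "untrusted":
            counts[urlsplit(ref).hostname] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in sorted(hotlinking_hosts(SAMPLE_LOG).items()):
        print(f"{n:4d}  {host}")
```

Running the script lists paypal.example (2 requests) and www.paypal.com.login.example.net (1 request) and nothing else: the request with no Referer and the stylesheet request are ignored, and the look-alike host is not mistaken for a Paypal subdomain because the check is on the domain suffix, not on whether "paypal.com" appears anywhere in the name. The same `referer_class` decides what `choose_image` serves, which is why switching the warning image on would also empty out the list this script produces.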
In this case - it seems that the enemy you know is far better than the enemy you've forced underground.