Tuesday, March 13, 2007

The Economics of Phishing Emails, and Corporate Logos

Disclaimer: This is all idle speculation. I have no inside info to support my claims.

This evening, I spent some time browsing through Phish Tank - A fantastic live reference for phishing websites.

A shockingly large number of the websites include images from Paypal, Ebay and other .com's own web servers. That is, instead of making a local copy of the image, and hosting it on the server which run the phishing site, they instead include the image directly off Ebay's webserver. Not only does Ebay get phished, but they have to pay the bandwidth costs for the graphics displayed to the victim.

It's almost like the tale of a twisted dictator shooting someone, and then sending the victim's family a bill for the bullet.

This got me thinking.

Paypal, Bank of America, and others know exactly where their graphics should be shown on the web. A general, and reasonable rule would be, anytime a website at Paypal.com loads our logo, let it happen. If someone at evilphisher.com tries to load our image, load up a big warning image instead. This could easily be done by checking the referrer passed by the browser.

This would be trivial to implement. The question then, is why isn't Paypal doing this already?

As crazy as it may be, the answer is probably something like this:

1. Bandwidth is cheap, at least in the huge quantities that Paypal is purchasing.
2. Phishers are often hosting their sites on zombie/hacked machines, so they don't pay for the bandwidth themselves.
3. If Paypal starts checking the referrer string sent by a browser, phishing website designers will simply save a local copy of the image, and host them on their own websites.

Simply put, Paypal doesn't really gain much by disallowing the phishers from using Paypal.com to host their images, and in fact, loses quite a bit.

As things stand right now, Paypal can analyze their logs, and see exactly which websites are causing people to load their images. Paypal probably has a team of people, or several scripts hitting each one of these websites to see if they are indeed a phishing site. If Paypal cuts off the flow of images, and forces phishers to host their own image files, they will immediately lose this valuable source of intelligence.

In this case - it seems that the enemy you know is far better than the enemy you've forced underground.


Sid Stamm said...

One could also argue that it is also possible that (4) Checking the referrer on each image load is more costly (server CPU demand) than serving images to third party sites (bandwidth demand). Or maybe (5) Bank X wants its affiliates y.com z.com, etc., to use the logo but nobody else; referrer-checking is now very very demanding.

It's good to note that the HTTP-REFERER header is not trustworthy, and might not appear at all (even if there is a referrer).

And I think you're right, the referrer logs can help institutions identify the most successful phishing or mirror sites.

(Link to relevant mailing list thread)

Anonymous said...

Referrer strings are sent by the browser, and denying those images to folks who's corporate proxy servers blank out or reset those strings to arbitrary values would cause a negative customer experience.

Also PayPal and other companies send mail to customers that would be read on webmail sites with many different URLs as the "referrer" when they are finally read.

Mike Kretzler said...

RE: "it seems that the enemy you know is far better than the enemy you've forced underground"

That's so often true.