
Phishing is a very common means of social engineering these days. Despite the increased efforts by banks and other organizations, a good number of people still fall victim to phishing attacks. Some attacks are targeted at specific people, while others are aimed at a wider audience. Those who fall victim often lose their online identity to the attackers.

When setting up a phishing site, attackers often either use a readily available phishing kit or build a custom one that fakes the real web page. In many cases, the phishing site will have the following characteristics:

  • The entry page: This is the page the attackers communicate to their potential victims. It reaches end users by email, malware, or even instant messages, and serves as the channel to the fake site.
  • The data capturing page(s): This page is used by the attackers to collect data such as usernames and passwords, credit card numbers and associated information, social security numbers, etc. The submit button on the final page often points to a server-side script, such as a .php file, that sends the captured information to the attacker.
  • The exit page: At times, the attackers redirect users to the genuine website to leave them with the impression that they were actually on the real website.

So how do you detect phishing, with this information?

In most cases, the images and style sheet files are fetched from the original website. If you are using any dynamic images, they are also often referenced from the original site. Web servers record logs of events and give detailed information on who accessed the site and from where. There are many configurable parameters, such as referrer logging. Analysing the referrer logs of the web server can provide detailed insight into the sites from which the web traffic originates. For example, if the image at the URL www.example.com/a.jpg is referenced from www.ciso.in/example.html, then the web server log at www.example.com would show www.ciso.in/example.html as the referrer. If you have a log management system to capture and analyse the logs, you can filter out the most common referrers and identify potential phishing sites.
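
The referrer analysis described above, as an added example that is not part of the original post: it reads Combined Log Format lines, keeps requests for static assets, and counts the foreign pages that referred them. The log lines are constructed samples, and treating `example.com` as the site's own domain is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSET_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".svg", ".ico", ".css", ".js")

def is_own_host(host, own_domains):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def external_asset_referrers(lines, own_domains):
    """Count static-asset requests per foreign referring page (host + path)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        if not urlsplit(m["path"]).path.lower().endswith(ASSET_EXTS):
            continue  # only images, style sheets and scripts are of interest
        try:
            ref = urlsplit(m["referer"])
        except ValueError:
            continue  # unparseable Referer header
        host = (ref.hostname or "").lower()
        if not host or is_own_host(host, own_domains):
            continue  # no referrer ("-") or one of our own pages
        hits[host + ref.path] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, hosts from the text).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /a.jpg HTTP/1.1" 200 5120 "http://www.ciso.in/example.html" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 900 "http://www.ciso.in/example.html" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /a.jpg HTTP/1.1" 200 5120 "https://www.example.com/login" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /a.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 7000 "http://www.ciso.in/example.html" "Mozilla/5.0"',
    'truncated entry without the expected fields',
]

if __name__ == "__main__":
    for page, count in external_asset_referrers(SAMPLE_LOG, {"example.com"}).most_common():
        print(f"{count:5d}  {page}")
```

Legitimate external referrers such as search engines, partner sites and web mail will also appear in the output, so review it against a list of known referrers. Pages that suppress the Referer header will not show up at all.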

This is only one of many ways to detect potential phishing attacks. I hope this tip helps you detect phishing sites very early.