The IT security company Symantec describes, in its Security Response Weblog, a way to unmask phishers. All the company needs for this are the log files of mail providers, because phishers no longer store their stolen credit card data on hacked servers but send it to themselves by email.
The role of the email service provider in this picture seems pretty clear: providing “drop-box” content to financial institutions quickly enough is a key part of helping to prevent fraudulent activities. There is some additional research that shows there’s actually much more available than that: providing additional data, such as the full log of the IP addresses that logged into a drop-box is another incredible source of information. While the analysis of a single log file usually does not prove particularly valuable, the correlation of data coming from different attacks is often enlightening.
Figure 1 illustrates a typical situation. In this analysis, Symantec considered three different attacks that hit a single financial institution in a short period of time. Log data provided by Yahoo and Google (as per our customer’s request) allowed us to plot all of the IP addresses that visited the three drop-boxes since the attack was discovered – the presence of common IPs was immediately evident from the analysis. The common IPs most likely belonged to the phishers and that assumption constitutes the starting point for law enforcement agencies to prosecute those criminals.
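The correlation step described in the quoted passage, as an added illustration that is neither the post's nor Symantec's code: the webmail login log format, the account names and the IP addresses are constructed, and the script lists every IP that logged into more than one of the three drop-boxes.

```python
import re
from collections import defaultdict

# Constructed sample data: one line per webmail login to a drop-box,
# "<timestamp> <drop-box account> <client IP>", for three separate
# phishing attacks against the same institution (hypothetical format).
DROPBOX_LOGS = {
    "attack-1": [
        "2024-03-01T08:01:12Z drop1@mail.invalid 198.51.100.23",
        "2024-03-01T09:17:40Z drop1@mail.invalid 203.0.113.7",
        "2024-03-02T22:05:03Z drop1@mail.invalid 192.0.2.44",
    ],
    "attack-2": [
        "2024-03-03T07:55:09Z drop2@mail.invalid 198.51.100.23",
        "2024-03-03T11:20:31Z drop2@mail.invalid 192.0.2.250",
        "2024-03-04T23:41:18Z drop2@mail.invalid 203.0.113.7",
    ],
    "attack-3": [
        "2024-03-05T06:12:47Z drop3@mail.invalid 198.51.100.23",
        "2024-03-05T18:33:02Z drop3@mail.invalid 192.0.2.99",
    ],
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_ips(lines):
    """Return the set of client IPs in one drop-box log; malformed lines are skipped."""
    ips = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ips.add(m.group(3))
    return ips

def correlate(logs):
    """Map each IP to the sorted list of attacks whose drop-box it logged into."""
    seen = defaultdict(set)
    for attack, lines in logs.items():
        for ip in parse_ips(lines):
            seen[ip].add(attack)
    return {ip: sorted(attacks) for ip, attacks in seen.items()}

def common_ips(logs, min_attacks=2):
    """IPs seen in at least `min_attacks` distinct drop-box logs: a lead, not proof,
    since an institution's own analysts or the provider's abuse team can recur too."""
    return sorted(ip for ip, attacks in correlate(logs).items()
                  if len(attacks) >= min_attacks)

if __name__ == "__main__":
    for ip in common_ips(DROPBOX_LOGS):
        print(ip, correlate(DROPBOX_LOGS)[ip])
```

Raising `min_attacks` to the number of attacks reproduces the "present in all three drop-boxes" view from Figure 1.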
The international phishing community thanks Symantec warmly for the tip. It promises to take more care in the future to use proxies, or even Tor. And in the next wave of fraud, they will simply ask Yahoo and Google directly for their customers' login credentials.