Using Images to Fight Phishing

So-called "phishing" Web sites set up by scammers to mimic financial institutions and swindle unwitting consumers often "inlink" or borrow logos and other images directly from the targeted institution's Web site as a way of making their scam pages look more legitimate (or maybe because the crooks are just lazy). Security experts have long suggested that banks turn the tables on phishing sites that use this technique by creating a short whitelist of sites that are permitted to use those images, and then simply swapping out the real image for one that reads "THIS IS A SCAM SITE" for any site not on the whitelist.

For whatever reason (likely out of fear that an innocent site may set off alarm bells and scare customers away from online banking), most banks have ignored this advice, or if they are using such techniques I've never seen them employed by any major financial institution against phishing attacks. That is, until today, when a good friend forwarded me a link to this phishing site that tries to impersonate e-gold, a digital currency used by millions of people around the globe (for a more thorough explainer of how e-gold works, check out this Wikipedia entry). While e-gold may not come to mind for many people when talking about major financial institutions, the company has been a frequent target of phishing attacks.

If you visit the scam site -- or better yet, just click on the included screenshot to see what I'm talking about here -- you'll notice the stop signs and a big honking alert in the center of the screen where this image used to be, which now says "THIS IS A FAKE -- FRAUDULENT WEB SITE". I contacted e-gold about this and they confirmed that their Web site techies did indeed "have a little phun with the images" on their site. Very slick.

A variation on this technique is useful in another way: if it cannot prevent phishing attacks, it can at least give e-gold a way to alert users who may have just fallen for a phishing scam targeting its site. That's because it's fairly standard practice for phishing sites to redirect users to the real financial institution's Web site after the scammers have tricked the user into giving away his or her personal and financial data. By keeping a blacklist of known phishing sites, a bank could serve customers referred from those scam pages a warning that urges them to pick up the phone and contact its customer service department.
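Both checks described above (a referrer whitelist for images and a referrer blacklist for the landing page) key off the browser's Referer header. The following is an added illustration, not code from the post or from e-gold; the hostnames in it are constructed placeholders. It uses a real URL parser rather than substring matching, and treats a missing Referer as benign so that privacy tools and direct visits do not trip the warning.

```python
"""Referer-based image and landing-page policy, in the spirit of the
e-gold trick described in the post. Added illustration; all hostnames
below are constructed placeholders, not real sites or indicators."""
from urllib.parse import urlsplit

# Hosts allowed to embed our images (the short whitelist from the post).
ALLOWED_IMAGE_REFERERS = {"bank.example", "www.bank.example", "partner.example"}
# Hosts of phishing pages we already know about (the blacklist idea).
KNOWN_PHISHING_HOSTS = {"bank-login.example.net"}

SCAM_WARNING_IMAGE = "/img/this-is-a-scam-site.png"
PHISHED_USER_WARNING_PAGE = "/warning-call-customer-service"


def referer_host(referer):
    """Return the lowercase hostname from a Referer header, or None if the
    header is absent or unparseable. Parsing the URL properly means that
    'bank.example.evil.test' or 'evil.test/?r=bank.example' do not match
    the way a naive substring check would."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def image_to_serve(referer, requested):
    """Decide which image file to send for an image request."""
    host = referer_host(referer)
    # No Referer is common (privacy extensions, direct visits, some mail
    # clients), so it is treated as allowed to avoid alarming real users.
    if host is None or host in ALLOWED_IMAGE_REFERERS:
        return requested
    # Any other site embedding our logo gets the scam warning instead.
    return SCAM_WARNING_IMAGE


def landing_page(referer):
    """Decide which page to show a visitor arriving at the login URL."""
    host = referer_host(referer)
    if host is not None and host in KNOWN_PHISHING_HOSTS:
        return PHISHED_USER_WARNING_PAGE
    return "/login"
```

As several commenters below point out, this only helps while the phisher hotlinks the images; a copy hosted on the scam site never sends a request to the bank at all.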

It's worth noting that Netcraft's anti-phishing toolbar detected this site as malicious and tried to prevent me from visiting it, as it is designed to do. I have to say that I've visited countless phishing sites in the past few months, and Netcraft's toolbar has done its job almost unfailingly.

By Brian Krebs  |  August 31, 2006; 10:45 AM ET
Categories:  Fraud  


CallingID also reported site as High Risk

Posted by: Bill Wallbank | August 31, 2006 12:10 PM | Report abuse

While I like this idea, I believe that one of the leading reasons many large organizations haven't followed the advice as has is simply ROI. The effort to whitelist anyone who has access to "proper" images and site presentation data, and redirect all others isn't huge, but neither is it a trivial effort. However, all a phisher has to do is wget the actual website and they have local copies of the latest and greatest images to serve up with their phishing scams. It's nice to see the image of that phishing site, and while I think it's a valuable option, it's simply one tool in what *should* be a toolbox of many, many responses to phishing.

Posted by: | August 31, 2006 12:22 PM | Report abuse

A similar technique was used over 2 years ago against a phishing site seeking donations to the Kerry campaign:,1759,1630161,00.asp

But you're right, even the most common phishing targets like PayPal seem reluctant to do this.

Posted by: Larry Seltzer | August 31, 2006 12:34 PM | Report abuse

zencoder's right, as soon as one or two major institutions do this, the phishers will start caching the images. That doesn't mean I think it shouldn't be done, but it is not going to help very much, either.

Posted by: The Cosmic Avenger | August 31, 2006 12:50 PM | Report abuse

I would go farther and say this is completely pointless. It's no effort at all for the phisher to host the images on the phishing site.

Posted by: antibozo | August 31, 2006 12:57 PM | Report abuse

But what they're doing now is hotlinking from the main website, so that if you check the image's properties, it reads the "correct" URL - thereby giving an unsuspecting user the idea that it's a legit site. They already have the option to save the image and upload it to their servers, but they don't because they think a user will notice that the image is saved on the "wrong" server; preventing hotlinking will force sites to stop that kind of misleading practice.

Posted by: Anonymous | August 31, 2006 1:03 PM | Report abuse

forcing the phisher to host their own version of the images removes that load from the legitimate owners bandwidth bill - however big or small it might be. who wants to pay to host a phishing web site attacking themselves :)

Posted by: jrw | August 31, 2006 1:07 PM | Report abuse

A lot of discussion about the sites failing when people start caching the images, this could be resolved by making the site images dynamic, say a clock or perhaps even some recognition of the user from a cookie, and have this served as an image. Then when sites don't present the cookie or new users come to the phishing site, warnings can be served.

Of course, this can be defeated too, but you are getting to need a true man-in-the-middle attack which has its own difficulties.

Posted by: DBH | August 31, 2006 2:54 PM | Report abuse

IE 7's (RC1) phishing filter also picked up this site with a "Suspicious website" warning.

Posted by: Gregg Keizer | August 31, 2006 3:14 PM | Report abuse

More or less all of the tips and warnings are directed to users who are suspicious, thorough and aware of the problem. We preach to the already believing so to speak.

Whatever we say or try to educate people about to become more aware of the dangers we find our efforts more or less of no effect. The basic problem is not technique, it's the fact that common people won't realize that they are in danger as "it won't happen to me". A common human behaviour is the urge to stay believing that matters are True, people are basically honest, "bank emails" are sent by banks and when connecting to their web site they have been connected to the true site. People lack interest, they are lazy and unwilling to even read this blog being "far too technical." How could we otherwise explain the weird practice to give away all our 16 digits on the credit card, the CVV2 code on the backside and the SSN to the "black Hole" during eShopping? How? Of course we know Boris might sit there collecting it, but we want to believe it's True.
We simply trust the website! This is my profession and I never ever eShop or use Online Banks until security is worth its name.

We will never ever be able to change a majority of people's attitudes in this respect, just for some of us, an increasing part of us maybe but so very far from 100%. Education is a well known problem as people don't comply. (Just take a look at the utmost reports by Gartner, Forrester and Phonemon).

When two commercial aircraft are on course to collide with each other and the Captains make the wrong move, the systems take over the decisions and make them up by themselves. We will never win against the crooks as long as we don't let the machines do the login job.

We need endpoint tokens securely authenticating both ends, VPN tunnels even for consumers and keystroking outside the infected computer area. An evidence is that the costs of online frauds increased from $40 bln 2004 to $67 bln in 2006 US only and in UK the increase of online banking losses raised 362% Q1,Q2 / 2004 to Q1,Q2 / 2005 (APACS). The criminals are just laughing at us discussing rather than doing our homework while they silently invent unbelievably smart solutions.

Posted by: William Palmborg,SecuraSystem Corp. | August 31, 2006 3:22 PM | Report abuse

Vanguard will soon be using images in a different way. You'll first enter your user name, which opens a new page. That page contains a password prompt and a personal picture that you've previously uploaded. If you don't see your picture, you would know not to put in the password.

Posted by: Jeff | August 31, 2006 3:41 PM | Report abuse

Good trick. Might be we should consider the Law of Unintended Consequences though. Namely, that servers hosting phishing sites will not have the bank's Intellectual Property in their cache and enforcement will be limited to shutting the site down.

Posted by: GTexas | August 31, 2006 5:10 PM | Report abuse

None of these measures is proof against a slightly clueful phisher. Dynamic images, personal images, referrer checking, etc. can all be trivially defeated by using a proxy on the phisher's site to pass all requests on to the institution's site, while logging input fields in the process--i.e. a true man-in-the-middle attack.

Posted by: antibozo | August 31, 2006 5:42 PM | Report abuse

Here's a page that has the Kerry campaign phishing story with image captures of it:,1895,1838622,00.asp

Click on the thumbnail images to see the full ones.

Posted by: Larry Seltzer | September 1, 2006 7:05 AM | Report abuse

Ironically, my company's web filters allow me to the phishing site, but not

Posted by: AE | September 1, 2006 2:22 PM | Report abuse

Most large-scale phishing attacks use their own locally-available images. Furthermore, while it's a good way (in theory) to dissuade attackers from phishing against a particular site, by allowing phishers to directly (and successfully) link to those images, the phished site is at a much greater advantage of detecting the phish by comparing various events in their web-server access logs (i.e., if you see an inordinate amount of hits against any particular image/html file, then you can more easily/readily take action against perpetrators).

Posted by: Michael | September 1, 2006 3:29 PM | Report abuse

Paypal, do you copy ?
Of all the phishing attempts I've seen, *all* images were included from the Paypal website.
Every amateur gallery website prevents "hotlinking" images these days, yet Paypal still allows it.
I don't see any reason to allow hotlinking images from Paypal except "Buy now" buttons.

Posted by: Henker | September 1, 2006 6:13 PM | Report abuse

Okay, I get the idea of a man in the middle attack,

But surely it's common sense to block/divert such suspicious activity from phishers.
If it was dynamic, so that the data passed back and forth is also dynamically changing the information and watching for the man in the middle stuff, then it would stick out like a sore thumb and the users could be warned via some sort of pass back

Posted by: Mhadf | September 3, 2006 3:58 PM | Report abuse

Mhadf> But surely it's common sense to block/divert such suspicious activity from phishers.
Mhadf> If it was dynamic, so that the data passed back and forth is also dynamically changing the information and watching for the man in the middle stuff, then it would stick out like a sore thumb and the users could be warned via some sort of pass back

Mhadf, I'm not sure what you are suggesting the bank could do, from a technical standpoint. The MITM attack is indistinguishable from normal traffic from the financial institution's perspective. The only thing I can think of a financial institution might do is watch for many unrelated logins issuing from a single IP. And that's easy to work around for the phisher as well, given that these guys control large numbers of zombie systems.

Posted by: antibozo | September 3, 2006 5:18 PM | Report abuse

ING Direct is a major financial institution that recently started using a unique image system where each customer chooses an image and keyword used to authenticate the web site during the login process.

Posted by: thw2001 | September 5, 2006 11:06 AM | Report abuse


© 2010 The Washington Post Company