
How to detect scam/phishing websites...


1c3d0g


For those of you who have been tricked into paying for µTorrent, I really feel your pain. :( Here's a few tips to minimize any future exposure to such scumbag websites.

1.) Use Firefox/Opera etc. instead of Internet Explorer. Most fraudulent websites are filled with code exploits that target Internet Explorer in particular. Just don't use Internet Explorer, there are better alternatives around! ;)

2.) If you're using Firefox, two valuable extensions you can use to identify dubious sites are SpoofStick and Google SafeBrowsing. They're both easy to use. SpoofStick tells you exactly on what website you are, even if a site claims it is www.utorrent.com (for instance). Usually scam/phishing websites have numbers instead of the real name, like http://12.34.56.78, or they have "cleverly" mutated the word utorrent into utorent (lacks an "r") or utorrnet (common misspelling). Google SafeBrowsing allows you to spot a fake site that Google believes is run by con artists. Look out for dodgy websites that claim to offer fantastic prices on popular software (or any other merchandise, for that matter). Always check the official home page of the program you're about to buy (if you were looking for µTorrent, this website right here is µTorrent's only official Head Quarters). :)

3.) Be pro-active, not reactive! Educate yourself about scam/phishing by following Wikipedia's entry for scam and phishing. Even M$ has some tips on how to prevent identity theft from phishing scams. Hopefully these types of incidents will reduce with time, and for those foolish enough to participate in these illegal activities, hard jail time shall await you. :D

Link to comment
Share on other sites

Sorry, an error occurred. If you are unsure on how to use a feature, or don't know why you got this error message, try looking through the help files for more information.

The error returned was:

Sorry, but you do not have permission to access the Links System

:|

Link to comment
Share on other sites

1.) Use Firefox/Opera etc. instead of Internet Explorer. Most fraudulent websites are filled with code exploits that target Internet Explorer in particular. Just don't use Internet Explorer, there are better alternatives around! ;)

Or use Internet Explorer 7, since it's an awesome alternative to Internet Explorer 6. Beta 2 is pretty stable, and once Vista comes out, there's even a Protected Mode that you can use, that runs it with crippled permissions, essentially trapping IE 7 in a box, and it wouldn't be able to touch your system. In addition, there's additional security for ActiveX objects, and with whitelisting/blacklisting (forgot which), it won't let you install certain ones even if you click OK.

I use both Firefox and IE, so don't call me a M$ zombie or anything :P I only use things when they're useful and I like them.

Link to comment
Share on other sites

I was in DSL BroadBand Reports more than a year ago and ran into a thread that had different symbols and characters that phishers use. I put some of the symbols in my ad blocker and it worked like a charm. They had a test site to use to see if ur browser was open to phishing without ur knowledge.

I cant remember most of the symbols. One was %2F. Phishers use %2F instead of / when creating urls. One important one was a small r offset near the bottom of the current line. A couple of sites that have various symbols and characters:

http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_14143

http://www.jimprice.com/jim-asc.htm

When I can find that thread again, those 2 sites will make more sense than they do now....lol. Stay tuned......

Ok im back. This is a test site to see if ur browser is suspect: click on perform test

http://secunia.com/internet_explorer_address_bar_spoofing_test/

Notice the fake site has %00 right after the .com of the url. Also, if u let ur mouse hover over the link at that site, u see the real address. And while hovering, there is a space. The test phish site is kinda old now. But most, if not all browsers shouldnt let u on the site. I click it and it says "Page cannot be displayed" Im using IE6 with all up to date patches.

Will continue to look for that DSL thread.....

P.S. for those that cant see the phish site cuz of secure browsers, it said Microsoft and had the MS colors and fonts. It looked like a real MS site. The DSL thread had a fake Symantec site. It took me a week to get it to stop showing up in my browser. All this I did back a few years ago so hopefully most browsers are more secure.

Ok a lil more info then Im done: http://secunia.com/advisories/10395/ Its from the same site.

An excerpt from the last link:

"This can be exploited to trick users into divulging sensitive information or download and execute malware on their systems, because they trust the faked domain in the two bars. Example displaying only:

"http://www.trusted_site.com" shows in the //----/ bars when the real domain is

"malicious_site.com"

Ex.; "http://www.trusted_site.com%01%00@malicious_site.com/malicious.html"

Ok this is really it til I find that DSL thread: http://www.pc-help.org/obscure.htm

Those different urls all say pc-help.org. I just found out my browser blocks all except one (the one with all the different symbols)

I got some work to do.....

An example he used:

"In my example, I have interspersed hex representations with the real letters of the URL. It simply spells out "/obscure.htm" in the final analysis:

/ o %62 s %63 ur %65 %2e %68 t %6D <---part of a phished url

/ o b s c ur e . h t m <--part of a safe url

They both say /obscure.htm.....scary huh......

One more thing: its either the browser and/or the ad blocker thats blocking the fake sites. So when that one url makes it thru my browser, I might can block it using my ad blocker. This is where Norton was good. U can set Norton's ad blocker to block symbols like %60. Now I gotta see if my ad blocker does this.

More phish flaws to test:

http://habaneronetworks.com/viewArticle.php?ID=140

http://www.zapthedingbat.com/security/ex01/vun1.htm

FINALLY!! I found the orig place I saw most of this stuff at. http://www.dslreports.com/shownews/36359

Another lil tip: if u hover over the link and it still looks legit, right click and hold on it to see if it shows a fake site or not in the status bar in IE.

I see most of those tests are blocked now. They are old, created around 2003-2004. But its still good to make sure u are protected even from old exploits.

This used to be scary cuz they phished an https url. But its blocked now:

http://www.dslreports.com/forum/remark,8751690

**Im saying blocked thru out this post referring to me using IE 6. Your browser may or may not be safe**

**Last Update**

I had it backwards about the one I couldnt block. He was just visually showing all those different symbols say pc-help.org too. If he woulda did it the other, my browser blocks it.

Link to comment
Share on other sites

The site that someone was trying to link to earlier was p2pscams.info. It's a useful resource on p2p scam sites.

One important one was a small r offset near the bottom of the current line.

Yep, that's called a homograph spoofing attack. Opera circumvents this exploit by displaying the ASCIIfied domain name instead of the IDN, like xn--torrent-jof.com instead of µtorrent.com...

Link to comment
Share on other sites
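
The URL tricks raised in this thread (numeric hosts, misspelled names, letters hidden as %xx escapes, the `%01%00@` userinfo trick, punycode hosts) can be checked mechanically. The following Python sketch is an added example, not code from any poster or from the linked sites; the function names, tag names and the `expected_host` parameter are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_url(url, expected_host):
    """Return (warning tags, real host, decoded path); tag names are made up here."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # the part AFTER any '@' is the real host
    if host.startswith("www."):
        host = host[4:]
    flags = set()
    if "@" in parts.netloc:              # text before '@' is userinfo, not a site
        flags.add("userinfo-before-host")
    escapes = [int(h, 16) for h in re.findall(r"%([0-9A-Fa-f]{2})", url)]
    if any(b < 0x20 for b in escapes):   # %00, %01 and other control bytes
        flags.add("control-byte-escape")
    if any(chr(b) in UNRESERVED for b in escapes):  # plain letters hidden as %xx
        flags.add("needless-percent-encoding")
    try:
        ipaddress.ip_address(host)
        flags.add("ip-address-host")
    except ValueError:
        pass
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.add("idn-host")            # show the xn-- form, never the glyphs
    if 0 < edit_distance(host, expected_host) <= 2:
        flags.add("lookalike-of-expected")
    return sorted(flags), host, unquote(parts.path)

if __name__ == "__main__":
    # Sample URLs are the ones quoted in this thread.
    for u, want in [
        ("http://www.trusted_site.com%01%00@malicious_site.com/malicious.html", "trusted_site.com"),
        ("http://12.34.56.78/", "utorrent.com"),
        ("http://www.utorrnet.com/", "utorrent.com"),
        ("http://www.pc-help.org/o%62s%63ur%65%2e%68t%6D", "pc-help.org"),
        ("http://xn--torrent-jof.com/", "utorrent.com"),
    ]:
        print(u, "->", audit_url(u, want))
```

The lookalike check compares the whole host against one expected name and does not use a public-suffix list, so it is only meaningful when you already know which site you intended to visit.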

Archived

This topic is now archived and is closed to further replies.
