
Fighting Spoofing



Hello all!

Recently, I received a very deceiving, but convincing email that
referred to a locked account due to being compromised and that I should
"update" my information. At first glance, my "spidey-sense" was alerted
and I looked everything over (so I thought) and it looked legit. Upon
further inspection, I found out it was spoofing the originating site
with extremely clever validity.

I did my research through various tools and tracked down tons of info on
the machine, network, company and such in question. I will be submitting
it to the originating website's security team, as well as the feds.
(this is hard-core ID theft practicing)

Now in this case, they're not "spoofing" (i.e. proxying/anonymizing) the
originating website, but rather using extremely well made web pages
which give the illusion of being on the real site. However, this is
really a "man-in-the-middle" style of attack and it got me thinking
about how to fight/combat the "proxying" software used in those attacks.
I have done a bit of googling for this aspect, but haven't come up with
anything concrete in the way of connecting to the "spoofing" server and
discovering what type of software they're using to "spoof" the real
site--thus providing a basis for discovering flaws/holes in it to be
exploited and shut down. Kinda like "reverse hacking a hacker" ;)

Does anyone know of such a tool? I'm thinking this would be similar to
the technology used by Net Craft to learn what server software is used
on any given webserver.

Since we're on a larger topic anyway, why don't I just throw the door
wide open and let anything related to
Spam/Spoofing/Phishing/Man-in-the-Middle/DDoS/trojans/rootkits/ID
Theft/etc... come on in! :)

Thanks!
-- 
Travis Owens <openbook@linuxmds.com>

