We determine the phishing sites "by eye"
Phishing sites are common, especially for services such as Vkontakte, Odnoklassniki and webmail. It is more dangerous when you get to such a site as a result of pharming - substitution in the HOSTS file or changes in DNS information. Then, when the user dials this address, he will get to the phishing site. And later he will find out from friends that such strange messages come from his account :) However, in some cases, you can determine the phishing site "by eye" using 2 simple Firefox plugins.
As a rule, phishing sites are registered on nominees, and physically can be located on web servers almost worldwide. This feature can be used as a sign. For example, if the website of the Russian social network is located on a web server in China, Peru or Zimbabwe, this is a reason to doubt the legality of such a website even to the most inexperienced user. You can determine the country in which the web server of the visited website is located by using, for example, the Flagfox extension for the Mozilla Firefox browser. The figure shows a page of a phishing site that mimics the social networking site "V Kontakte". Malware Trojan.BAT.QHost.fy has redirected to this site. At the same time, the Flagfox extension demonstrates that the web server of this site is located in China. If you don’t remember all the flags, it’s enough to hover the mouse over the flag image so that the decryption with the full name of the country appears in the pop-up window.
This method is simple, but it will allow you to identify signs of a phishing site, even if you manipulate information on a remote DNS server. Of course, if the attacker's site is located in the same country as the original site, it will not be possible to identify a fake in this way. Another feature of pharming attacks is that, as a rule, several sites are subjected to redirection at once, for example, sites of different banks or popular social networks. In this case, physically, all fake websites, again in most cases, are located on a single web server. Therefore, if you see the same IP address on the Odnoklassniki and Vkontakte website, this is a clear sign of malicious redirection. So Trojan.Win32.QHost.mcc redirects users to the fake social networking sites Odnoklassniki, Vkontakte, mail services Yandex.Pochta, Ramber.Pochta. At the same time, all these sites are located on the same IP address, which is easy to identify using the “ Show IP ” extension to the Firefox browser (see figure)
')
The described methods are quite simple, do not require any costs :). Other ways to protect + methods of implementing pharming attacks can be found in a special review article .
As a rule, phishing sites are registered on nominees, and physically can be located on web servers almost worldwide. This feature can be used as a sign. For example, if the website of the Russian social network is located on a web server in China, Peru or Zimbabwe, this is a reason to doubt the legality of such a website even to the most inexperienced user. You can determine the country in which the web server of the visited website is located by using, for example, the Flagfox extension for the Mozilla Firefox browser. The figure shows a page of a phishing site that mimics the social networking site "V Kontakte". Malware Trojan.BAT.QHost.fy has redirected to this site. At the same time, the Flagfox extension demonstrates that the web server of this site is located in China. If you don’t remember all the flags, it’s enough to hover the mouse over the flag image so that the decryption with the full name of the country appears in the pop-up window.
This method is simple, but it will allow you to identify signs of a phishing site, even if you manipulate information on a remote DNS server. Of course, if the attacker's site is located in the same country as the original site, it will not be possible to identify a fake in this way. Another feature of pharming attacks is that, as a rule, several sites are subjected to redirection at once, for example, sites of different banks or popular social networks. In this case, physically, all fake websites, again in most cases, are located on a single web server. Therefore, if you see the same IP address on the Odnoklassniki and Vkontakte website, this is a clear sign of malicious redirection. So Trojan.Win32.QHost.mcc redirects users to the fake social networking sites Odnoklassniki, Vkontakte, mail services Yandex.Pochta, Ramber.Pochta. At the same time, all these sites are located on the same IP address, which is easy to identify using the “ Show IP ” extension to the Firefox browser (see figure)
')
The described methods are quite simple, do not require any costs :). Other ways to protect + methods of implementing pharming attacks can be found in a special review article .
Source: https://habr.com/ru/post/73294/
All Articles