I stumbled on a new (to me) technique to defend against phishing attacks today.
A little background. Spoof sites use the same images as the sites they are spoofing. Sometimes those images are stored on the same server as the spoof site, and sometimes they are hot-linked to the target site directly. When images are hot-linked, every victim's browser pulls them from the target site's own server and displays them on the phishing page, so the target site handles a request for each one.
Check out this spoof of Royal Bank of Canada we saw today.
Notice the WARNING! FRAUDULENT SITE! image at the top left? That image has been hot-linked, so it is being pulled directly from the RBC web site. Normally, the image at that URL is the RBC logo, but in this case the RBC web site is serving an alternative image in an attempt to warn users about the danger. To reiterate: RBC serves a warning image when its logo is embedded in this phishing site, but serves the normal logo on its own pages. Cool!
Here’s how they are (probably) doing this:
When a browser requests an image from a web server, the request usually includes a Referer header (the HTTP spec's misspelling of "referrer"): the browser tells the server the URL of the page that embedded the image. It looks like RBC is serving different images based on the Referer the browser sends. RBC may be serving the warning logo any time a page outside its own domains hot-links the logo, or it may be doing it only for specific referers (known phishing sites). I don't know and don't have plans to test.
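Here is the mechanism as a small server-side handler. This is an added example, not RBC's code and not something observed on their site: the hostnames, the image path, the placeholder image bytes and the optional known-phisher list are all assumptions for illustration. It supports both variants the post speculates about (warn on any third-party hot-link, or warn only for listed referers), and it deliberately serves the real logo when the Referer is missing or unparseable, since browsers and Referrer-Policy settings legitimately strip that header and a bank does not want to show "FRAUDULENT SITE" to its own customers.

```python
"""Serve a different image depending on the HTTP Referer header.

Added example (not RBC's code). Hostnames, paths and image bytes are assumed.
"""
from urllib.parse import urlsplit
from wsgiref.simple_server import make_server

# Domains allowed to embed the logo and receive the real one (assumed).
OWN_HOSTS = {"rbc.com", "rbcroyalbank.com"}
# Optional explicit list of known phishing hosts (assumed; empty by default).
KNOWN_PHISHING_HOSTS = set()

# Constructed stand-in image bytes; a real server would read PNG/GIF files.
LOGO_IMAGE = b"<real logo bytes>"
WARNING_IMAGE = b"<WARNING! FRAUDULENT SITE! image bytes>"


def referer_host(referer):
    """Return the lowercased host from a Referer value, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def is_own_host(host):
    """Exact match or a subdomain of an own host; 'rbc.com.evil.example' does not match."""
    return any(host == own or host.endswith("." + own) for own in OWN_HOSTS)


def choose_image(referer, only_known_phishers=False):
    """Decide which image to serve: 'logo' or 'warning'.

    A missing or unparseable Referer yields the real logo so that users whose
    browser strips the header (privacy settings, Referrer-Policy) are unaffected.
    """
    host = referer_host(referer)
    if host is None or is_own_host(host):
        return "logo"
    if only_known_phishers:
        return "warning" if host in KNOWN_PHISHING_HOSTS else "logo"
    return "warning"  # any third-party hot-link gets the warning image


def app(environ, start_response):
    """Minimal WSGI handler for the logo URL (assumed path /images/logo.png)."""
    if environ.get("PATH_INFO") != "/images/logo.png":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    choice = choose_image(environ.get("HTTP_REFERER"))
    body = LOGO_IMAGE if choice == "logo" else WARNING_IMAGE
    start_response("200 OK", [
        ("Content-Type", "image/png"),
        ("Content-Length", str(len(body))),
        # Caches must not hand one referer's variant to another requester.
        ("Vary", "Referer"),
        ("Cache-Control", "no-store"),
    ])
    return [body]


if __name__ == "__main__":
    # python3 this_file.py, then: curl -H 'Referer: http://198.51.100.7/rbc/' http://127.0.0.1:8000/images/logo.png
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```

The `Vary: Referer` and `Cache-Control: no-store` headers matter in practice: without them a CDN or proxy that cached the warning variant would serve it to everyone who fetched the logo afterwards, including visitors on the real site.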
This technique is interesting, though I don't know how effective it is. It's trivial for phishers to serve local copies of images instead of hot-linking them, and even a hot-linked image can be fetched without a Referer (for example with a referrerpolicy="no-referrer" attribute on the img tag), so there is a simple work-around for phishers.