Hi,
I'm working on a case in which a company is accused of falling for a phishing scam. Basically, the bank alleges that the user must have clicked on the link and logged in to the phony site.
I have the alleged victim's drive and am looking for
- Emails with the bank's name (or bankname.com with a phony HREF)
- Internet traffic (from the index.dat) that shows redirects or other info with the bank's name
Any other ideas?
Thanks,
A
The primary source for phishing schemes that I've run across, when examining a victim's drive, is their Internet history. ProDiscover provided the ability to populate the Internet history easily. Another method is to view the contents of the Temp Internet Files directories based on a timeframe, if you have one.
What you should expect to see is URLs that contain the bank's name, but not at the root. Also, many phishing scams make use of PHP vulnerabilities to get set up, so look for .php or CGI-style extensions to files.
HTH
I agree with Harlan's comment "phishing scams make use of PHP vulnerabilities".
I've seen several incidents where a hidden iframe with a zero by zero image tag had an href that was used to redirect the victim. In a few of these cases, the exploit occurred not on the "banks" site, but one that the victim had been browsing prior.
Chris
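Putting Harlan's and Chris's pointers into a small triage script, as an added example that is not from anyone in this thread: it flags history URLs where the bank's name appears in the host or path but not at the registered domain, or that use a .php/.cgi-style extension on a non-bank host, and pulls the src of any iframe declared with zero width or height out of a cached page. The bank name, URLs and HTML below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

BANK = "examplebank"  # constructed placeholder for the real bank's name

# Constructed sample of URLs as pulled from a browser history file.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "http://examplebank.login-check.example/",
    "http://update-now.example/examplebank/login.php?id=1",
    "http://203.0.113.5/cgi-bin/examplebank.cgi",
    "http://news.example/article.html",
]

SCRIPT_EXT = re.compile(r"\.(php|cgi|pl|asp)\b", re.I)

def triage_url(url, bank=BANK):
    """Return the reasons a history URL looks like a phishing page (empty if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    # The genuine site has the bank name as the registered (second-level) label.
    at_root = len(labels) >= 2 and labels[-2] == bank
    reasons = []
    if bank in host and not at_root:
        reasons.append("bank name in host but not at root domain")
    if bank in p.path.lower() and not at_root:
        reasons.append("bank name in path of non-bank host")
    if SCRIPT_EXT.search(p.path) and not at_root:
        reasons.append("script-style extension on non-bank host")
    return reasons

def triage_history(urls, bank=BANK):
    """Map each suspicious URL to its reasons; clean URLs are left out."""
    return {u: triage_url(u, bank) for u in urls if triage_url(u, bank)}

# Constructed cached page with a zero-size iframe injected before the body text.
SAMPLE_HTML = ('<html><body><iframe src="http://203.0.113.5/cgi-bin/examplebank.cgi"'
               ' width="0" height="0"></iframe><p>Daily news</p></body></html>')

HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0(?!\d)[^>]*>", re.I)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*[\"']([^\"']+)", re.I)

def find_hidden_iframes(html):
    """Return src values of iframes declared with a zero width or height."""
    found = []
    for m in HIDDEN_IFRAME.finditer(html):
        s = IFRAME_SRC.search(m.group(0))
        found.append(s.group(1) if s else "")
    return found
```

Run it over the URL list exported from the history viewer and over each cached HTML file in the Temporary Internet Files window of interest.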