Tuesday, October 31, 2006

Firefox 2.0 Anti-Phishing Filter Vulnerable To Evasion

Via Ha.ckers.org -

Jungsonn has only been a member of the forums for one day and he hits big with IP encoding that evades Firefox’s anti-phishing filter. This isn’t the first time I’ve seen this sort of thing, but it’s the first time I’ve seen it in a commercial browser. What Firefox is doing is doing a direct compare against the URL. Using the IP obfuscation calculator you can create IP addresses that don’t match what is in the anti-phishing list. But it’s worse than Jungsonn reported even.

That’s right, go to any phishing site and add in a QUERY_STRING to the end of the URL and poof, no more popup. What a bummer. I was really hoping they would do something a little smarter with this. Unfortunately with this knowledge it is extremely easy to defeat the anti-phishing detection built into Firefox’s newest browser.

The QUERY_STRING issue is a tough one to solve, because where do you know to compare against? The IP address issue that Jungsonn came up with really bothers me. Why would you use the URI field to do comparisons instead of the IP address that it is normalized to? Is it an oversight? Oh well, I hope they fix this soon.




This is kinda scary. Phishing sites have been using IP obfuscation tricks for quite some time. Just roughly guessing, I would say that around 10-20% of the phish that I saw on PIRT were using some form of simple IP obfuscation.
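The check the quoted post asks for, comparing against the address a URL normalizes to instead of the raw string, is sketched below as an added example; it is not code from Firefox or ha.ckers.org. It assumes list entries are keyed on host plus path with the query string ignored, and the addresses are constructed documentation-range values.

```python
import ipaddress
from urllib.parse import urlsplit


def parse_ipv4_loose(host):
    """Resolve inet_aton-style IPv4 spellings (1-4 parts, each decimal,
    0x-hex or 0-prefixed octal) to a dotted quad; None if not an IPv4 form."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not p or not p.isascii() or not p.isalnum():
            return None
        try:
            if p.lower().startswith("0x"):
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p.startswith("0"):
                nums.append(int(p, 8))
            else:
                nums.append(int(p, 10))
        except ValueError:
            return None  # ordinary hostname label, not a number
    *head, last = nums
    # Leading parts are single bytes; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def canonical_key(url):
    """Lookup key: normalized host + path. Dropping the query string is an
    assumed policy of this sketch, chosen so appended parameters cannot
    change the key."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return (parse_ipv4_loose(host) or host.rstrip(".")) + (u.path or "/")


# Constructed blocklist entry (192.0.2.0/24 is reserved for documentation).
BLOCKLIST = {canonical_key("http://192.0.2.10/login.php")}


def is_blocked(url, blocklist=BLOCKLIST):
    """Compare the canonical key, never the raw URL string."""
    return canonical_key(url) in blocklist
```

Keying on host plus path means every URL under that path on the listed host matches, so the list has to be built with that granularity in mind.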
