Detecting Proxy-Based Phishing

Posted by Spencer on January 21st, 2016

I recently learned about a new, sophisticated type of phishing scheme. Traditionally, a scammer looking to steal information from someone has to go through the effort of building a fake website to spoof the target site. These spoof sites aren’t usually very good copies, so a victim can spot that something is amiss and leave. The new trend, however, is to load the target site through a proxy server. The victim is, for the most part, interacting with the real target site, with a couple of catches:

  • The scammer can monitor whatever is submitted through forms on the site.
  • The scammer can modify any content as they see fit.

Wow, scary, right? A scammer could be hijacking your users’ info and you may never even be aware that the proxy exists.

Once you learn your site is being proxied, there are of course steps you can take to defeat the proxy. You can file an abuse report with the scammer’s registrar, their host, and with Google if the proxy has been indexed. On your end, you can configure a firewall to block their IP. But how can you find out if your site is being proxied, without waiting for someone to tell you?

Luckily, you can figure this out using JavaScript. A window.location.hostname mismatch could indicate proxying. Here’s an example using jQuery.

<script>
$(document).ready(function() {
    var host = window.location.hostname;

    // The page is being served under a hostname that isn't ours.
    if (host !== 'spencerponte.com') {
        // do something
    }
});
</script>

That’s a start. At this point we could alert the victim that they’re on the wrong site, but we won’t do that. If we alert the user, we’d be alerting the attacker, and it would be trivial for them to strip this code. Instead we’ll only alert ourselves, so we can take appropriate countermeasures.

<script>
$(document).ready(function() {
    var host = window.location.hostname;

    // Hostname mismatch: report it silently to our own server.
    if (host !== 'spencerponte.com') {
        $.ajax({
            url: 'https://spencerponte.com/ping',
            data: { host: host }
        });
    }
});
</script>

The destination URL, “ping”, would need to be created of course. Just use the backend tools of your choice to sanitize and log the hostname that your site is being served with.
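One way the "sanitize and log" step could look on the server side, as an added example that is not part of the original post. The function names, the in-memory counter, the `www` alias and the `evil-proxy.example` hostname are all assumptions made for illustration.

```javascript
// Hostname handling for the /ping endpoint (hypothetical names throughout).
// The reported value is attacker-controlled, so it is validated before it
// ever reaches a log line.
const OWN_HOSTS = new Set(['spencerponte.com', 'www.spencerponte.com']); // www alias is an assumption

// DNS-style hostname: labels of 1-63 chars, letters/digits/hyphens,
// no leading or trailing hyphen, 253 chars total. IPv6 literals are rejected.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;

// Returns a normalized hostname, or null if the value is not a plausible one.
function sanitizeHost(raw) {
  if (typeof raw !== 'string') return null;   // repeated query params arrive as arrays
  const host = raw.trim().toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  // The whitelist rejects CR/LF (log forging), spaces, markup and oversized input.
  return HOSTNAME_RE.test(host) ? host : null;
}

// Decides what to do with one ping. `seen` is a Map of host -> hit count.
function handlePing(rawHost, seen, now = new Date()) {
  const host = sanitizeHost(rawHost);
  if (host === null) return { action: 'reject' };        // malformed: never logged raw
  if (OWN_HOSTS.has(host)) return { action: 'ignore' };  // our own site, nothing to report
  const count = (seen.get(host) || 0) + 1;
  seen.set(host, count);
  // Write a full log line only on first sighting so repeated pings cannot flood the log.
  if (count > 1) return { action: 'count', host, count };
  return { action: 'log', host, line: `${now.toISOString()} proxy-suspect host=${host}` };
}

// Constructed sample inputs, as the `host` query parameter might arrive.
const seenHosts = new Map();
const samples = ['Evil-Proxy.Example.', 'evil-proxy.example', 'spencerponte.com',
                 'evil.example\n2016-01-21 forged entry'];
for (const s of samples) console.log(JSON.stringify(handlePing(s, seenHosts)));
```

The request handler for `/ping` would pass the `host` query parameter to `handlePing` and append `line` to the log only when `action` is `'log'`.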
