Hi List,
I've noticed a lot of phishing spam tries to obfuscate the URI with the
following form:
http://www.mybank.com.phish.cn
and I've been thinking about trying to write a generic rule to detect
this approach.
I haven't had much success yet for dot coms, but UK domains seem pretty
easy. I can't think of a valid reason to see .co.uk.whatever in a URI
(.uk.com and .uk.net are valid, but not preceded by .co), so this rule
seems to work pretty well for UK phishing (banks, etc.):
uri LOCAL_URI_PHISH_UK m{https?://.{1,40}\.co\.uk\.\w}i
Likewise, this approach could easily be expanded to include government
and academic domains, .gov.uk and .ac.uk, respectively.
uri LOCAL_URI_PHISH_UK m{https?://.{1,40}\.(ac|co|gov)\.uk\.\w}i
Feedback on these rules would be appreciated.
For dot coms it gets a little more complicated, as there are plenty of
valid TLDs that can follow .com (e.g., example.com.au, .com.br, .com.cn,
etc.).
So could a dot com variant be as simple as checking for a minimum of 3
word characters following .com?
uri LOCAL_URI_PHISH m{https?://.{1,40}\.com\.\w{3,}}i
But even then it wouldn't catch things like
http://www.mybank.com.x.y.z.phish.cn, so it may be necessary to parse the
full domain string and match the 2- or 3-letter TLD on the end:
uri LOCAL_URI_PHISH m{https?://.{1,40}\.com\..{1,60}\.[a-z]{2,3}\b}i
but maybe this is now too relaxed and may generate FPs?
BTW, some of these phishing domains can be *really* long, as in this
recent example of a Google AdWords phishing attempt (obfuscated by me,
was com68 not example.ru):
http://adwords.google.com.session-39233324133776181464.82036896558794093384.example.ru
Any thoughts?
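To make the trade-offs in the post concrete, here is an added Python harness (not part of the original message or of SpamAssassin) that runs the three posted rule bodies as Python regexes over constructed sample URIs, and beside them a label-based check that parses the hostname with urllib and only looks at the host, never the path. The suffix knowledge it carries (.ac/.co/.gov under .uk, and .com.au/.com.br/.com.cn as legitimate second-level endings) is deliberately limited to what the post mentions and is a stand-in for a real Public Suffix List; the sample URIs and rule names for the .com variants are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# The three rule bodies from the post, translated to Python regexes
# (SpamAssassin's m{...}i flag corresponds to re.I). The two .com rule names
# are made up here so both variants can be compared side by side.
POSTED_RULES = {
    "LOCAL_URI_PHISH_UK": re.compile(r"https?://.{1,40}\.(ac|co|gov)\.uk\.\w", re.I),
    "LOCAL_URI_PHISH_COM_W3": re.compile(r"https?://.{1,40}\.com\.\w{3,}", re.I),
    "LOCAL_URI_PHISH_COM_TLD": re.compile(r"https?://.{1,40}\.com\..{1,60}\.[a-z]{2,3}\b", re.I),
}

# Constructed, intentionally small suffix knowledge taken from the post.
# A real deployment would load the Public Suffix List instead.
UK_SECOND_LEVEL = {"ac", "co", "gov"}          # .ac.uk .co.uk .gov.uk
CC_WITH_COM_SECOND_LEVEL = {"au", "br", "cn"}  # .com.au .com.br .com.cn


def posted_rule_hits(uri):
    """Names of the posted regex rules that fire on a URI, sorted."""
    return sorted(name for name, rx in POSTED_RULES.items() if rx.search(uri))


def hostname_labels(uri):
    """Lower-cased DNS labels of the URI's host, left to right; [] if no host."""
    host = urlsplit(uri).hostname or ""
    host = host.lower().strip(".")
    return host.split(".") if host else []


def embedded_suffix_findings(uri):
    """Describe any registrable-looking suffix that sits *inside* the hostname.

    Mirrors the post's reasoning on the parsed host only:
      * ac/co/gov followed by uk is only acceptable at the very end of the host;
      * com followed by further labels is only acceptable as exactly
        ".com.<known cc>" at the end of the host.
    """
    labels = hostname_labels(uri)
    findings = []
    for i, label in enumerate(labels):
        trailing = labels[i + 1:]
        # "<brand>.co.uk.<more>" style: second-level UK suffix not at the end
        if label in UK_SECOND_LEVEL and len(trailing) >= 2 and trailing[0] == "uk":
            findings.append("%s.uk embedded before .%s" % (label, ".".join(trailing[1:])))
        # "<brand>.com.<more>" style, unless it is a known ".com.<cc>" ending
        if label == "com" and trailing:
            if len(trailing) == 1 and trailing[0] in CC_WITH_COM_SECOND_LEVEL:
                continue
            findings.append("com embedded before .%s" % ".".join(trailing))
    return findings


# Constructed sample URIs: the post's examples plus two legitimate-looking
# ones chosen to show where the regexes and the host parser disagree.
SAMPLE_URIS = [
    "http://www.mybank.com.phish.cn",
    "http://www.mybank.co.uk.phish.cn",
    "http://www.mybank.com.x.y.z.phish.cn",
    "http://adwords.google.com.session-39233324133776181464.82036896558794093384.example.ru",
    "http://www.example.com.au/",
    "http://www.uk.com/",
    "http://www.example.com/docs/readme.com.html",  # .com. appears only in the path
]


def compare(uris=SAMPLE_URIS):
    """Return {uri: (regex rule hits, host-parser findings)} for each sample."""
    return {u: (posted_rule_hits(u), embedded_suffix_findings(u)) for u in uris}


if __name__ == "__main__":
    for uri, (hits, findings) in compare().items():
        print(uri)
        print("  regex rules :", hits or "-")
        print("  host parser :", findings or "-")
```

The last sample is the caveat worth keeping in mind with the regex form: `.{1,40}` happily runs across the `/` into the path, so a harmless document URL containing `.com.` in its filename trips the three-word-character rule, while the parser that first isolates the host does not. The parser also reports exactly which suffix was buried and what followed it, which is handy when tuning a rule against real traffic.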