Comments on: The Tank is bubbling http://www.phishtank.com/blog/2007/04/11/the-tank-is-bubbling/ A blog about and from PhishTank, a collaborative clearinghouse for data about phishing. Thu, 21 Aug 2008 06:44:54 +0000 http://wordpress.org/?v=2.0.4 by: MASA http://www.phishtank.com/blog/2007/04/11/the-tank-is-bubbling/#comment-16542 Fri, 20 Apr 2007 01:01:07 +0000 http://www.phishtank.com/blog/2007/04/11/the-tank-is-bubbling/#comment-16542 Why don't you detect the strings that are sent, and if one of the strings has a hostname match with one in the database, then red flag it. Simply: www.googlephishingsite.com/lalalalalala/dieusers/index.html is in the database The phisher sets up another phishing site that is like: www.googlephishingsite.com/lala2/losers/haha/index.html User visits the second url, and it is sent to phishtank (if they use SiteChecker [:)]). PT says, hmm...it's close to this result which is a phish, and tells the software that it is a phish. The phishing site is blocked. Why don’t you detect the strings that are sent, and if one of the strings has a hostname match with one in the database, then red flag it.

Simply:

www.googlephishingsite.com/lalalalalala/dieusers/index.html is in the database

The phisher sets up another phishing site that is like:
www.googlephishingsite.com/lala2/losers/haha/index.html

User visits the second url, and it is sent to phishtank (if they use SiteChecker [:)]). PT says, hmm…it’s close to this result which is a phish, and tells the software that it is a phish. The phishing site is blocked.

]]>