
Using Referral Logs to Detect Attacks

posted by: FraudWatch International | date: Jun 24, 2015 | category: All, Brand Protection, Malware, Phishing

When someone visits your website, the web server software records, i.e. “logs”, the visit. Logs are kept for a certain period of time, and the part of this information that records where each visitor came from is called the “referrer log”. Referral logs can help you analyse the traffic to your site. Each referrer log program reports slightly different data, but some of the more common information includes:

  • What keywords were used to find your site
  • Which pages were accessed the most or the least
  • Average length of time someone remains on your site
  • Average number of user sessions or page views per day
  • Top entry and exit pages
  • Top referring sites
  • Summary of activity by day
  • Server errors
  • Bandwidth of the traffic on the site

The HTTP referer is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking this, you can see where the request originated.

Here’s an example of a log entry:

216.219.177.29 - - [15/May/2015:23:03:36 -0800] "GET /EXAMPLEBANK-logo.jpg HTTP/1.1" 200 3956 "http://EXAMPLEBANKHERE.COM/Phishingsite-logo.jpg" "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"

Let’s break down the information available from the log:

  • The IP address of your visitor: 216.219.177.29
  • The date and time of the visit: [15/May/2015:23:03:36 -0800]
  • The file requested, with the HTTP method and protocol version: "GET /EXAMPLEBANK-logo.jpg HTTP/1.1"
  • The HTTP status code; 200 means the request was completed successfully
  • The number of bytes that were transferred: 3956
  • The referer, i.e. the page your visitor came from that embedded or linked to the file requested from your site: "http://EXAMPLEBANKHERE.COM/Phishingsite-logo.jpg"
  • The user agent, identifying the browser and operating system of the visitor: "AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53". In this case, an Apple iPhone browsing to the phishing site via the Safari web browser.

Fifty percent of phishing sites load links and images from the genuine server of the targeted company to make their fake websites look more authentic. Your web server log will therefore show the request with the phishing site URL as the referer. Further to that, over ninety percent of phishing attacks redirect the user to the legitimate login page after they have been successfully phished; that redirect also generates a referrer log entry which can be used to detect phishing sites.

Referral logs are not switched on by default on most web servers. You need to ask your IT department (or whoever is responsible for web server management) to enable logging in Combined Log Format, which includes the referer and user-agent fields, on the web server.

One huge benefit of looking at the referral logs is that you can pre-empt an attack. When setting up their phishing sites, hackers have to run tests against the genuine website (to ensure that the images they load from it are going to work before they initiate their attacks). Suspicious log entries can be found by detecting unusual referers in the logs, which in turn can flag a threat before anything malicious is done.
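The detection described in the two paragraphs above (requests for brand assets and for the login page arriving with a foreign referer, and a referring host showing up while the phishing kit is still being tested) can be implemented as a small scan over Combined Log Format lines. The following is an added example written for this page; it is not code from the original post and not FraudWatch International’s product. It assumes Apache/nginx Combined Log Format, an assumed allowlist OWN_HOSTS of the organisation’s own domains, and constructed sample log lines in which the phishing host name is a placeholder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Regex for Combined Log Format (client IP, ident, user, timestamp, request line,
# status, size, referer, user agent). Assumption: logs are in this format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hosts allowed to embed or link to our content (assumed allowlist; in practice
# the organisation's own domains and any partners that legitimately hotlink).
OWN_HOSTS = {"examplebank.com", "www.examplebank.com"}

# Resources a phishing kit typically pulls from the genuine server (brand assets)
# and the login paths reached by the post-phish redirect (assumed paths).
ASSET_SUFFIXES = (".jpg", ".png", ".gif", ".css", ".js", ".ico")
LOGIN_PATHS = ("/login", "/signin")


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def referer_host(referer):
    """Lower-cased hostname of the referer; '' for direct visits logged as '-'."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def classify(entry):
    """Return a reason string if the entry points at a foreign referer, else None."""
    host = referer_host(entry["referer"])
    if not host or host in OWN_HOSTS:
        return None
    path = entry["path"].lower()
    if path.endswith(ASSET_SUFFIXES):
        return "brand asset hotlinked from foreign host"
    if any(path.startswith(p) for p in LOGIN_PATHS):
        return "login page reached via redirect from foreign host"
    return "foreign referer"


def scan(lines):
    """Return (alerts, per-host counts). A host's first appearance in the counter is
    the early signal: a kit being tested hotlinks assets before victims arrive."""
    alerts = []
    hosts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hosts[referer_host(entry["referer"])] += 1
            alerts.append((entry["ip"], entry["ts"], entry["path"], entry["referer"], reason))
    return alerts, hosts


# Constructed sample log lines (not real traffic); phishing-example.invalid is a placeholder.
SAMPLE_LOG = """\
216.219.177.29 - - [15/May/2015:23:03:36 -0800] "GET /EXAMPLEBANK-logo.jpg HTTP/1.1" 200 3956 "http://phishing-example.invalid/Phishingsite-logo.jpg" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
203.0.113.5 - - [15/May/2015:23:04:01 -0800] "GET /style.css HTTP/1.1" 200 812 "https://www.examplebank.com/" "Mozilla/5.0"
203.0.113.7 - - [15/May/2015:23:05:12 -0800] "GET /login HTTP/1.1" 200 5120 "http://phishing-example.invalid/verify.php" "Mozilla/5.0"
198.51.100.9 - - [15/May/2015:23:06:44 -0800] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for ip, ts, path, referer, reason in found:
        print(f"{ts} {ip} {path} referer={referer}: {reason}")
    print("referring hosts:", counts.most_common())
```

Run it against an access log with `scan(open("access.log"))`; the per-host counter is what to watch over time, since a host that has never referred traffic before and is now pulling your logo is exactly the testing-phase signal the post describes, whereas the allowlist keeps your own pages and known partners out of the alert list.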

Analysing log files can be a laborious task, which is why most organisations let their log files gather dust. FraudWatch International has developed a proactive log monitoring solution that provides real-time analysis of referrer logs and subsequent detection of phishing sites.

FraudWatch International’s Log Monitoring solution is an appliance server installed alongside your web servers, operating 24x7x365. Once installed, any brand alert incidents triggered during the referrer log analysis are created automatically with no human intervention. The incident is subsequently queued for immediate takedown.

Stay tuned for a full article on FraudWatch International’s Log Monitor, next week!
