How effective are phishing links that refer to FTP sites?
Some spam phishing links refer to FTP sites. Are these phishing attempts more effective than those that do not incorporate FTP?
The vast majority of phishing
emails still include HTTP links, but we have seen a recent smattering of them that refer to FTP links. That's most likely because the bad guys know that today's malware defenses analyze HTTP links for various forms of tricky URL obfuscation. Various browser and proxy filters scour HTTP URLs, looking for anything malicious or out-of-the-ordinary. Furthermore, network-based defenses, including IDS and IPS tools, analyze HTTP traffic flows for exploits and malware. In many enterprise organizations, however, humble little FTP gets much less scrutiny.
Further compounding the problem, pretty much every browser has built-in FTP client capabilities invoked at the simple click of a link. Just by opening this link, ftp://10.10.10.10/test.html, for example, IE, Firefox and Mozilla browsers will dutifully fetch the test.html file, render its HTML and run any of its scripts (based on the browser's script configuration settings). So, to answer your question directly, FTP links can indeed be more effective in phishing emails because they receive less scrutiny from most organizations. Make sure to carefully inspect FTP URLs, or even block FTP access, if it is not required in your organization.
More information:Learn how cybersquatters and phishers sharpened their tactics just in time for the holiday season.
Ed Skoudis reviews fast-flux botnet tactics and explains how to conduct an investigation of the advanced phishing technique.
This was first published in January 2008