... mad about email, sane about security ...
Phishing and Scam Signatures for ClamAV

PhishBar: EXPERIMENTAL: updated: 12.07.08

I was talking with someone about a month ago who ran a few small hosted websites, and they asked whether, using ClamAV, there was a way of seeing if any of their users had phishing sites stored in their home directories/user space.

Here's the result (maybe): PhishBar!

PhishBar is a standalone ClamAV database in .hdb (MD5 hash signature) format containing signatures for both:

a) known *genuine* banking jpg/gif/png files;
b) known fraudulent banking jpg/gif/png files.

Using this standalone database you scan your users' home areas; the idea is that "most" users shouldn't have banking files/graphics in their user areas at all, so any hit is worth a look.

Now, the most important bit: phishbar.hdb should NOT be put in the ClamAV main database directory (the DatabaseDirectory configured in clamd.conf and freshclam.conf), because you don't want your email being scanned with it; otherwise every single PayPal/eBay/bank email will be detected as a virus/fraud, even when it's a genuine one. Keep it in its own directory and point clamscan at it explicitly.

So, in order to scan your users' webspace for banking sites, use a command like this for a "one-off" scan. With --database pointing at the single file, clamscan loads only the PhishBar signatures and none of the normal ClamAV databases:

Example use of the standalone database:
clamscan /home/users --recursive --infected --database=phishbar.hdb

Example Output:
c:\phishgfx/submit.gif: Sanesecurity_PhishBar_submit.gif FOUND
c:\phishgfx/tips.jpg: Sanesecurity_PhishBar_tips.jpg FOUND

If any user has a matching banking graphic in their area, you can then go off and take a look... and see if there's a bank fraud problem, or whether the user has simply copied the PayPal logo (for example) into their directory to put on their website. Note that .hdb signatures are whole-file MD5 hashes, so only byte-identical copies of the known graphics are detected; a logo that has been re-saved or resized will not match.
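To make the detection logic concrete, here is an added example (not Sanesecurity's own tooling, and not code from the original page) that builds a small .hdb from a set of "known" graphics and scans a user tree against it. It assumes the ClamAV .hdb line format MD5:FileSize:SignatureName, one signature per line, and re-implements that match (whole-file MD5 plus exact size) in Python so it runs without clamscan installed; the sample graphics and the user directory layout are constructed, and /var/lib/clamav is only an assumed default for the main database directory. In production you run the clamscan command above; this shows what that command actually matches on, and why an altered copy of a logo is missed.

```python
"""Build a standalone ClamAV .hdb from known banking graphics and scan a
directory tree against it.

Added example, not Sanesecurity's own tooling.  Assumes the ClamAV .hdb
line format  MD5:FileSize:SignatureName  (one signature per line);
scan_tree() re-implements that match (whole-file MD5 plus exact size) so
the example runs without clamscan.  Sample data below is constructed.
"""
import hashlib
import os
import tempfile

SIG_PREFIX = "Sanesecurity_PhishBar_"   # naming convention from the page's output


def hdb_entry_bytes(data, name):
    """Return the .hdb line for file contents `data` (same shape as `sigtool --md5`)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_entry(path, name):
    with open(path, "rb") as fh:
        return hdb_entry_bytes(fh.read(), name)


def build_hdb(known_files, out_path):
    """Write an .hdb for a mapping {path: signature name}; returns out_path."""
    with open(out_path, "w") as fh:
        for path, name in known_files.items():
            fh.write(hdb_entry(path, name) + "\n")
    return out_path


def load_hdb(hdb_path):
    """Parse an .hdb into {(md5, size): name}; blank and '#' lines are skipped."""
    sigs = {}
    with open(hdb_path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            md5, size, name = line.split(":", 2)
            sigs[(md5.lower(), int(size))] = name
    return sigs


def scan_tree(root, hdb_path):
    """Return [(path, name)] for every file under root whose size and MD5
    match a signature.  Size is checked first so unrelated files are not hashed."""
    sigs = load_hdb(hdb_path)
    sizes = {size for _, size in sigs}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            p = os.path.join(dirpath, fn)
            size = os.path.getsize(p)
            if size not in sizes:
                continue
            with open(p, "rb") as fh:
                md5 = hashlib.md5(fh.read()).hexdigest()
            name = sigs.get((md5, size))
            if name:
                hits.append((p, name))
    return hits


def in_main_db_dir(hdb_path, db_dir="/var/lib/clamav"):
    """True if the .hdb sits in ClamAV's main database directory, where every
    daemon/mail scan would load it (the mistake the page warns about).
    /var/lib/clamav is an assumed default; check DatabaseDirectory in clamd.conf."""
    return os.path.dirname(os.path.abspath(hdb_path)) == os.path.abspath(db_dir)


def demo():
    """Constructed sample: two 'known' graphics, and a user's web space holding
    an exact copy of one and a one-byte-altered copy of the other."""
    base = tempfile.mkdtemp(prefix="phishbar_")
    known = os.path.join(base, "known")
    web = os.path.join(base, "users", "alice", "public_html")
    os.makedirs(known)
    os.makedirs(web)
    # Not real bank graphics: a GIF header and a JPEG SOI marker plus filler.
    submit = b"GIF89a" + b"\x00" * 120
    tips = b"\xff\xd8\xff\xe0" + b"\x11" * 300
    for fn, data in (("submit.gif", submit), ("tips.jpg", tips)):
        with open(os.path.join(known, fn), "wb") as fh:
            fh.write(data)
    hdb = build_hdb({os.path.join(known, fn): SIG_PREFIX + fn
                     for fn in ("submit.gif", "tips.jpg")},
                    os.path.join(base, "phishbar.hdb"))
    with open(os.path.join(web, "submit.gif"), "wb") as fh:
        fh.write(submit)                       # exact copy: matches
    with open(os.path.join(web, "tips.jpg"), "wb") as fh:
        fh.write(tips[:-1] + b"\x12")          # altered/re-saved: MD5 differs, no match
    hits = scan_tree(os.path.join(base, "users"), hdb)
    for path, name in hits:
        print(f"{path}: {name} FOUND")         # same shape as clamscan --infected output
    return [name for _, name in hits]


if __name__ == "__main__":
    demo()
```

Running it reports only alice's exact copy of submit.gif; the altered tips.jpg is silently missed, which is the limitation of hash signatures you should keep in mind when reading a clean result. The in_main_db_dir() check is the test to run before deploying: if it returns True for your phishbar.hdb, move the file out before the next clamd or freshclam reload.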

Use the following link to manually download the gzipped phishbar.hdb.

You are advised not to create scripts to automate this process, as the status of this PhishBar project is still experimental:

Manual Download (Linux): SaneSecurity PhishBar Signatures (right-click the link, Save As)

Disclaimer:

Whilst every effort has been made by Sanesecurity to ensure that the signatures don't lead to false positives, we make no warranty that the signatures will meet your requirements, be uninterrupted, complete, timely, secure or error free. You must therefore use them at your own risk.


Commercial use: You can use the SaneSecurity signatures free of charge in commercial products. However, it would be appreciated if you sent an email with the name of your company and the product the signatures are being used in.

If you feel that you would like to give a donation for your use of these signatures,
or just because you want to support us, please consider making a donation

ClamAV is a registered trademark of Sourcefire, Inc.
 
© sanesecurity.com. All Rights Reserved.