<div dir="ltr"><div>Sounds more like an addon to me. Also, sometimes websites use CDNs to workaround the max parallel download limit per domain that would trigger the heuristic as their URLs tend to be quite similar.<br><br>
</div>Regards,<br><br>Hernán<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 6, 2014 at 12:38 PM, David G <span dir="ltr"><<a href="mailto:davidg@kixeye.com" target="_blank">davidg@kixeye.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>A phishing email message was recently sent to many people where I work, requesting people change their password on one of our internal services. The "bait-and-switch" was somewhat cleverly crafted. The visible text of the link correctly named one of our services: (e.g.) "<a href="http://service.hostname.abclxyz.com" target="_blank">service.hostname.abclxyz.com</a>", however the link actually sent users to "<a href="http://service.hostname.abc1xyz.com" target="_blank">service.hostname.abc1xyz.com</a>". For safety, I've not used the real names of our internal system, these two are made up examples, but they do demonstrate the problem. The hostnames are almost identical: a letter 'l' has changed to a number '1'. The malicious target was then crafted to look exactly like our internal system.<br>
<br></div><div>Would it be possible to include a heuristic that spots things like this. What comes to mind is the same algorithm as the file comparison tool diff(1), but acting on individual letters. If the two strings, visible text and hostname, have fewer than (say) 5% differences, flag the link as suspicious.<br>
</div></div>
<br>_______________________________________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank">https://mail.mozilla.org/listinfo/firefox-dev</a><br>
<br></blockquote></div><br></div>