Cloned Web Content Tracing
The most successful phishing scams involve building a website that is virtually identical to that of the targeted organisation. Most of the content is usually cloned from the original legitimate website. A recent paper discusses measures that can be taken to help identify the source of the cloned content for fraud investigations.
Companies with well-known brands have always had to battle to maintain their trademarks and brands in the physical world. Here's a takeaway shop using the London Underground logo:
But what about the online world? How do you identify the person who stole your assets including designs and content? Farmers have been long-term users of tagging and tattooing to track animal movements, record health information or even to help find the mother for a lost lamb at this time of the year.
There are even proposals to use electronic ID tags for sheep. But web application content can't be tagged physically in the same way.
Gunter Ollmann's paper Anti-Fraud Image Solutions reviews the subject, and outlines and compares the techniques and limitations of adding traceable markers to web application content. These include steganography, watermarking, image metadata, mosaic layouts, semagrams, file names and hidden graphics. If you are lucky, the marker will be identifiable in the cloned phishing site, giving information on the possible source.
Gunter reminds us that no technique is infallible and the identification of the source of the cloned site by no means indicates the true perpetrator.
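To make the image metadata technique concrete, here is an added example (not code from the paper or from this post) that tags a PNG with a marker and later recovers it from a copy found on a cloned site. The per-request marker id, the HMAC key, the `Comment` keyword and the request log are all assumptions made for the illustration.

```python
import hashlib, hmac, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY = b"constructed-demo-key"   # assumption: secret known only to the site owner
# Constructed request log: marker id -> who was served that copy of the image
REQUEST_LOG = {"r-000042": {"ip": "203.0.113.7", "time": "2009-05-12T08:14:00Z"}}

def chunk(ctype, data):
    """One PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def sample_png():
    """Constructed 1x1 greyscale PNG standing in for a brand image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def make_token(record_id):
    """Marker = record id + truncated HMAC, so forged markers can be rejected."""
    tag = hmac.new(KEY, record_id, hashlib.sha256).hexdigest()[:16].encode()
    return record_id + b"." + tag

def tag_png(png, record_id):
    """Insert the marker as a tEXt metadata chunk directly after IHDR."""
    ihdr_end = len(PNG_SIG) + 25          # IHDR chunk is always 25 bytes
    text = chunk(b"tEXt", b"Comment\x00" + make_token(record_id.encode("ascii")))
    return png[:ihdr_end] + text + png[ihdr_end:]

def extract_record_id(png):
    """Return the verified marker id found in a suspect image, else None."""
    if not png.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and data.startswith(b"Comment\x00"):
            token = data[len(b"Comment\x00"):]
            record_id = token.rpartition(b".")[0]
            if record_id and hmac.compare_digest(make_token(record_id), token):
                return record_id.decode("ascii", "replace")
        pos += 12 + length
    return None

def trace(png):
    """Map an image recovered from a cloned site back to the logged request."""
    return REQUEST_LOG.get(extract_record_id(png))
```

A metadata marker like this one is lost as soon as the image is re-encoded or its ancillary chunks are stripped, which is one reason it is only one of several techniques listed.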
This type of tracing may also be useful for marking non-production, archived or backup web application source code and media, to assist with leak source identification. In this scenario, the thief (or accident-prone employee) does not necessarily have the goal of reproducing the original website and therefore the perpetrators may not be looking for hidden tracers to remove.
Posted on: 12 May 2009 at 08:14 hrs
