Wednesday, May 14, 2008

Click Crime

I seldom write about articles that I read, preferring to share them in my Google Reader or put the link in my Twitter. But I'll make an exception here:

Mark Rasch gives a very good description of "criminal honeypots" and some of their possible implications worldwide if implemented on a larger scale. The difference between setting up a trap and entrapment is also discussed.

From the web application security perspective, it would be possible to frame someone else not only by using social engineering, but also with attacks like these:

  1. Create JavaScript code on a site that you control that exploits CSRF weaknesses in the criminal honeypot. Wait for the target to access your site and "click" the link automatically.
  2. Create a site that's linked to your target somehow, and get many, many people to click on the link (to the criminal honeypot) that you put on the site. The FBI sees the referrals from that site, and traces them to your victim.
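
Seen from the honeypot operator's side, both scenarios leave the same trace: hits whose Referer points at a third-party page rather than at the honeypot itself. The sketch below is an added example, not code from Rasch's article or from this post, and triages access-log lines on that basis; the hostname, path, threshold and log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

HONEYPOT_HOST = "honeypot.example"  # assumed hostname of the bait site
FANOUT_THRESHOLD = 3                # assumed: distinct clients sent by one referrer

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation IP ranges, example domains).
SAMPLE_LOG = """\
192.0.2.10 - - [14/May/2008:10:00:01 +0000] "GET /bait HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [14/May/2008:10:00:05 +0000] "GET /bait HTTP/1.1" 200 512 "http://honeypot.example/index.html" "Mozilla/5.0"
198.51.100.1 - - [14/May/2008:10:01:00 +0000] "GET /bait HTTP/1.1" 200 512 "http://blog.example/post" "Mozilla/5.0"
198.51.100.2 - - [14/May/2008:10:01:02 +0000] "GET /bait HTTP/1.1" 200 512 "http://blog.example/post" "Mozilla/5.0"
198.51.100.3 - - [14/May/2008:10:01:03 +0000] "GET /bait HTTP/1.1" 200 512 "http://blog.example/post" "Mozilla/5.0"
203.0.113.7 - - [14/May/2008:10:02:00 +0000] "GET /bait HTTP/1.1" 200 512 "http://other.example/" "Mozilla/5.0"
"""

def classify(referer):
    """Return (kind, referrer_host). Referer is a hint only: it can be absent or stripped."""
    if referer in ("", "-"):
        return "no-referer", None
    host = (urlsplit(referer).hostname or "").lower()
    if host == HONEYPOT_HOST:
        return "same-site", host
    return "cross-site", host  # request was triggered from a third-party page

def triage(log_text):
    """Classify each hit and list referrer hosts that drove many distinct clients."""
    hits = []
    clients_by_referrer = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        kind, host = classify(m["referer"])
        hits.append((m["ip"], kind, host))
        if kind == "cross-site":
            clients_by_referrer[host].add(m["ip"])
    # One outside page sending many different clients matches the second scenario.
    fanout = {h for h, ips in clients_by_referrer.items()
              if len(ips) >= FANOUT_THRESHOLD}
    return hits, fanout
```

A cross-site hit shows that some page caused the browser to make the request, not that the person behind the IP chose to visit, so such entries call for corroboration before they are treated as evidence of intent.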

