Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 12 Jun 2008 10:32:10 -0400

Clyde,
I think a few of us share your pain. Search the archives for some good suggestions; the topic has come up a couple
times this year. In general there hasn't been a really good answer to how to handle these problems since we can't
effectively block the phishing attacks. Matt's suggestion for blocking the DNS name is a good one and it's something I
do here. Also, take a look at malwaredomains.com for a good list of "bad" domains. I've been testing that here. The only
problem so far is a small number of false positives, plus advertising sites getting blocked. I think opendns.com runs a
similar service.

I wouldn't feel too bad that you haven't been able to stop the email phishing responses. The response rate here varies 
from campaign to campaign, but in general user education efforts have been ineffective. The only thing I've found 
effective is directly emailing folks who respond. I've yet to see anyone respond twice, but it would be nice if people 
paid attention to the mass mails instead of just the individual ones. 

As far as the email phishing attacks there have been a few suggestions on how to mitigate this:
1) Automated checking of mail queues for large influxes of outgoing mail. Indicates an account compromise... or a
college email campaign.
2) Install an outbound phishing filter. This won't block outgoing spam as much as you'd like, but it will have good 
features for blocking email recipients, which you use to block the return address as soon as you see a phishing attack. 
You can also search for people who have replied to a phishing attack and force them to change their passwords. I think 
you can do these things directly on the mail server if you don't have funds to purchase an outbound filter, but I found 
it easier technically and politically to just buy an outbound spam filter. Barracuda makes reasonably priced machines. 
3) Direct emails to offenders. Most people don't respond to me when I send them a message informing them they fell for 
a scam, but I've yet to see anyone do it twice. 
4) If we see a particularly clever email that's getting lots of responses, we'll send out an email alert telling people 
not to respond. That helps some, but sometimes I think it mostly makes the HelpDesk feel better. 
5) Switch to google mail and let it be someone else's problem =)

The biggest problem for me is we have students who forward their mail and then respond to these attacks from their 
gmail or hotmail accounts. From there I can't tell if they've responded, so I have to wait to detect those when they 
start getting used to send spam. 

HTH,

Zach



Clearly I and my team haven't been effective. I need fresh input. I would be
interested in hearing your strategies to Prevent, Detect and Respond to these
Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
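A defender-side sketch of suggestions 1 and 2 above (flagging accounts with a sudden burst of outgoing recipients, and finding users who mailed a known phishing return address so their passwords can be reset), added here as an example and not code from this thread; the simplified log format, the addresses and the thresholds are constructed assumptions, so adapt the regex to your own MTA's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound-mail log lines in an assumed, simplified format:
# "<ISO timestamp> sender=<addr> rcpt=<comma-separated addrs>". Not real MTA output.
SAMPLE_LOG = """\
2008-06-12T09:00:01 sender=asmith@example.edu rcpt=jdoe@example.edu
2008-06-12T09:02:10 sender=bjones@example.edu rcpt=verify-acct@phish-example.test
2008-06-12T09:05:00 sender=asmith@example.edu rcpt=a1@mail.test,a2@mail.test,a3@mail.test
2008-06-12T09:06:30 sender=asmith@example.edu rcpt=a4@mail.test,a5@mail.test,a6@mail.test
2008-06-12T09:40:00 sender=asmith@example.edu rcpt=a7@mail.test
"""
LINE_RE = re.compile(r"^(\S+) sender=(\S+) rcpt=(\S+)$")

def parse_log(text):
    """Return (timestamp, sender, [recipients]) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2).lower(), [r.lower() for r in m.group(3).split(",")]))
    return events

def peak_recipients(events, window=timedelta(minutes=10)):
    """Per sender, the most recipients addressed within any sliding time window."""
    by_sender = defaultdict(list)
    for ts, sender, rcpts in sorted(events):
        by_sender[sender].append((ts, len(rcpts)))
    peaks = {}
    for sender, msgs in by_sender.items():
        start, running, best = 0, 0, 0
        for ts, n in msgs:
            running += n
            while ts - msgs[start][0] > window:  # slide the window start forward
                running -= msgs[start][1]
                start += 1
            best = max(best, running)
        peaks[sender] = best
    return peaks

def burst_senders(events, threshold=5, window=timedelta(minutes=10)):
    """Senders whose peak window count reaches the threshold: candidate compromised accounts."""
    return {s for s, n in peak_recipients(events, window).items() if n >= threshold}

def replied_to_phish(events, phish_addresses):
    """Senders who mailed a known phishing return address: candidates for a forced password reset."""
    bad = {a.lower() for a in phish_addresses}
    return {sender for _, sender, rcpts in events if bad.intersection(rcpts)}
```

Both checks only see mail that passes through the campus MTA, which is exactly the blind spot for students who forward to outside webmail and reply from there.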
