Educause Security Discussion mailing list archives
Re: FYI: Another round of spear Phishing
From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Thu, 12 Jun 2008 10:32:10 -0400
Clyde,

I think a few of us share your pain. Search the archives for some good suggestions, the topic has come up a couple times this year. In general there hasn't been a really good answer to how to handle these problems since we can't effectively block the phishing attacks.

Matt's suggestion for blocking the DNS name is a good one and it's something I do here. Also, take a look at malwaredomains.com for a good list of "bad" domains. I've been testing that here. Only problem so far is a small number of false positives, plus advertising sites getting blocked. I think opendns.com runs a similar service.

I wouldn't feel too bad that you haven't been able to stop the email phishing responses. The response rate here varies from campaign to campaign, but in general user education efforts have been ineffective. The only thing I've found effective is directly emailing folks who respond. I've yet to see anyone respond twice, but it would be nice if people paid attention to the mass mails instead of just the individual ones.

As far as the email phishing attacks, there have been a few suggestions on how to mitigate this:

1) Automated checking of mail queues for large influxes of outgoing mail. Indicates an account compromise.... or college email campaign.

2) Install an outbound phishing filter. This won't block outgoing spam as much as you'd like, but it will have good features for blocking email recipients, which you use to block the return address as soon as you see a phishing attack. You can also search for people who have replied to a phishing attack and force them to change their passwords. I think you can do these things directly on the mail server if you don't have funds to purchase an outbound filter, but I found it easier technically and politically to just buy an outbound spam filter. Barracuda makes reasonably priced machines.

3) Direct emails to offenders. Most people don't respond to me when I send them a message informing them they fell for a scam, but I've yet to see anyone do it twice.

4) If we see a particularly clever email that's getting lots of responses, we'll send out an email alert telling people not to respond. That helps some, but sometimes I think it mostly makes the HelpDesk feel better.

5) Switch to google mail and let it be someone else's problem =)

The biggest problem for me is we have students who forward their mail and then respond to these attacks from their gmail or hotmail accounts. From there I can't tell if they've responded, so I have to wait to detect those when they start getting used to send spam.

HTH,
Zach
Clearly I and my team haven't been effective. I need fresh input. I would be interested in hearing your strategies to Prevent, Detect and Respond to these Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
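Suggestions 1 and 2 in the message above (watching for large influxes of outgoing mail, and finding people who replied to a phishing address) can be run over mail logs; the following is an added example, not part of the original post. It assumes Postfix-style syslog lines, and the addresses, queue IDs, hourly threshold and the `analyze` helper are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix-style syslog format (an assumption; adapt the
# regexes to your MTA). Addresses, queue IDs and hosts are made up.
SAMPLE_LOG = """\
Jun 12 08:14:01 mx postfix/qmgr[811]: C0FFEE1: from=<carol@campus.example>, size=1803, nrcpt=1 (queue active)
Jun 12 08:14:02 mx postfix/smtp[902]: C0FFEE1: to=<webmail-support@phish.example>, relay=mx.phish.example[192.0.2.10]:25, delay=0.8, status=sent (250 OK)
Jun 12 09:00:01 mx postfix/qmgr[811]: A1B2C3D: from=<alice@campus.example>, size=2104, nrcpt=1 (queue active)
Jun 12 09:00:02 mx postfix/smtp[902]: A1B2C3D: to=<WebMail-Support@phish.example>, relay=mx.phish.example[192.0.2.10]:25, delay=0.9, status=sent (250 OK)
Jun 12 09:30:10 mx postfix/qmgr[811]: B0B0001: from=<bob@campus.example>, size=900, nrcpt=2 (queue active)
Jun 12 10:05:00 mx postfix/qmgr[811]: C0FFEE2: from=<carol@campus.example>, size=5120, nrcpt=50 (queue active)
Jun 12 10:06:00 mx postfix/qmgr[811]: C0FFEE3: from=<carol@campus.example>, size=5120, nrcpt=50 (queue active)
Jun 12 10:07:00 mx postfix/qmgr[811]: C0FFEE4: from=<carol@campus.example>, size=5120, nrcpt=50 (queue active)
Jun 12 10:20:00 mx postfix/qmgr[811]: 9EE5001: from=<news@campus.example>, size=8000, nrcpt=400 (queue active)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>.*\bnrcpt=(\d+)")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>.*\bstatus=sent\b")

def analyze(log_text, phish_addrs, local_domain, max_rcpts_per_hour, bulk_ok=()):
    """Return (responders, bursts): local users who mailed a known phishing
    reply address, and local senders over the hourly recipient threshold."""
    phish = {a.lower() for a in phish_addrs}
    sender_of = {}                 # queue ID -> envelope sender
    volume = defaultdict(int)      # (sender, "Mon DD HH") -> recipient count
    responders = set()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            qid, sender, nrcpt = m.group(1), m.group(2).lower(), int(m.group(3))
            sender_of[qid] = sender
            # bulk_ok holds approved campaign senders (the "college email
            # campaign" false positive mentioned in suggestion 1).
            if sender.endswith("@" + local_domain) and sender not in bulk_ok:
                volume[(sender, line[:9])] += nrcpt   # bucket by hour
            continue
        m = TO_RE.search(line)
        if m and m.group(2).lower() in phish and m.group(1) in sender_of:
            responders.add(sender_of[m.group(1)])
    bursts = {s for (s, _hour), n in volume.items() if n > max_rcpts_per_hour}
    return responders, bursts
```

The responders set is the list of accounts to contact directly and force a password change on; in the sample, carol appears in both sets, with the reply at 08:14 preceding the outbound burst in the 10:00 hour.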