Educause Security Discussion mailing list archives
Re: FYI: Another round of spear Phishing
From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 12 Jun 2008 11:27:11 -0400
Zach, thanks for the suggestions. Your idea of blocking outbound recipients is a good idea. Because of the way our MTA is configured, I think I can assign any address to an internal account which will be checked before the message is then transferred to the appropriate outside SMTP server. If I create an account for this purpose, forward it to myself, and then add the reply addresses of these phishing e-mails to that account, I could intercept any replies. This assumes I know what the reply addresses are, so I would have to get word of the phishing attempt before others started replying.

We call the offenders. We lock their account until the mess is cleaned up and we have done an investigation (typically only an hour) and then we change their password and enable their account. We then call them and explain what happened, telling them not to set the password back to what it was.

These phishing attacks could be much worse. Right now mail reputations are going down the tube, but it could be our security reputation. Most organizations now have single sign-on to services, or users set their passwords the same between services. If someone from an administrative department such as financial aid gives out their account information to one of these attackers, the attacker could use the credentials to log in to their systems and gain access to SSNs and other confidential information. If it wasn't for the spam going out from these accounts triggering alarms, would many of us know that it had even happened until it was too late?
Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu <https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/>

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Zach Jansen
Sent: Thu 6/12/2008 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

Clyde,

I think a few of us share your pain. Search the archives for some good suggestions; the topic has come up a couple times this year. In general there hasn't been a really good answer to how to handle these problems since we can't effectively block the phishing attacks. Matt's suggestion for blocking the DNS name is a good one and it's something I do here. Also, take a look at malwaredomains.com for a good list of "bad" domains. I've been testing that here. Only problem so far is a small number of false positives, plus advertising sites getting blocked. I think opendns.com runs a similar service.

I wouldn't feel too bad that you haven't been able to stop the email phishing responses. The response rate here varies from campaign to campaign, but in general user education efforts have been ineffective. The only thing I've found effective is directly emailing folks who respond. I've yet to see anyone respond twice, but it would be nice if people paid attention to the mass mails instead of just the individual ones.

As far as the email phishing attacks, there have been a few suggestions on how to mitigate this:

1) Automated checking of mail queues for large influxes of outgoing mail. Indicates an account compromise.... or college email campaign.

2) Install an outbound phishing filter. This won't block outgoing spam as much as you'd like, but it will have good features for blocking email recipients, which you use to block the return address as soon as you see a phishing attack. You can also search for people who have replied to a phishing attack and force them to change their passwords. I think you can do these things directly on the mail server if you don't have funds to purchase an outbound filter, but I found it easier technically and politically to just buy an outbound spam filter. Barracuda makes reasonably priced machines.

3) Direct emails to offenders. Most people don't respond to me when I send them a message informing them they fell for a scam, but I've yet to see anyone do it twice.

4) If we see a particularly clever email that's getting lots of responses, we'll send out an email alert telling people not to respond. That helps some, but sometimes I think it mostly makes the HelpDesk feel better.

5) Switch to google mail and let it be someone else's problem =)

The biggest problem for me is we have students who forward their mail and then respond to these attacks from their gmail or hotmail accounts. From there I can't tell if they've responded, so I have to wait to detect those when they start getting used to send spam.

HTH,
Zach
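Two of the detections discussed in this thread (Zach's item 1, watching outbound mail for a sudden burst from one account, and the idea shared by Matt and Zach of finding users who wrote to a known phishing reply address) can be run over an MTA's outbound log. The script below is an added illustration written for this archive page, not code from either poster or from any mail product. It assumes a simplified, constructed log format (one line per recipient: ISO timestamp, `from=<...>`, `to=<...>`), a constructed set of phishing reply addresses, and sample log lines built inline; a real deployment would swap in the parser for its own MTA's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real MTA). The line format is an
# assumption of this example: one line per recipient, ISO timestamp, then
# from=<sender> and to=<recipient>, as an MTA might record a queued message.
_BASE = datetime(2008, 6, 12, 10, 0, 0)
_LINES = [
    # ordinary traffic from a normal account
    f"{(_BASE + timedelta(seconds=5)).isoformat()} from=<alice@example.edu> to=<bob@example.edu>",
    f"{(_BASE + timedelta(minutes=3)).isoformat()} from=<alice@example.edu> to=<carol@example.edu>",
    # a user answering the phishing message's reply address
    f"{(_BASE + timedelta(minutes=1)).isoformat()} from=<student1@example.edu> to=<helpdesk-verify@webmail-reply.test>",
]
# a compromised account queuing 40 outside recipients in about two minutes
for i in range(40):
    ts = _BASE + timedelta(minutes=10, seconds=3 * i)
    _LINES.append(f"{ts.isoformat()} from=<student2@example.edu> to=<target{i}@mailhost.test>")
SAMPLE_LOG = "\n".join(_LINES)

# Reply addresses harvested from reported phishing messages (constructed value).
PHISH_REPLY_ADDRESSES = {"helpdesk-verify@webmail-reply.test"}

_LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]*)>$")


def parse_log(text):
    """Return a list of (timestamp, sender, recipient); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3).lower()))
    return events


def find_bulk_senders(events, window=timedelta(minutes=10), threshold=30):
    """Return {sender: peak count} for every sender whose outbound message count
    inside some sliding window of length `window` exceeds `threshold`.
    A legitimate campus mailing will trip this too, so treat it as a lead, not proof."""
    by_sender = defaultdict(list)
    for ts, sender, _ in events:
        by_sender[sender].append(ts)
    flagged = {}
    for sender, stamps in by_sender.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits within `window` of this message
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[sender] = peak
    return flagged


def find_phish_responders(events, reply_addresses):
    """Return the set of local senders who mailed a known phishing reply address;
    these are the accounts whose passwords should be reset first."""
    reply_addresses = {a.lower() for a in reply_addresses}
    return {sender for _, sender, rcpt in events if rcpt in reply_addresses}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("bulk senders:", find_bulk_senders(ev))
    print("phish responders:", sorted(find_phish_responders(ev, PHISH_REPLY_ADDRESSES)))
```

The burst check uses a sliding window rather than a per-hour bucket so that a spike straddling a bucket boundary is not halved and missed; the threshold and window are deliberately parameters, because the right values depend on how much legitimate bulk mail a campus sends. The reply-address check only works for users who replied through the institution's own MTA, which is exactly the blind spot Zach describes for students who forward mail and reply from an outside webmail account.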
Current thread:
- FYI: Another round of spear Phishing Clyde Hoadley (Jun 11)
- <Possible follow-ups>
- Re: FYI: Another round of spear Phishing Jenkins, Matthew (Jun 11)
- Re: FYI: Another round of spear Phishing Paul Kendall (Jun 11)
- Re: FYI: Another round of spear Phishing Jenkins, Matthew (Jun 11)
- Re: FYI: Another round of spear Phishing STEVE MAGRIBY (Jun 12)
- Re: FYI: Another round of spear Phishing Zach Jansen (Jun 12)
- Re: FYI: Another round of spear Phishing Basgen, Brian (Jun 12)
- Re: FYI: Another round of spear Phishing Bob Bayn (Jun 12)
- Re: FYI: Another round of spear Phishing Gregg, Christopher S. (Jun 12)
- Re: FYI: Another round of spear Phishing Koerber, Jeff (Jun 12)
- Re: FYI: Another round of spear Phishing Jenkins, Matthew (Jun 12)
- Re: FYI: Another round of spear Phishing Paul Russell (Jun 12)
- Re: FYI: Another round of spear Phishing Robin Polak (Jun 17)
- Re: FYI: Another round of spear Phishing ram smith (Jun 17)
- Re: FYI: Another round of spear Phishing Gary Warner (Jun 17)
- Re: FYI: Another round of spear Phishing Cal Frye (Jun 18)
- Re: FYI: Another round of spear Phishing Matthew Gracie (Jun 19)
- Re: FYI: Another round of spear Phishing Cal Frye (Jun 19)
- Re: FYI: Another round of spear Phishing Dean Halter (Jun 19)
- Re: FYI: Another round of spear Phishing Bob Bayn (Jun 19)
- Re: FYI: Another round of spear Phishing Curt Wilson (Jun 19)
(Thread continues...)