Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks


From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 14 Nov 2012 22:24:15 +0000

At Utah State U, we have invested a considerable effort in a "Be an Internet Skeptic" campaign which has a significant 
focus on phishing.  As a result, I have a growing cadre of "Internet Skeptics" who send me any obvious or suspiciously 
hazardous email so that I can investigate and, if appropriate, send a follow-up warning spam to all the recipients.  I 
also submit abuse notices to the sending host site and link host sites, and may locally DNS blacklist the link host.

I guess the unspoken flip side of "Be an Internet Skeptic" is something like "Don't be Gullible (or worse)".  We try 
to encourage good behavior rather than discipline poor behavior with this campaign.  This effort and the follow-up 
messages have raised awareness broadly so that we don't have too many victims.  That's good because we haven't set up 
any reliable detection schemes for sudden massive outbound spam.  But every new social engineering strategy needs the 
explanatory alert messages to be sent to keep recipients well informed.

When we do detect active spamming, we first try to contact the user for an immediate password change.  Failing that, we 
disable the account.  But that only happens about once a year.

Fortunately, we haven't had any OWA clone targeted phish, but we did have one Google spreadsheet form that said it was 
"Usu(sic) Webmail Login".

Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password
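Bob mentions that his campus has no reliable detection for "sudden massive outbound spam" from a compromised account. The following is an added example, not code from either poster or their institutions, of the simplest useful form of such a check: a sliding-window count of recipients per sender over outbound mail log lines. The log format and the sample lines are constructed for the example and do not correspond to any particular mail server's log; the window and threshold values are arbitrary assumptions.

```python
"""Outbound-burst detector over constructed mail log lines.

Added example (not part of the original thread): flags a sender whose
recipient total within any 10-minute sliding window reaches a threshold,
the pattern a freshly compromised webmail account tends to produce.
The log format below is constructed for this example only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log lines: one outbound submission per line.
# carol@example.edu is the (hypothetical) compromised account.
SAMPLE_LOG = """\
2012-11-14T13:00:01 sender=alice@example.edu rcpt_count=1
2012-11-14T13:01:10 sender=bob@example.edu rcpt_count=2
2012-11-14T13:02:30 sender=alice@example.edu rcpt_count=1
2012-11-14T13:05:00 sender=carol@example.edu rcpt_count=180
2012-11-14T13:05:20 sender=carol@example.edu rcpt_count=175
2012-11-14T13:06:05 sender=carol@example.edu rcpt_count=190
2012-11-14T13:20:00 sender=alice@example.edu rcpt_count=3
2012-11-14T14:30:00 sender=carol@example.edu rcpt_count=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+sender=(?P<sender>\S+)\s+rcpt_count=(?P<n>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line; return (timestamp, sender, count) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["sender"], int(m["n"]))


def find_bursts(lines, window=timedelta(minutes=10), threshold=200):
    """Return {sender: (window_start, recipients_in_window)} for every sender
    whose recipient total inside a sliding window first reaches `threshold`.

    Lines are assumed to be in chronological order. Each sender keeps a
    deque of (timestamp, count) entries no older than `window`.
    """
    windows = defaultdict(deque)   # sender -> deque of (ts, rcpt_count)
    totals = defaultdict(int)      # sender -> recipients currently in window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:            # skip malformed lines rather than crash
            continue
        ts, sender, n = rec
        q = windows[sender]
        q.append((ts, n))
        totals[sender] += n
        # Evict entries that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old_n = q.popleft()
            totals[sender] -= old_n
        if totals[sender] >= threshold and sender not in alerts:
            alerts[sender] = (q[0][0], totals[sender])
    return alerts


def main():
    for sender, (start, count) in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {sender}: {count} recipients within 10 min starting {start}")


if __name__ == "__main__":
    main()
```

A fixed threshold is the crude version; in practice a per-account baseline (the sender's usual recipients per hour) catches low-volume accounts that suddenly send a few hundred messages while leaving legitimate list owners alone. The alert is the trigger for the response Bob describes: contact the user for an immediate password change, and disable the account if that fails.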
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Christopher 
Jones [Christopher.Jones () UFV CA]
Sent: Wednesday, November 14, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mitigating Phishing Attacks

We have experienced a number of targeted phishing attacks recently.  Because the most recent phish led its victims to 
provide their network credentials via a realistic looking OWA logon page, we took the following steps to deal with some 
resultant compromised accounts:


· immediately reset the passwords for the affected accounts,
· restarted the IIS service to stop any active webmail sessions,
· alerted the user community.


It got me to wondering how other institutions deal with similar situations where user accounts have been compromised.  
If anyone would care to share, I would be interested in how you have handled similar situations. It would be useful to 
know your top 3 strategies for preventing and mitigating such occurrences.  Thanks.


Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca