Educause Security Discussion mailing list archives

Re: Recent Phishing Uptick (watch list of web hosting sites and Cisco Ironport rule for warning insertion)


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 20 Feb 2014 17:11:29 +0000

 Paul Chauvet [chauvetp () NEWPALTZ EDU] asked:
P.S.  Would you be willing to share (on-list or off-list) a list of the URLs of these hosting services that you use 
this for?

Actually, I already did.  ;-)  See the link included in our warning message:
     https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/
It includes contact information to report abuse to each service provider.   I'd be glad to hear of others we haven't 
detected yet here.

As for the rule in our Cisco Ironports, in summary it goes like this:
   In our Cisco IronPort C670 Email Security Appliance

  1.  Go to the "Mail Policies" menu and select "Text Resources" (way down at the bottom)
  2.  Create a text resource (which I called "phishing_form") - of type "Disclaimer Template"
  3.  Enter the warning you want to appear, remembering that you can use "$MatchedContent" to include the string you 
detected in the message
  4.  "Submit" to save.
  5.  Now go back to the "Mail Policies" menu and select "Incoming Content Filters"
  6.  Add a filter (which I called "phish_forms") that has two conditions:
     *   Message Size - I chose a rule of body-size < 12000 to skip over the big messages that phishers don't send
     *   Message Body or Attachment - build a regex match rule which consists of a bunch of "or" entries for all the 
web hosting sites in your watch list.  (wait for it)
  7.  Add two actions for the filter:
     *   Add Disclaimer Text - add that text resource you made above "phishing_form" to the top of the message body
     *   Send Copy (Bcc:) - to some monitoring address so you can see how the rule is behaving  (this may be a 
temporary action for debugging or a permanent one for reporting/blacklisting)
  8.  "Submit" this and then "Confirm Changes" to deploy it all
  9.  What is my watch list "or" rule?  Build your rule in steps.  One typo and you are screwed. This is mine:

body-contains("(\\.0ad\\.info|\\.1eko\\.com|\\.adobeformscentral\\.com/|\\.atwebpages\\.com|\\.bravesites\\.com|\\.byethost\\.com|\\.coffeecup\\.com/forms/|\\.dasfree\\.com|\\.formbuddy\\.com/cgi-bin/formdisp\\.pl|\\.formees\\.com|\\.formoid\\.com|\\.formpl\\.us/form/|\\.hostingsiteforfree\\.com|\\.i-m\\.co/|\\.jigsy\\.com|\\.jimdo\\.com|forms\\.logiforms\\.com/formdata/|\\.mooform\\.com/form/|\\.noads\\.us|\\.pandaform\\.com|pastehtml\\.com|\\.phpforms\\.net|\\.the\\-webmail\\.com/|\\.tripod\\.com/|\\.twomini\\.com|\\.ucoz\\.|/use/.+/form1\\.htm|\\.webs\\.com/|\\.websitewizard\\.com|\\.yolasite\\.com|\\.zohosites\\.com/)", 1)
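As an added illustration (not part of Bob's post or of any Cisco tooling), the following Python script emulates the phish_forms filter offline so the watch list can be tested before it is deployed: each entry is compiled on its own to localize a typo, and constructed sample bodies are run through the body-size cut-off, the regex, and a hypothetical $MatchedContent disclaimer.

```python
import re

# Watch-list entries copied from the body-contains() rule above, one per entry so a
# typo in any single entry can be located. The rule as posted doubles each
# backslash inside its quoted string; in Python raw strings a single one suffices.
ALTERNATIVES = [
    r"\.0ad\.info", r"\.1eko\.com", r"\.adobeformscentral\.com/", r"\.atwebpages\.com",
    r"\.bravesites\.com", r"\.byethost\.com", r"\.coffeecup\.com/forms/", r"\.dasfree\.com",
    r"\.formbuddy\.com/cgi-bin/formdisp\.pl", r"\.formees\.com", r"\.formoid\.com",
    r"\.formpl\.us/form/", r"\.hostingsiteforfree\.com", r"\.i-m\.co/", r"\.jigsy\.com",
    r"\.jimdo\.com", r"forms\.logiforms\.com/formdata/", r"\.mooform\.com/form/",
    r"\.noads\.us", r"\.pandaform\.com", r"pastehtml\.com", r"\.phpforms\.net",
    r"\.the\-webmail\.com/", r"\.tripod\.com/", r"\.twomini\.com", r"\.ucoz\.",
    r"/use/.+/form1\.htm", r"\.webs\.com/", r"\.websitewizard\.com", r"\.yolasite\.com",
    r"\.zohosites\.com/",
]
MAX_BODY_SIZE = 12000  # the "body-size < 12000" condition from step 6
# Hypothetical disclaimer text; $MatchedContent is the IronPort variable named in step 3.
WARNING = ("*** CAUTION: this message links to $MatchedContent, a free form/hosting "
           "service frequently abused by phishers. Do not enter your password there. ***\n\n")


def validate_watch_list():
    """Compile each entry on its own; returns the entries that are not valid regexes."""
    bad = []
    for entry in ALTERNATIVES:
        try:
            re.compile(entry)
        except re.error:
            bad.append(entry)
    return bad


# Combined pattern, equivalent to the "or" rule in the posted filter.
WATCH_LIST = re.compile("(" + "|".join(ALTERNATIVES) + ")")


def filter_message(body):
    """Emulate the phish_forms filter: return (body as delivered, matched string or None)."""
    if len(body.encode("utf-8")) >= MAX_BODY_SIZE:
        return body, None  # large messages skip the regex, as in the posted rule
    m = WATCH_LIST.search(body)
    if m is None:
        return body, None
    return WARNING.replace("$MatchedContent", m.group(0)) + body, m.group(0)


# Constructed sample bodies, not real messages.
SAMPLES = {
    "quota_phish": "Your mailbox is over quota. Re-validate at http://helpdesk-usu.yolasite.com/ today.",
    "php_form": "Please confirm your payroll details: http://compromised-blog.test/use/hr/form1.htm",
    "clean": "Agenda for Thursday's meeting is attached. See you at 2pm.",
}
```

Run `filter_message()` over a Bcc: mailbox of real hits to confirm that `$MatchedContent` shows the substring you expect before adding a new entry to the production filter.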


Lately the most common hits here have been:  yolasite, jimdo, webs, i-m, tripod, jigsy, bravesites, the-webmail, and 
websitewizard.


BTW, the one I highlighted in green attempts to find links to hacked PHPformgenerator forms on any host.


Good luck to all of us and a pox on phishing spammers!


Bob Bayn         SER 301         (435)797-2396       IT Security Team
Office of Information Technology,                   Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

