Educause Security Discussion mailing list archives
Re: Recent Phishing Uptick
From: David Curry <david.curry () NEWSCHOOL EDU>
Date: Thu, 20 Feb 2014 13:56:51 -0500
Joel, I have not yet figured that out; I only see SAML as well. I have a suspicion that only web-based logins (and not POP/IMAP, etc.) are being recorded here, although I have not yet found a documented answer one way or the other.

--Dave

--
DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
+1 212 229-5300 x4728 * david.curry () newschool edu

On Thu, Feb 20, 2014 at 12:49 PM, Joel L. Rosenblatt <joel () columbia edu> wrote:
Hi David,

I have been looking at our login reports and I only see SAML logins:

    "name": "login_type", "value": "saml"

I am much more interested in the password logins - how do you get a report of those?

Thank you,
Joel Rosenblatt

Joel Rosenblatt, Director Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
Public PGP key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3

On Wed, Feb 19, 2014 at 8:15 PM, David Curry <david.curry () newschool edu> wrote:

We are also a Google Apps school. Starting in mid-November and increasing until now (it's occurring two or three times a week), users in our domain have been receiving phishing emails sent by other user accounts within our domain. The attempts are all pretty rudimentary: "your email is over quota," "security upgrades mean you need to confirm your information," etc., with a link to a form on some free web hosting site (yolasite or other). No logos or other trickiness, just plain text written by folks with varying degrees of English proficiency. The content is not what has us concerned, the volume is. We've had nearly two dozen of them (different senders) since the first of this year.

What's been confusing us is that every single one of these appears to have been sent directly from Google, i.e., the sender was logged into the Gmail account. They were not sent from outside our domain, or dumped in via some open relay. This seems to be confirmed by the fact that, with two exceptions, each compromised account has sent one, and only one, phishing email--we're guessing this is because as soon as we receive a phishing email, we try to contact the owner of the account and have him/her change his/her password. The only two exceptions were people we were not able to contact quickly. Sometimes Google beats us to it and disables the accounts for sending spam, but not always.
Just this week, I started looking at the Google Admin Reporting SDK, which lets you retrieve, among other things, a login history for an account, including IP address, AND whether or not Google called it a "suspicious" login. It's not completely clear what "suspicious" means, but it seems they will flag it if you login from an unfamiliar IP range, or two widely separated geographic areas in a short time.

If you'd like to try this on your domain:

1. Sign in to your domain with an account that has Super Admin privileges.
2. Enable the Admin Reporting API on your domain if you haven't already.
3. Visit Google's API Explorer (https://developers.google.com/apis-explorer/#p/admin/reports_v1/).
4. Click on "reports.activities.list".
5. At the top right of the page, click the "off" switch to "on" to authenticate via OAuth 2.0.
6. Put a user email address in the 'userKey' field (e.g., user () yourdomain edu).
7. Put 'login' in the 'applicationName' field.
8. Click 'Execute'.

Now you can use your browser search function to look for the word "suspicious", or just browse through the output looking for interesting things.

I did this yesterday for four or five of our accounts that had sent phishing emails recently, and found some interesting things:

- For all but one of the accounts, Google had identified a "suspicious" login. All of these came from Nigeria -- two different ISPs there.
- For the one account that didn't have a suspicious login, the account was clearly "owned" by the bad guys; ALL the logins for the past few months came from Nigeria and the UK (my guess is that the "suspicious" login occurred so long ago it's no longer in the history).
- The "suspicious" login occurred at least two weeks before the account was used to send the phishing email. There was one exception where it occurred a couple of days before.
- In most cases, the accounts seemed to get logged into multiple times between the first suspicious login and the sending of the phishing email.
- Once the user changed his/her password, the unauthorized logins stopped.
The above was all a terribly manual process--look up the data in API Explorer, manually read through JSON-formatted output, look IPs up in geolocation and ASN databases, etc. My new project is putting together an automated version of the steps above to dig up information about these accounts. I'm hoping that the accounts all exhibit the same characteristics, which might mean a script that runs nightly looking for suspicious logins from suspicious locations (e.g., Nigeria) can be developed and we can, maybe, start taking some proactive action.

One thing that still has us puzzled, though, is how all these accounts got (or are getting) compromised. Is it just users responding to phishing emails and filling out the forms? Or was it some major event (the Adobe compromise comes to mind from a timing standpoint, but we have no evidence to suggest it had anything to do with this)?

Sorry for the length of this response. But honestly, I'm a little relieved to hear that someone else is having the same (or similar) problem, and it's not just us.

--Dave

--
DAVID A. CURRY, CISSP * DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL * 55 W. 13TH STREET * NEW YORK, NY 10011
+1 212 229-5300 x4728 * david.curry () newschool edu

On Wed, Feb 19, 2014 at 6:15 PM, Peter Setlak <psetlak () colgate edu> wrote:

Over the past few weeks we saw a dramatic increase in the level and sophistication of phishing against our domain. The phishers not only used compromised accounts from other Universities but from our own as well. They also copied some images from our main website as well as screen-scraped our accounts-reset page. There seem to have been two different campaigns going; one more sophisticated than the other. They only sent emails at night or early morning, none were sent to my inbox (security admin). We use Google Apps and of course, they were of no real help.

I was able to track down the logins from an IP range owned by Spotflux VPN services (spotflux.com). The IP range was 162.210.196.160-175.
We also saw logins from a Nigerian IP range (41.203.69.x). After contacting their support, one of their techs was able to correlate some information and found 142 different machines in the Nigerian IP range were using their VPN service. He null-routed them and it has been a few hours but we have not seen any logins since.

Has anyone else seen this uptick in phishing? Has anyone else seen these IP ranges knocking at their doors? Has anyone else seen this scenario before? Does anyone have suggestions for working with Google to get better reporting and options?

I would really like to see the ability to do two things through Google:

1. Deny certain IP ranges from successfully authenticating into our domain. Obviously, Google has to allow all users from anywhere to use their services; if I could set our App domain to automatically log someone out if they logged in from a certain IP range, that would be very helpful. We have no students in Nigeria (currently).

2. Pull an email from users' inboxes before they respond. In this case, perhaps the first 15 users in my domain might see and click on the email - hopefully at least one sends it to ITS. Then, we could pull that email from the remaining users' inboxes before they ever get a chance to open it.

Perhaps there is something Google offers or a Google-integrated third-party offers that would allow me to do this?

--
Thank you,
Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450
skype: petersetlak

Think Green! Please consider the environment before printing this email.
Engage with Colgate University: News blog, Twitter, Facebook, Google+, Delicious, YouTube, Flickr, Pinterest, LinkedIn
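The nightly check David describes in the thread (pull the login activity report, pick out the logins Google flagged as suspicious and the logins from watched networks, and measure how far ahead of the phish the first one landed) as an added Python example; it is not code from any of the posters. It assumes the JSON shape that reports.activities.list returns for applicationName=login, with the event name suspicious_login and the login_type parameter Joel quotes, and it runs over a constructed sample response and a constructed PHISH_SENT table instead of calling the API. The two watched networks are the ranges Peter mentions, written as CIDR blocks (41.203.69.x as a /24; 162.210.196.160-175 is exactly a /28).

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Networks named in the thread: the Nigerian range (41.203.69.x) and the
# Spotflux VPN range 162.210.196.160-175, which is exactly the /28 below.
WATCHED_NETS = [ipaddress.ip_network(n) for n in ("41.203.69.0/24", "162.210.196.160/28")]

# Constructed sample of a reports.activities.list response for
# applicationName=login (field names follow the API; every value is made up).
SAMPLE_RESPONSE = json.dumps({
    "kind": "admin#reports#activities",
    "items": [
        {"id": {"time": "2014-01-20T03:14:07.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.edu"}, "ipAddress": "41.203.69.17",
         "events": [{"type": "login", "name": "suspicious_login",
                     "parameters": [{"name": "login_type", "value": "google_password"}]}]},
        {"id": {"time": "2014-01-28T22:41:00.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.edu"}, "ipAddress": "162.210.196.170",
         "events": [{"type": "login", "name": "login_success",
                     "parameters": [{"name": "login_type", "value": "google_password"}]}]},
        {"id": {"time": "2014-02-04T09:05:12.000Z", "applicationName": "login"},
         "actor": {"email": "alice@example.edu"}, "ipAddress": "198.51.100.23",
         "events": [{"type": "login", "name": "login_success",
                     "parameters": [{"name": "login_type", "value": "saml"}]}]},
        {"id": {"time": "2014-02-06T15:30:00.000Z", "applicationName": "login"},
         "actor": {"email": "bob@example.edu"}, "ipAddress": "198.51.100.44",
         "events": [{"type": "login", "name": "login_success",
                     "parameters": [{"name": "login_type", "value": "saml"}]}]},
    ],
})

# Constructed: when the abuse mailbox first saw a phish sent from each account.
PHISH_SENT = {"alice@example.edu": "2014-02-05T11:00:00.000Z"}


def parse_time(stamp):
    """Reports API timestamps are RFC 3339 with millisecond precision and a Z suffix."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def login_records(response_json):
    """Flatten the activities response into one dict per login event."""
    records = []
    for item in json.loads(response_json).get("items", []):
        for event in item.get("events", []):
            params = {p["name"]: p.get("value") for p in event.get("parameters", [])}
            records.append({
                "time": parse_time(item["id"]["time"]),
                "user": item["actor"]["email"],
                "ip": item.get("ipAddress"),
                "event": event["name"],
                "login_type": params.get("login_type"),
            })
    return records


def in_watched_net(ip):
    """True if the address falls inside one of the watched ranges."""
    if not ip:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_NETS)


def triage(response_json, phish_sent=PHISH_SENT):
    """Per account: flagged logins, password (non-SAML) logins, and how many
    whole days the first flagged login preceded the phish, if one was sent."""
    by_user = defaultdict(list)
    for rec in login_records(response_json):
        by_user[rec["user"]].append(rec)

    summary = {}
    for user, recs in by_user.items():
        flagged = sorted(
            (r for r in recs if r["event"] == "suspicious_login" or in_watched_net(r["ip"])),
            key=lambda r: r["time"])
        first = flagged[0]["time"] if flagged else None
        lead = None
        if first is not None and user in phish_sent:
            lead = (parse_time(phish_sent[user]) - first).days
        summary[user] = {
            "flagged": len(flagged),
            "flagged_ips": sorted({r["ip"] for r in flagged}),
            "password_logins": sum(1 for r in recs if r["login_type"] != "saml"),
            "first_flagged": first.strftime("%Y-%m-%dT%H:%M:%SZ") if first else None,
            "lead_days": lead,
        }
    return summary


if __name__ == "__main__":
    for user, info in triage(SAMPLE_RESPONSE).items():
        print(user, info)
```

To run this against a real domain, replace SAMPLE_RESPONSE with the JSON the API Explorer (or an authenticated client) returns for a given userKey and page through nextPageToken; the per-user summary then answers the two questions the thread raises: which accounts show a flagged login, and how much warning that login gave before the account was used to send mail. The password_logins count is there because, as Joel notes, the web-only view shows mostly SAML entries, so a non-zero count of google_password logins on an account that should only be reaching Gmail through the campus IdP is itself worth a look.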