Educause Security Discussion mailing list archives

Re: Phishing, compromised account and SPAM


From: Joseph Tam <tam () MATH UBC CA>
Date: Thu, 3 Apr 2014 01:18:16 -0700

Rob Tanner <rtanner () LINFIELD EDU> writes:

We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them and give their password away.  We've tried everything we can think of to educate faculty and staff to the fact that ITS never, ever asked them to revalidate their account by entering their username and password.

The problem I see with most educational campaigns is that they tend to
preach to the converted.  The people most prone to succumbing are
unaware they are susceptible, and don't go through training since they
think they are immune.

I've been eyeball to eyeball with new users explaining what fraud is and
how our IT staff will never ask for a password, blah blah, and they nod
up and down in agreement, but they don't know what they don't know.
When presented with an actual phish, their consciousness doesn't trigger
the technical knowledge they have since it never occurred to them that
it is relevant.

When I do a forensic interview afterwards, and when you get them to pay
attention, they sheepishly see it as the obvious fraud it is.  That is
where the gap is: skeptical attitude that leads to recognition, not the
technical description of phish.

There is too much emphasis put on describing superficial characteristics
of fraud, and not enough to promote skepticism.  Unfortunately, this is
hard to teach.

But it still continues to happen and it looks like what folks are after is an account they can send SPAM through.  If it's in the middle of a week-day we catch it pretty early, but evenings and especially week-ends, thousands of email messages with between 40 and 50 recipients each are sent out before we can kill it.  So, we are constantly getting on blacklists.

Automated rate limiting can help here.  I am currently adding AUTH/SMTP
tracking and disabling accounts that send over a threshold.  Our webmail
system already employs this and has on numerous occasions stopped a
compromised account cold.

"Banks, Teresa E - (tbanks)" <tbanks () EMAIL ARIZONA EDU> writes:

We have devoted a lot of printed materials to the issue, warnings, awareness
presentations, etc.
Our last newsletter was completely dedicated to phishing.  You can find it
at hxxp://security.arizona.edu/securecat-courier.

More preaching to the converted.  The ones to worry about are the ones *not*
thinking this applies to them.

From:    JR Ramirez <jrramirez30 () GMAIL COM>

My organization uses the Proofpoint e-mail gateway.  All potential phish
URLs are re-written and re-directed through Proofpoint's servers.  Valid
sites would be accessible; links detected as malicious would be filtered
and users would be prompted with a Proofpoint-branded landing page.  This
typically happens within a couple of hours of detection.  This helps to
protect both internal and external users who click on phish links via their
phones.  This has also cut down on the number of account compromises
dramatically; we dropped from an average of 15 compromises per month to
zero.

Rather invasive, but I can see where it gives enough of a pause for people
to engage their brain.  It won't work in that critical first few hours,
*or* if they forward mail out of your network.  I sometimes catch users
via DNS query logs to the phish sites.

We have also taken the somewhat extreme step of blocking the whole country
of Nigeria from accessing our OWA web server since this has been the main
source of phish attacks for the past two years.

As I have for inbound mail.  Country of origin login checks are also useful.

From:    Mally Mclane <mally.mclane () BRISTOL AC UK>

I think a problem we have (without any evidence to back it up..) is that we
promoted Postini and Gmail to be so good at blocking things that when stuff
does get through, it's almost viewed by some as genuine, because it wasn't
blocked...

Yes, I agree.  The irony of spam filtering is that the better they get,
the more oblivious your mail users get.  I've joked that the best method
to phish-proof users is to hose them with all the phish they can stand
for the first month they get their Email account.  They will come to
the natural conclusion that they can't all be true, and maybe none of
them are.  Immunity by exposure.

From:    "Pollock, Joseph" <PollockJ () EVERGREEN EDU>

Many spams are caught by our Ironport, and nearly 90% of inbound traffic is
blocked based on sender reputation.

Unfortunately, that's one reason why they target educational accounts.
They usually have good reputation and speedy networks.  Once they get
a compromised account, they use it to send more phish to .edu sites
since it is unlikely to be blacklisted, and round and round it goes.
(update*.info ring a bell?)

Another method I haven't seen mentioned is to run a phish sting campaign.
By that, I mean to deliberately send fraudulent Email to your user base
enticing them to divulge information to a site you control.  This has the
benefit that it directly exposes those who are susceptible to becoming
victims, you can deliver your online training right then and there and
maybe follow up with more intensive training or educational efforts.

Joseph Tam <tam () math ubc ca>
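The AUTH/SMTP threshold tracking described in the reply above, as an added example that is not part of this thread and not any poster's own code. It assumes a constructed one-line-per-submission log format ("timestamp auth=user ip=addr rcpts=N"; real MTA logs differ and need their own parser), assumes lines arrive in chronological order, and flags an account once it has addressed more than a set number of recipients within a sliding one-hour window. Counting recipients rather than messages matches the pattern complained about in the thread (thousands of messages with 40-50 recipients each).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption, not any real MTA's): one line per
# authenticated submission, e.g.
#   2014-04-03T02:16:40 auth=bob@example.edu ip=203.0.113.9 rcpts=45
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<user>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$"
)

# Constructed sample log: alice behaves normally, bob bursts 40-50 recipient
# messages from an off-campus address, carol sends two large but legitimate
# batches more than an hour apart.
SAMPLE_LOG = """\
2014-04-03T02:15:07 auth=alice@example.edu ip=198.51.100.7 rcpts=1
2014-04-03T02:16:40 auth=bob@example.edu ip=203.0.113.9 rcpts=45
2014-04-03T02:16:41 auth=bob@example.edu ip=203.0.113.9 rcpts=48
2014-04-03T02:16:43 auth=bob@example.edu ip=203.0.113.9 rcpts=50
2014-04-03T02:16:44 auth=bob@example.edu ip=203.0.113.9 rcpts=42
2014-04-03T02:16:46 auth=bob@example.edu ip=203.0.113.9 rcpts=47
2014-04-03T02:20:12 auth=alice@example.edu ip=198.51.100.7 rcpts=3
2014-04-03T09:30:00 auth=carol@example.edu ip=198.51.100.22 rcpts=120
2014-04-03T11:45:00 auth=carol@example.edu ip=198.51.100.22 rcpts=120
"""


class RecipientRateLimiter:
    """Sliding-window limiter: an account is cut off once it has addressed
    more than `max_rcpts` recipients within any `window` of wall-clock time.
    Thresholds here are illustrative assumptions, not recommended values."""

    def __init__(self, max_rcpts=200, window=timedelta(hours=1)):
        self.max_rcpts = max_rcpts
        self.window = window
        self._events = defaultdict(deque)  # user -> deque of (timestamp, rcpts)
        self._totals = defaultdict(int)    # user -> recipients inside the window
        self.disabled = {}                 # user -> timestamp the cutoff fired

    def record(self, user, ts, rcpts):
        """Account for one submitted message. Returns True if the account is
        over the limit (now or earlier) and should stay disabled."""
        if user in self.disabled:
            return True
        events = self._events[user]
        events.append((ts, rcpts))
        self._totals[user] += rcpts
        # Drop submissions that have aged out of the window (log assumed
        # chronological, so the oldest entries are at the left).
        cutoff = ts - self.window
        while events and events[0][0] < cutoff:
            _, old = events.popleft()
            self._totals[user] -= old
        if self._totals[user] > self.max_rcpts:
            self.disabled[user] = ts
            return True
        return False


def scan_log(lines, limiter=None):
    """Feed submission log lines through a limiter and return the accounts
    it would disable, as {user: timestamp_of_cutoff}."""
    limiter = limiter or RecipientRateLimiter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a submission record; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        limiter.record(m["user"], ts, int(m["rcpts"]))
    return dict(limiter.disabled)


if __name__ == "__main__":
    for user, when in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"disable {user}: exceeded recipient threshold at {when}")
```

With the default threshold only bob is cut off, on the fifth burst message at 02:16:46, which is the point the thread is making: the account is stopped after a few hundred recipients rather than after thousands of messages the next morning. Carol's two 120-recipient batches are more than an hour apart, so the sliding window lets them through; a tighter threshold of 100 would catch her too, which is the trade-off any threshold needs tuning against.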
