Full Disclosure mailing list archives

Re: FW: Are consumers being misled by "phishing"?


From: "Chris Umphress" <umphress () gmail com>
Date: Fri, 30 Jun 2006 02:07:43 -0700

On 6/29/06, Josh L. Perrymon <joshuaperrymon () gmail com> wrote:

> Most companies believe that blocking HTML in email handicaps email's
> effectiveness.. ( screw the newsletters.. put it on a website )

Hehe, agree with you there.

> Network Protection:
> I believe that it's possible to develop "widgets" to alert on this type of
> directed phishing attack. First you have to have the ability to monitor all
> email traffic. This shouldn't piss off legal because all users should have
> already signed off on this.

MmmHmm. Enter 1984.

> The most effective would be to monitor all known public email addresses,
> including "planted" email addresses placed in forums and webpages to be
> harvested. This would provide a greater % that traffic sent to those
> addresses is directed attacks.. (Like an Email Honeypot :)

Planted e-mail addresses are an old idea. And so are e-mail honeypots.

Link: http://wiki.apache.org/spamassassin/ReportingMboxesToRazor

I also found a forum recently (sorry, don't remember the link) where
somebody took the IP address of visitors to his site and encrypted it
into a unique e-mail address so that he could learn the IPs of spam
bots.

> It should be easy to develop an analysis to pick up on standard phishing
> emails. You would look for anchors / links with IP addresses that resolve
> outside of the "known-whitelisted" address list. This should at least
> alert and place the email in a second level queue for analysis. You could
> also do some type of grep on the email link looking for company X verbiage.

So... anything that doesn't match the whitelist gets tested against
the blacklist? :)

Having a more strict filter for users who aren't in the user's address
book is (IMO) one of the best ways, but that relies more on the end
user than on the company's sys admin.

> M$ Phishing filter may even be USEFUL ( Almost.... )

> So using the methods above you would have a system to alert on potential
> phishing attacks, scanning all emails or preferably only public emails
> including "planted" ones.

> The widget performs analysis to determine if the email is a phishing
> attack.

Thunderbird does some analysis in this area already. It's probably
closely related to the junk filters, but the phishing mails generally
find their way to the Junk or Trash folder before being opened on this
end, so I don't know a lot about it.

> This process could be automated to perform the whois and so on…  So now we
> should have determined the IP or block for the hosted phishing site.  We can
> use something like M$ phishing filter. Send it the new whitelisted IP
> address of the phishing site and the browser should block the site. If the
> widget monitors all emails coming into the company then it should have the
> ability to do some trending of who received certain emails.. sorted on
> subjects for instance. Once you found the phishing email you would have a
> known list of all email addresses that received the email once the attack
> has been spotted.

Performing thousands of WHOIS lookups per day for a medium-sized
business might be a little pricey for the purpose. There are tools
(like SpamAssassin) to filter out spam messages -- even commercial
programs, but from what I hear, none of them is at 100% efficiency.
Hey, AOL is even charging to be on their "white list."

"The widget" might be useful for companies where all e-mail is only
accessible from a web interface (and e-mail can be deleted from the
local mbox file later), but generally you don't argue with the CEO
when he says he wants to use XYZ e-mail client while he is travelling.
Some of the employees, or worse, management, will see these e-mail
messages on occasion. This means that there would either have to be a
delayed delivery system for incoming e-mail, or the e-mail clients
will have to have an understanding of phishing -- and if that were the
case, then "the widget" should have caught it anyway. The user still
has to be educated.

My solution is simple. We have deer season, rabbit season, and tourist
season. Start a spammer season!

--
Chris Umphress <http://daga.dyndns.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
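The "widget" sketched above (quoted from Josh, with Chris's reservations) boils down to a few link-level heuristics: flag anchors whose host is a raw IP address, flag links that land outside a whitelist of company domains, grep for the company's name near such links, and treat mail to planted honeypot addresses as presumptively hostile. The following is an added illustration written for this archive page, not code from either poster. It assumes a hypothetical company ("Example Bank", domains under example-bank.com) and a constructed honeypot address; the two sample messages are constructed as well. The "resolve outside the whitelist" step is done on the hostnames in the links rather than via DNS, so the example runs offline and does not perform the WHOIS lookups the thread worries about.

```python
"""Heuristic phishing triage for one inbound message, in the spirit of
the thread: raw-IP links, links outside a domain whitelist, company
verbiage next to an unlisted link, and mail to planted honeypot
addresses. Hostname checks only; no DNS or WHOIS is performed."""

import email
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed configuration for a hypothetical company (not from the thread).
COMPANY_NAME = "example bank"
ALLOWED_DOMAINS = {"example-bank.com"}            # whitelist of link hosts
HONEYPOT_ADDRESSES = {"webmaster-archive@example-bank.com"}  # planted address


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = AnchorCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL (scheme optional), or None if unparsable."""
    if "://" not in url:
        url = "http://" + url
    try:
        return urlparse(url).hostname
    except ValueError:
        return None


def host_allowed(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def analyze_message(raw):
    """Return a list of finding tags for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Honeypot check: anything addressed to a planted mailbox is suspect.
    recipients = set()
    for name in ("to", "cc"):
        for hdr in msg.get_all(name, []):
            recipients.update(a.addr_spec.lower() for a in hdr.addresses)
    if recipients & HONEYPOT_ADDRESSES:
        findings.append("honeypot_recipient")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings                      # plain-text only: nothing to grep
    html = body.get_content()
    for href, text in extract_links(html):
        host = host_of(href)
        if not host:
            continue
        if is_ip_literal(host):
            findings.append(f"ip_literal_link:{host}")
        if not host_allowed(host):
            # "Company X verbiage" next to a link that leaves our domains.
            if COMPANY_NAME in text.lower() or COMPANY_NAME in html.lower():
                findings.append(f"brand_on_unlisted_host:{host}")
            # Link text that shows one host while the href goes elsewhere.
            if text.startswith(("http://", "https://", "www.")):
                text_host = host_of(text)
                if text_host and text_host.lower() != host.lower():
                    findings.append(f"link_text_mismatch:{text_host}->{host}")
    return findings


# Constructed sample messages (not real mail).
PHISH = b"""\
From: security@example-bank.com.attacker.test
To: webmaster-archive@example-bank.com
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Example Bank customer, please verify your login:</p>
<a href="http://203.0.113.10/login">https://www.example-bank.com/login</a>
</body></html>
"""

LEGIT = b"""\
From: newsletter@mail.example-bank.com
To: alice@example-bank.com
Subject: Monthly statement
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement from Example Bank is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a>
</body></html>
"""

if __name__ == "__main__":
    print("phish:", analyze_message(PHISH))
    print("legit:", analyze_message(LEGIT))
```

A hit on any tag is the "second level queue" trigger from the thread rather than a verdict; the honeypot tag carries the most weight, since a planted address has no legitimate correspondents. Note that the checks only fire on HTML mail with anchors, which is exactly the traffic Josh's first point proposes blocking outright.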
