Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Thu, 12 Jun 2008 11:27:11 -0400

Zach, thanks for the suggestions.  Your idea of blocking outbound recipients is a good idea.  Because of the way our 
MTA is configured, I think I can assign any address to an internal account which will be checked before the message is 
then transferred to the appropriate outside SMTP server.  If I create an account for this purpose, forward it to 
myself, and then add the reply addresses of these phishing e-mails to that account, I could intercept any replies.  
This assumes I know what the reply addresses are, so I would have to get word of the phishing attempt before others 
started replying.
 
We call the offenders.  We lock their account until the mess is cleaned up and we have done an investigation (typically 
only an hour) and then we change their password and enable their account.  We then call them and explain what happened, 
telling them not to set the password back to what it was.
 
These phishing attacks could be much worse.  Right now mail reputations are going down the tube, but it could be our 
security reputation.  Most organizations now have single sign on to services or users set their passwords the same 
between services.  If someone from an administrative department such as financial aid gives out their account 
information to one of these attackers, the attacker could use the credentials to login to their systems and gain access 
to SSNs and other confidential information.  If it wasn't for the spam going out of these accounts triggering alarms, 
would many of us know that it had even happened until it was too late?
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Zach Jansen
Sent: Thu 6/12/2008 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing



Clyde,
I think a few of us share your pain. Search the archives for some good suggestions, the topic has come up a couple 
times this year. In general there hasn't been a really good answer to how to handle these problems since we can't 
effectively block the phishing attacks. Matt's suggestion for blocking the DNS name is a good one and it's something I 
do here. Also, take a look at malwaredomains.com for a good list of "bad" domains. I've been testing that here. Only 
problem so far is a small number of false positives, plus advertising sites getting blocked. I think opendns.com runs a 
similar service.

I wouldn't feel too bad that you haven't been able to stop the email phishing responses. The response rate here varies 
from campaign to campaign, but in general user education efforts have been ineffective. The only thing I've found 
effective is directly emailing folks who respond. I've yet to see anyone respond twice, but it would be nice if people 
paid attention to the mass mails instead of just the individual ones.

As far as the email phishing attacks there have been a few suggestions on how to mitigate this:
1) Automated checking of mail queues for large influxes of outgoing mail. Indicates an account compromise.... or 
college email campaign.
2) Install an outbound phishing filter. This won't block outgoing spam as much as you'd like, but it will have good 
features for blocking email recipients, which you use to block the return address as soon as you see a phishing attack. 
You can also search for people who have replied to a phishing attack and force them to change their passwords. I think 
you can do these things directly on the mail server if you don't have funds to purchase an outbound filter, but I found 
it easier technically and politically to just buy an outbound spam filter. Barracuda makes reasonably priced machines.
3) Direct emails to offenders. Most people don't respond to me when I send them a message informing them they fell for 
a scam, but I've yet to see anyone do it twice.
4) If we see a particularly clever email that's getting lots of responses, we'll send out an email alert telling people 
not to respond. That helps some, but sometimes I think it mostly makes the HelpDesk feel better.
5) Switch to google mail and let it be someone else's problem =)

The biggest problem for me is we have students who forward their mail and then respond to these attacks from their 
gmail or hotmail accounts. From there I can't tell if they've responded, so I have to wait to detect those when they 
start getting used to send spam.

HTH,

Zach
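The two controls discussed in this thread, the outbound-volume check from Zach's item 1 and the interception of replies to known phishing reply addresses from Matt's message, as an added example that is not code from either poster. It assumes Postfix-style one-line-per-recipient smtp log lines, a 2008 timestamp year (syslog lines carry none), and hypothetical allowlist and reply-address values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log shape: one Postfix-style smtp line per recipient delivery (year not logged).
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*from=<([^>]*)>.*to=<([^>]*)>")
# Constructed sample (not real logs): a normal user, a burst, a bulk sender, a phish reply.
SAMPLE_LOG = """\
Jun 12 09:00:05 mx postfix/smtp[101]: A1: from=<alice@example.edu>, to=<friend@example.org>, status=sent
Jun 12 09:00:09 mx postfix/smtp[101]: A2: from=<bob@example.edu>, to=<r1@example.net>, status=sent
Jun 12 09:00:10 mx postfix/smtp[101]: A3: from=<bob@example.edu>, to=<r2@example.net>, status=sent
Jun 12 09:00:11 mx postfix/smtp[101]: A4: from=<bob@example.edu>, to=<r3@example.net>, status=sent
Jun 12 09:00:30 mx postfix/smtp[101]: A5: from=<news@example.edu>, to=<s1@example.net>, status=sent
Jun 12 09:00:31 mx postfix/smtp[101]: A6: from=<news@example.edu>, to=<s2@example.net>, status=sent
Jun 12 09:00:32 mx postfix/smtp[101]: A7: from=<news@example.edu>, to=<s3@example.net>, status=sent
Jun 12 09:05:00 mx postfix/smtp[101]: B1: from=<carol@example.edu>, to=<verify-acct@example.com>, status=sent
"""
# Hypothetical values: campus bulk senders and the reply address taken from a lure.
BULK_SENDERS = {"news@example.edu"}
PHISH_REPLY_ADDRESSES = {"verify-acct@example.com"}

def parse_line(line, year=2008):
    """Return (timestamp, sender, recipient), or None if the line is not a delivery."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2).lower(), m.group(3).lower()

def burst_senders(log, threshold=3, window_s=60, allowlist=BULK_SENDERS):
    """Non-allowlisted senders hitting `threshold` recipients within `window_s` seconds."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse_line, log.splitlines())):
        ts, sender, _ = rec
        if sender in allowlist:  # known campaign senders are not compromises
            continue
        q = recent[sender]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop deliveries outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[sender] = max(flagged.get(sender, 0), len(q))
    return flagged

def phish_replies(log, reply_addresses=PHISH_REPLY_ADDRESSES):
    """Senders who mailed a known phishing reply address: accounts to lock and reset."""
    return sorted({rec[1] for rec in map(parse_line, log.splitlines())
                   if rec and rec[2] in reply_addresses})
```

Run over a live log the burst check fires only for accounts outside the allowlist, and the reply check gives the list of users to contact before their accounts start sending spam.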
