Educause Security Discussion mailing list archives
Re: Mitigating Phishing Attacks
From: Jason Gates <jasongates () SOUTHERN EDU>
Date: Wed, 14 Nov 2012 20:40:44 +0000
Did the OWA phishing page embed CSS and images from your web server? In our case it did, so I started looking into "hotlink protection", which is available in IIS7. This would result in the phishing page not displaying properly, but obviously the attacker would see this and change things up. I prefer the stealthier method: watch server logs for hotlinking, and then take action from there.

My second idea was to inject JavaScript into the OWA page, since it appears the attackers screen-scraped the login page. If the embedded JavaScript detected that it was loaded from a domain other than ours, it could scramble the passwords entered into the form, request a specific URL that would trigger an IDS alert on our network, etc.

Below is what I had come up with, though I think we didn't go that route because the admins didn't like the idea of customizing OWA. (I have not tested the script below; use at your own risk.) But like you, I am very interested to see how others solve this problem.

    if (window.location.hostname != "www.domain.com") {
        // Set to true to also scramble the password field on submit.
        var cc = false;
        var readyStateCheckInterval = setInterval(function () {
            if (document.readyState === "complete") {
                // Request a 1x1 image from our own server; the URL carries the
                // foreign page's address (hex encoded) and is what the IDS alerts on.
                var img = new Image(1, 1);
                img.src = 'http://www.domain.com/idstriggeralert.png?id=' + st_cc(window.location.href);
                document.body.appendChild(img);
                if (cc) {
                    document.getElementsByTagName("form")[0].setAttribute('onsubmit', 'return st_ch();');
                }
                clearInterval(readyStateCheckInterval);
            }
        }, 10);
    }

    // Replace the password field's value with a random 6-20 character string
    // before the form is submitted, so the real password never leaves the browser.
    function st_ch() {
        var text = "";
        var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        var len = Math.floor((Math.random() * 15) + 6);
        for (var i = 0; i < len; i++) {
            text += possible.charAt(Math.floor(Math.random() * possible.length));
        }
        document.getElementsByName("password")[0].value = text;
        return true;
    }

    // Hex-encode a string, three hex digits per character, so it is safe to put in a URL.
    function st_cc(str) {
        var r = "";
        var e = str.length;
        var c = 0;
        var h;
        while (c < e) {
            h = str.charCodeAt(c++).toString(16);
            while (h.length < 3) h = "0" + h;
            r += h;
        }
        return r;
    }

-- Jason Gates

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Christopher Jones
Sent: Wednesday, November 14, 2012 3:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mitigating Phishing Attacks

We have experienced a number of targeted phishing attacks recently. Because the most recent phish led its victims to provide their network credentials via a realistic-looking OWA logon page, we took the following steps to deal with some resultant compromised accounts:
* immediately reset the passwords for the affected accounts,
* restarted the IIS service to stop any active webmail sessions,
* alerted the user community.

It got me to wondering how other institutions deal with similar situations where user accounts have been compromised. If anyone would care to share, I would be interested how you have handled similar situations. It would be useful to know your top 3 strategies for preventing and mitigating such occurrences.

Thanks.

Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca
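The server-side half of what Jason describes, as an added example that is not part of the thread: a small Node.js script that reads IIS W3C log lines and surfaces the two signals his message relies on, asset requests whose Referer is a host the institution does not own (hotlinking of the scraped logon page), and hits on the beacon URL the injected script requests, whose "id" value is decoded from the three-hex-digits-per-character scheme used by st_cc. The hostnames (www.domain.com, owa-login.invalid), the asset paths, the beacon path and all log lines are constructed for this example; the #Fields layout is a subset of what IIS writes, so adapt the header to your own log format.

```javascript
// Added example (not from the mailing-list thread): server-side detection of an
// OWA logon page that has been screen-scraped and re-hosted elsewhere.
// Two signals from IIS W3C log lines are checked:
//   1. hotlinking: our CSS/image assets requested with a Referer on a foreign host
//   2. hits on the beacon URL the injected script requests, whose "id" query
//      value is the phishing page URL in the st_cc hex encoding
// All hostnames, paths and log lines below are constructed for this example.

const OWN_HOSTS = new Set(["www.domain.com", "mail.domain.com"]); // assumed
const BEACON_PATH = "/idstriggeralert.png";                       // assumed beacon path
const ASSET_RE = /\.(css|js|png|gif|jpe?g|ico)$/i;

// Same scheme as st_cc in the message: each character -> 3 hex digits.
function encodeBeaconId(str) {
  let r = "";
  for (let i = 0; i < str.length; i++) {
    r += str.charCodeAt(i).toString(16).padStart(3, "0");
  }
  return r;
}

function decodeBeaconId(hex) {
  let out = "";
  for (let i = 0; i + 3 <= hex.length; i += 3) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 3), 16));
  }
  return out;
}

// Parse W3C extended log text into objects keyed by the #Fields header.
function parseW3cLog(text) {
  let fields = null;
  const records = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#") || !fields) continue; // other directives / no header yet
    const cols = line.split(" ");
    if (cols.length !== fields.length) continue;   // malformed line: skip it
    const rec = {};
    fields.forEach((f, i) => { rec[f] = cols[i] === "-" ? "" : cols[i]; });
    records.push(rec);
  }
  return records;
}

function refererHost(ref) {
  try { return new URL(ref).hostname.toLowerCase(); } catch (e) { return ""; }
}

// Asset requests whose Referer is a host we do not own, grouped by that host.
function findHotlinks(records, ownHosts = OWN_HOSTS, beaconPath = BEACON_PATH) {
  const byHost = new Map();
  for (const r of records) {
    if (!ASSET_RE.test(r["cs-uri-stem"])) continue;
    if (r["cs-uri-stem"] === beaconPath) continue; // beacon is reported separately
    const host = refererHost(r["cs(Referer)"]);
    if (!host || ownHosts.has(host)) continue;
    if (!byHost.has(host)) byHost.set(host, { count: 0, clientIps: new Set(), assets: new Set() });
    const e = byHost.get(host);
    e.count++;
    e.clientIps.add(r["c-ip"]);
    e.assets.add(r["cs-uri-stem"]);
  }
  return byHost;
}

// Beacon hits: decode the id parameter back to the page URL that loaded our script.
// The beacon image need not exist on the server (a 404 is fine); the request is the signal.
function findBeaconHits(records, beaconPath = BEACON_PATH) {
  const hits = [];
  for (const r of records) {
    if (r["cs-uri-stem"] !== beaconPath) continue;
    const m = /(?:^|&)id=([0-9a-f]+)/i.exec(r["cs-uri-query"]);
    if (!m) continue;
    hits.push({ clientIp: r["c-ip"], pageUrl: decodeBeaconId(m[1]), status: r["sc-status"] });
  }
  return hits;
}

// Constructed sample log: one legitimate visitor, then a clone page on a foreign
// host loading our CSS and an image, followed by the beacon request.
const SAMPLE_LOG = `
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2012-11-14 19:02:11 GET /owa/auth/logon.aspx - 203.0.113.5 - 200
2012-11-14 19:02:12 GET /owa/auth/themes/base/logon.css - 203.0.113.5 https://www.domain.com/owa/auth/logon.aspx 200
2012-11-14 19:03:40 GET /owa/auth/themes/base/logon.css - 198.51.100.7 http://owa-login.invalid/logon.html 200
2012-11-14 19:03:41 GET /owa/auth/themes/base/lgntopl.gif - 198.51.100.7 http://owa-login.invalid/logon.html 200
2012-11-14 19:04:02 GET /idstriggeralert.png id=${encodeBeaconId("http://owa-login.invalid/logon.html")} 198.51.100.7 http://owa-login.invalid/logon.html 404
`;

function report(logText = SAMPLE_LOG) {
  const records = parseW3cLog(logText);
  const hotlinks = findHotlinks(records);
  const beacons = findBeaconHits(records);
  for (const [host, e] of hotlinks) {
    console.log(`hotlink: ${host} loaded ${e.assets.size} asset(s) ${e.count}x from ${[...e.clientIps].join(",")}`);
  }
  for (const b of beacons) console.log(`beacon: ${b.clientIp} loaded our script from ${b.pageUrl}`);
  return { hotlinks, beacons };
}

report();
```

Run it with `node` against a real log by passing the file contents to report(). The Referer check is the quieter of the two signals, since it needs no change to OWA at all; the beacon only fires if the injected script survived the attacker's copy, so treat its absence as no evidence either way.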
Current thread:
- Mitigating Phishing Attacks Christopher Jones (Nov 14)
- Re: Mitigating Phishing Attacks Jason Gates (Nov 14)
- Re: Mitigating Phishing Attacks King, Ronald A. (Nov 14)
- Re: Mitigating Phishing Attacks Amanda Williams (Nov 14)
- Re: Mitigating Phishing Attacks Steven Tardy (Nov 14)
- Re: Mitigating Phishing Attacks Joel Rosenblatt (Nov 14)
- Message not available
- Re: Mitigating Phishing Attacks Drew Perry (Nov 15)
- Re: Mitigating Phishing Attacks Valdis Kletnieks (Nov 18)
- Re: Mitigating Phishing Attacks Bob Bayn (Nov 14)
- Re: Mitigating Phishing Attacks Bateman, Darrell (Nov 16)
- Re: Mitigating Phishing Attacks Christopher Jones (Nov 19)
- <Possible follow-ups>
- Re: Mitigating Phishing Attacks Conlee, Keith (Dec 04)