Re: Phishing, compromised account and SPAM

[JR Ramirez <jrramirez30 () GMAIL COM>]

Roger, you are correct -- it will re-write every URL.  Some users initially
complained about this but we had an information campaign to let them know
this was coming.

As great a product as Proofpoint is, its major drawback is the fact that it
typically takes a couple of hours from when a user first clicks on a phish
link to actually have Proofpoint block the phish site.

As a way to get around this protection, the phishers have become more
sophisticated in their e-mails, using University insignia and such.  Also,
we currently do not block e-mail sent on behalf of the University sourced
from an external user (working on fixing that very soon), so some phish
e-mails appear to come from internal users.

For the one or two accounts that have been compromised, the phishers would
log into OWA and send internal e-mail, thereby passing the Proofpoint
protection.  They would also log into our VPN infrastructure and send
e-mail from their PC, also bypassing the Proofpoint protection.  This is
the main reason why we are blocking Nigeria from accessing our OWA and VPN.

The solution we will soon implement is two-factor authentication, though it
won't be long before the phishers start asking users to supply their OTP as
well :)


On Wed, Apr 2, 2014 at 3:53 PM, Roger A Safian <r-safian () northwestern edu>wrote:

>  Can you comment on how the phishers have gotten around proof point?  Do
> you rewrite all your URL's to point to proof point?  (we're just starting a
> demo, and we're concerned that our community may balk if we rewrite URL's)
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *JR Ramirez
> *Sent:* Wednesday, April 2, 2014 3:48 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Phishing, compromised account and SPAM
>
>
>
> My organization uses the Proofpoint e-mail gateway.  All potential phish
> URLs are re-written and re-directed through Proofpoint's servers.  Valid
> sites would be accessible; links detected as malicious would be filtered
> and users would be prompted with a Proofpoint-branded landing page.  This
> typically happens within a couple of hours of detection.  This helps to
> protect both internal and external users who click on phish links via their
> phones.  This has also cut down on the number of account compromises
> dramatically; we dropped from an average of 15 compromises per month to
> zero.
>
>
>
> In the six months since we implemented this solution, the phishers have
> found ways around this, though it does provide an additional road block.
>  We have also taken the somewhat extreme step of blocking the whole country
> of Nigeria from accessing our OWA web server since this has been the main
> source of phish attacks for the past two years.
>
> Hope this helps.
>
>
>
> JR
>
>
>
> On Wed, Apr 2, 2014 at 3:20 PM, Rob Tanner <rtanner () linfield edu> wrote:
>
>  Hi,
>
>
>
> We are seeing an increase in phishing expeditions as well as a more
> significant increase in those who fall for them and give their password
> away.  We've tried everything we can think of to educate faculty and staff
> to the fact that ITS never, ever asked them to revalidate their account by
> entering their username and password.  But it still continues to happen and
> it looks like what folks are after is an account they can send SPAM
> through.  If it's in the middle of a week-day we catch it pretty early ,
> but evenings and especially week-ends, thousands of email messages with
> between 40 and 50 recipients each are sent out before we can kill it.  So,
> we are constantly getting on blacklists.
>
>
>
> I can't imagine that Linfield College is alone in this situation.  What
> are others doing to mitigate the consequences or better yet, prevent from
> occurring in the first place.
>
>
>
> Thanks.
>
>
>
>
>
> *Rob Tanner*
>
> UNIX Services Manager
> Linfield College, McMinnville Oregon
>
> *ITS will never ask you for your password.  Please don't share yours with
> anyone!*