Re: Phishing, compromised account and SPAM

[JR Ramirez <jrramirez30 () GMAIL COM>]

We are looking at Duo and Toopher -- likely leaning towards Duo.

JR

> On Apr 2, 2014, at 4:19 PM, Roger A Safian <r-safian () NORTHWESTERN EDU> wrote:
>
> Thanks…For multi-factor we are working with Duo.  What is your OTP system going to be based on?
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of JR 
> Ramirez
> Sent: Wednesday, April 2, 2014 4:06 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Phishing, compromised account and SPAM
>  
> Roger, you are correct -- it will re-write every URL.  Some users initially complained about this but we had an 
> information campaign to let them know this was coming.
>  
> As great a product as Proofpoint is, its major drawback is the fact that it typically takes a couple of hours from 
> when a user first clicks on a phish link to actually have Proofpoint block the phish site.
>  
> As a way to get around this protection, the phishers have become more sophisticated in their e-mails, using 
> University insignia and such.  Also, we currently do not block e-mail sent on behalf of the University sourced from 
> an external user (working on fixing that very soon), so some phish e-mails appear to come from internal users.
>  
> For the one or two accounts that have been compromised, the phishers would log into OWA and send internal e-mail, 
> thereby passing the Proofpoint protection.  They would also log into our VPN infrastructure and send e-mail from 
> their PC, also bypassing the Proofpoint protection.  This is the main reason why we are blocking Nigeria from 
> accessing our OWA and VPN.
>  
> The solution we will soon implement is two-factor authentication, though it won't be long before the phishers start 
> asking users to supply their OTP as well :)
>  
>
> On Wed, Apr 2, 2014 at 3:53 PM, Roger A Safian <r-safian () northwestern edu> wrote:
> Can you comment on how the phishers have gotten around proof point?  Do you rewrite all your URL’s to point to proof 
> point?  (we’re just starting a demo, and we’re concerned that our community may balk if we rewrite URL’s)
>  
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of JR 
> Ramirez
> Sent: Wednesday, April 2, 2014 3:48 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Phishing, compromised account and SPAM
>  
> My organization uses the Proofpoint e-mail gateway.  All potential phish URLs are re-written and re-directed through 
> Proofpoint's servers.  Valid sites would be accessible; links detected as malicious would be filtered and users would 
> be prompted with a Proofpoint-branded landing page.  This typically happens within a couple of hours of detection.  
> This helps to protect both internal and external users who click on phish links via their phones.  This has also cut 
> down on the number of account compromises dramatically; we dropped from an average of 15 compromises per month to 
> zero.
>  
> In the six months since we implemented this solution, the phishers have found ways around this, though it does 
> provide an additional road block.  We have also taken the somewhat extreme step of blocking the whole country of 
> Nigeria from accessing our OWA web server since this has been the main source of phish attacks for the past two years.
>
> Hope this helps.
>  
> JR
>  
>
> On Wed, Apr 2, 2014 at 3:20 PM, Rob Tanner <rtanner () linfield edu> wrote:
> Hi,
>  
> We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them 
> and give their password away.  We’ve tried everything we can think of to educate faculty and staff to the fact that 
> ITS never, ever asked them to revalidate their account by entering their username and password.  But it still 
> continues to happen and it looks like what folks are after is an account they can send SPAM through.  If it’s in the 
> middle of a week-day we catch it pretty early , but evenings and especially week-ends, thousands of email messages 
> with between 40 and 50 recipients each are sent out before we can kill it.  So, we are constantly getting on 
> blacklists.
>  
> I can’t imagine that Linfield College is alone in this situation.  What are others doing to mitigate the consequences 
> or better yet, prevent from occurring in the first place.
>  
> Thanks.
>   
>  
>
> Rob Tanner
> UNIX Services Manager
> Linfield College, McMinnville Oregon
>
> ITS will never ask you for your password.  Please don’t share yours with anyone!
>  
>  
>