Educause Security Discussion mailing list archives

Re: Phishing, compromised account and SPAM


From: "Frahm, Eric J Jr." <efrahm () ILLINOIS EDU>
Date: Thu, 3 Apr 2014 01:43:00 +0000

We also use Proofpoint for protection, and due to a serious cluster of compromised accounts last year have done a 
campus test and gotten approval to implement the URL rewrite product (Targeted Attack Protection).  One feature I am 
very excited about in that URL rewrite is the report of users who clicked on the link.  So even the risks that occur in 
those few hours before the link begins getting blocked can be responded to proactively, as JR points out, by reaching 
out to affected users and resetting accounts.



In our case last year, this would have gone a long way toward resolving the blacklisting early.  We did not have a 
handle on how many and which accounts were compromised, so it took much too long to weed out the compromised accounts 
and truly stop the spam floods, so we could get off the blacklists.  This product will give us some tracking of likely 
compromises before they are being abused.



- a different Eric
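Added example (editor's illustration, not Proofpoint's code and not code from anyone in this thread): a minimal model of the URL-rewriting gateway JR and Eric describe. Every link in an outbound copy of a message is replaced by a redirector URL carrying a signed token; the redirector logs each click and checks the original URL against a block list that may only be populated hours later, so the list of users who clicked before the block existed can still be produced. The redirector host, the HMAC secret, the in-memory block list and click log are all constructed for the demo.

```python
"""Toy URL-rewrite gateway with click logging (constructed demo, not vendor code)."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed values: a real deployment has its own redirector host and a secret from a key store.
REDIRECTOR = "https://urldefense.example.edu/v1"
SECRET = b"constructed-demo-secret"
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Demo state: the block list grows as detections arrive; the click log is append-only.
blocked_urls = set()
click_log = []


def _token(original_url: str, recipient: str) -> str:
    """Bind the original URL and the recipient into an HMAC-signed, URL-safe token."""
    payload = json.dumps({"u": original_url, "r": recipient}).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(payload + mac).decode().rstrip("=")


def _decode(token: str) -> dict:
    """Verify the token's MAC before trusting anything inside it."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    payload, mac = raw[:-16], raw[-16:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tampered or forged token")
    return json.loads(payload)


def rewrite_message(body: str, recipient: str) -> str:
    """Replace every http(s) URL in the body with a redirector URL carrying a signed token."""
    return URL_RE.sub(lambda m: f"{REDIRECTOR}/{_token(m.group(0), recipient)}", body)


def handle_click(rewritten_url: str, when: Optional[datetime] = None) -> tuple:
    """Redirector: verify token, log the click, then allow or send to the landing page."""
    when = when or datetime.now(timezone.utc)
    data = _decode(rewritten_url.rsplit("/", 1)[1])
    click_log.append({"user": data["r"], "url": data["u"], "time": when.isoformat()})
    if data["u"] in blocked_urls:
        return ("block", f"{REDIRECTOR}/landing")
    return ("allow", data["u"])


def users_who_clicked(url: str) -> list:
    """Report for the help desk: who clicked this URL, including clicks made before it was blocked."""
    return sorted({e["user"] for e in click_log if e["url"] == url})


if __name__ == "__main__":
    # Constructed phish body; the domain is a placeholder, not a real indicator.
    phish = "Please verify at http://verify-account.example.net/login now"
    out = rewrite_message(phish, "alice")
    link = out.split()[3]
    print(handle_click(link))                      # click a few hours before detection: allowed
    blocked_urls.add("http://verify-account.example.net/login")
    print(handle_click(link))                      # after detection: landing page
    print(users_who_clicked("http://verify-account.example.net/login"))  # ['alice']
```

The point of the signed token is that the click log names a specific recipient, which is what lets the help desk reset exactly the accounts that followed the link instead of guessing; the MAC also stops the redirector from being used as an open redirect for arbitrary URLs.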





________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Roger A Safian [r-safian () NORTHWESTERN EDU]
Sent: Wednesday, April 02, 2014 3:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing, compromised account and SPAM

Can you comment on how the phishers have gotten around Proofpoint?  Do you rewrite all your URLs to point to Proofpoint?  (We’re just starting a demo, and we’re concerned that our community may balk if we rewrite URLs.)

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of JR 
Ramirez
Sent: Wednesday, April 2, 2014 3:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing, compromised account and SPAM

My organization uses the Proofpoint e-mail gateway.  All potential phish URLs are re-written and re-directed through 
Proofpoint's servers.  Valid sites would be accessible; links detected as malicious would be filtered and users would 
be prompted with a Proofpoint-branded landing page.  This typically happens within a couple of hours of detection.  
This helps to protect both internal and external users who click on phish links via their phones.  This has also cut 
down on the number of account compromises dramatically; we dropped from an average of 15 compromises per month to zero.

In the six months since we implemented this solution, the phishers have found ways around this, though it does provide 
an additional road block.  We have also taken the somewhat extreme step of blocking the whole country of Nigeria from 
accessing our OWA web server since this has been the main source of phish attacks for the past two years.

Hope this helps.

JR

On Wed, Apr 2, 2014 at 3:20 PM, Rob Tanner <rtanner () linfield edu> wrote:
Hi,

We are seeing an increase in phishing expeditions as well as a more significant increase in those who fall for them and 
give their password away.  We’ve tried everything we can think of to educate faculty and staff to the fact that ITS 
never, ever asked them to revalidate their account by entering their username and password.  But it still continues to 
happen, and it looks like what folks are after is an account they can send SPAM through.  If it’s in the middle of a 
weekday we catch it pretty early, but evenings and especially weekends, thousands of email messages with between 40 
and 50 recipients each are sent out before we can kill it.  So, we are constantly getting on blacklists.

I can’t imagine that Linfield College is alone in this situation.  What are others doing to mitigate the consequences, 
or better yet, prevent it from occurring in the first place?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!
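Added example (editor's illustration, not code from anyone in this thread or from Linfield): a sliding-window detector over outbound mail-gateway log lines that flags an account the moment its sending pattern looks like the floods Rob describes (many messages, 40-50 recipients each), and marks whether the burst falls in the evening or weekend gap when nobody is watching so it can be routed to an on-call page rather than a mailbox. The log format, the sample lines, the thresholds and the business-hours definition are all constructed for the demo; real thresholds should be tuned against the institution's own baseline.

```python
"""Outbound burst detector for compromised-account spam (constructed demo)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log() -> list:
    """Constructed log: normal faculty traffic plus one account spraying 40-50 recipients per message.

    Format (constructed): "<ISO timestamp> sender=<user> rcpts=<n>".
    """
    lines = []
    sat = datetime(2014, 4, 5, 20, 30)        # Saturday evening, 2014-04-05
    for i in range(15):                        # normal: 15 small messages over 30 minutes
        ts = sat + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} sender=prof.smith rcpts={1 + i % 4}")
    burst = datetime(2014, 4, 5, 21, 0)
    for i in range(30):                        # burst: 30 messages in 5 minutes, 40-50 rcpts each
        ts = burst + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} sender=student42 rcpts={40 + i % 11}")
    return sorted(lines)                       # ISO timestamps sort correctly as strings


def parse_line(line: str) -> tuple:
    ts_s, sender_kv, rcpts_kv = line.split()
    return datetime.fromisoformat(ts_s), sender_kv.split("=", 1)[1], int(rcpts_kv.split("=", 1)[1])


def is_off_hours(ts: datetime) -> bool:
    """Constructed definition: weekends, or before 07:00 / after 18:00 on weekdays."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 18


def detect(lines, window=timedelta(minutes=10), max_msgs=20, max_rcpts=200) -> list:
    """Flag each sender once, at the first moment its recent messages or recipients exceed a threshold."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, rcpts) inside the window
    rcpt_sum = defaultdict(int)   # running recipient total per sender for the same window
    alerted = set()
    alerts = []
    for line in lines:
        ts, sender, rcpts = parse_line(line)
        q = recent[sender]
        q.append((ts, rcpts))
        rcpt_sum[sender] += rcpts
        while q and ts - q[0][0] > window:     # drop events that fell out of the window
            _, old = q.popleft()
            rcpt_sum[sender] -= old
        if sender in alerted:
            continue
        if len(q) >= max_msgs or rcpt_sum[sender] >= max_rcpts:
            alerted.add(sender)
            alerts.append({
                "sender": sender,
                "time": ts.isoformat(),
                "msgs": len(q),
                "rcpts": rcpt_sum[sender],
                "off_hours": is_off_hours(ts),     # True -> page on-call instead of e-mailing the queue
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

In the constructed log the recipient threshold fires after the fifth burst message (210 recipients in 40 seconds), long before the message-count threshold would, which is the behaviour you want against 40-50-recipient spam: the damage is in recipients per minute, not messages per minute. Suspending outbound sending for the flagged account and forcing a password reset from that alert is what keeps the thousands of messages from going out while the team is off site.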


