Educause Security Discussion mailing list archives

Re: Phishing, compromised account and SPAM


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 3 Apr 2014 12:35:03 +0000

Joseph makes a good point, but there is an alternative.  We, too, found it ineffective to try to teach the masses at, 
say, orientation gatherings or dept staff meetings.

What has worked is to give them the information when it is relevant - when they have just received a phish message.

When an "Internet Skeptic" reports a phish message, we check our email logs to see who else got it.  Then we send the 
recipients a followup warning, identifying the message, explaining how the scam was presented, and providing 
instructions for recovering their password if they were fooled.  We conclude with an invitation to "become an Internet 
Skeptic" and forward future messages to us.  Successful use of a phished account dropped way down because the password 
was generally changed in time.  And people more safely became "once fooled, twice shy".

Once that program gained ground, we began to recognize the free web form services that were being used by phishers.  
That started with google spreadsheet forms but has moved on through a succession of other services.  We eventually 
figured out how to configure our email filter (Cisco Ironports) to flag short email messages containing a link to one 
of those services.  Those messages get an explanatory warning added at the top.

We discover, by one of those two methods, between one and two dozen separate phish attacks PER DAY now and we have 
maybe a couple successful uses of phished accounts per year.

Here's our log of phish attacks in a Google docs spreadsheet:
https://docs.google.com/spreadsheet/ccc?key=0AlMnxApOMKl_dEhVa3RCRG5uclVZNFZrY3hOSmFpaUE&usp=sharing

And here's our list of free web form services that we watch for:
https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/



Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
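The "short message with a link to a watched form service" rule described above, as an added Python illustration rather than USU's Ironport configuration; the domain watch list, the length threshold and the two sample messages are constructed for this example.

```python
"""Flag short messages that link to a watched free web-form service.

Added example modelled on the filter rule the post describes; it is not
USU's filter.  Watch list, length threshold and samples are made up.
"""
import re

# Constructed watch list (the real one is maintained on the USU page linked above).
FORM_SERVICE_DOMAINS = {
    "docs.google.com",           # Google spreadsheet forms, named in the post
    "forms.example-forms.test",  # placeholder for another hosted-form service
}
MAX_WORDS = 80  # what counts as a "short" message; made-up threshold
WARNING = ("*** WARNING: this short message links to a free web-form service "
           "that phishers often use to collect passwords.  IT will never ask "
           "you to enter your password in a form like this. ***\n\n")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def linked_form_services(body):
    """Return the watched domains linked from the message body (subdomains count)."""
    hits = set()
    for host in URL_RE.findall(body):
        host = host.lower()
        for domain in FORM_SERVICE_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    return sorted(hits)

def is_short(body):
    return len(body.split()) <= MAX_WORDS

def should_flag(body):
    """Short body plus a link to a watched form service triggers the rule."""
    return is_short(body) and bool(linked_form_services(body))

def annotate(body):
    """Prepend the explanatory warning when the rule fires, else pass the body through."""
    return WARNING + body if should_flag(body) else body

# Constructed samples: a typical credential phish and a long, legitimate notice.
PHISH = ("Your mailbox has exceeded its quota. Verify your account within 24 hours at\n"
         "https://docs.google.com/spreadsheet/viewform?formkey=EXAMPLE or it will be closed.")
NEWSLETTER = ("Campus IT newsletter. " * 60 +
              "RSVP for the brown-bag session: https://docs.google.com/spreadsheet/viewform?formkey=RSVP")
```

The long newsletter links to the same service but is not flagged, which is the point of the length check: the rule targets the terse "verify your account" style message rather than every link to the service.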


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Joseph Tam [tam () MATH UBC CA]
Sent: Thursday, April 03, 2014 2:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Phishing, compromised account and SPAM

Rob Tanner <rtanner () LINFIELD EDU> writes:

We are seeing an increase in phishing expeditions as well as a more significant
increase in those who fall for them and give their password away.  We've tried
everything we can think of to educate faculty and staff to the fact that ITS
never, ever asked them to revalidate their account by entering their username
and password.

The problem I see with most educational campaigns is that they tend to
preach to the converted.  The people most prone to succumbing are
unaware they are susceptible, and don't go through training since they
think they are immune.

I've been eyeball to eyeball to new users explaining what fraud is and
how our IT staff will never ask for password, blah blah, and they nod
up and down in agreement, but they don't know what they don't know.
When presented with an actual phish, their consciousness doesn't trigger
the technical knowledge they have since it never occurred to them that
it is relevant.

When I do a forensic interview afterwards, and when you get them to pay
attention, they sheepishly see it as the obvious fraud it is.  That is
where the gap is: skeptical attitude that leads to recognition, not the
technical description of phish.

There is too much emphasis put on describing superficial characteristics
of fraud, and not enough to promote skepticism.  Unfortunately, this is
hard to teach.

But it still continues to happen and it looks like what folks are after is an
account they can send SPAM through.  If it's in the middle of a week-day we
catch it pretty early, but evenings and especially week-ends, thousands of
email messages with between 40 and 50 recipients each are sent out before we
can kill it.  So, we are constantly getting on blacklists.

Automated rate limiting can help here.  I am currently adding AUTH/SMTP
tracking and disable accounts that send over a threshold.  Our webmail
system already employs this and has on numerous occasions stopped a
compromised account cold.

"Banks, Teresa E - (tbanks)" <tbanks () EMAIL ARIZONA EDU> writes:

We have devoted a lot of printed materials to the issue, warnings, awareness
presentations, etc.

Our last newsletter was completely dedicated to phishing.  You can find it
at hxxp://security.arizona.edu/securecat-courier.

More preaching to the converted.  The ones to worry about are the ones *not*
thinking this applies to them.

From:    JR Ramirez <jrramirez30 () GMAIL COM>

My organization uses the Proofpoint e-mail gateway.  All potential phish
URLs are re-written and re-directed through Proofpoint's servers.  Valid
sites would be accessible; links detected as malicious would be filtered
and users would be prompted with a Proofpoint-branded landing page.  This
typically happens within a couple of hours of detection.  This helps to
protect both internal and external users who click on phish links via their
phones.  This has also cut down on the number of account compromises
dramatically; we dropped from an average of 15 compromises per month to
zero.

Rather invasive, but I can see where it gives enough of a pause for people
to engage their brain.  It won't work in that critical first few hours,
*or* if they forward mail out of your network.  I sometimes catch users
via DNS query logs to the phish sites.

We have also taken the somewhat extreme step of blocking the whole country
of Nigeria from accessing our OWA web server since this has been the main
source of phish attacks for the past two years.

As I have for inbound mail.  Country of origin login checks are also useful.

From:    Mally Mclane <mally.mclane () BRISTOL AC UK>

I think  a problem we have (without any evidence to back it up..) that we
promoted Postini and Gmail to be so good at blocking things that when stuff
does get through, it's almost viewed by some as genuine, because it wasn't
blocked...

Yes, I agree.  The irony of spam filtering is that the better they get,
the more oblivious your mail users get.  I've joked that the best method
to phish-proof users is to hose them with all the phish they can stand
for the first month they get their Email account.  They will come to
the natural conclusion that they can't all be true, and maybe none of
them are.  Immunity by exposure.

From:    "Pollock, Joseph" <PollockJ () EVERGREEN EDU>

Many spams are caught by our Ironport, and nearly 90% of inbound traffic is
blocked based on sender reputation.

Unfortunately, that's one reason why they target educational accounts.
They usually have good reputation and speedy networks.  Once they get
a compromised account, they use it to send more phish to .edu sites
since it is unlikely to be blacklisted, and round and round it goes.
(update*.info ring a bell?)

Another method I haven't seen mentioned is to run a phish sting campaign.
By that, I mean to deliberately send fraudulent Email to your user base
enticing them to divulge information to a site you control.  This has the
benefit that it directly exposes those who are susceptible to becoming
victims, you can deliver your online training right then and there and
maybe followup with more intensive training or educational efforts.

Joseph Tam <tam () math ubc ca>
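The AUTH/SMTP rate-limit check Joseph describes (count authenticated submissions per account and flag any that exceed a threshold), as an added Python example that is not his tooling; the log lines are constructed in the Postfix "sasl_username=" style and the threshold and window are made-up policy values.

```python
"""Per-account outbound rate check over SMTP AUTH log lines.

Added example, not the poster's own tooling.  Log lines are constructed
in the Postfix 'sasl_username=' style; threshold and window are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# e.g. "Apr  3 02:10:11 mx postfix/smtpd[991]: 1A2B3C: client=..., sasl_username=alice"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"\S+: client=.*sasl_username=(?P<user>\S+)")

def parse_auth_events(lines, year=2014):
    """Yield (timestamp, user) for each authenticated submission; other lines are skipped."""
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"]

def accounts_over_threshold(lines, threshold=25, window_seconds=600):
    """Return {user: time the account first exceeded `threshold` sends within `window_seconds`}."""
    recent = defaultdict(deque)   # per-user timestamps inside the sliding window
    flagged = {}
    for ts, user in sorted(parse_auth_events(lines)):
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop sends that fell out of the window
        if len(q) > threshold and user not in flagged:
            flagged[user] = ts    # in production: disable the account and alert
    return flagged

# Constructed log: alice sends a couple of messages; bob's account bursts 30 in five minutes.
SAMPLE_LOG = [
    "Apr  3 02:10:11 mx postfix/smtpd[991]: 1A2B3C: client=lab.example[10.0.0.5], sasl_method=LOGIN, sasl_username=alice",
    "Apr  3 02:11:00 mx postfix/qmgr[500]: 1A2B3C: from=<alice@example.edu>, size=2048, nrcpt=3 (queue active)",
    "Apr  3 02:15:42 mx postfix/smtpd[991]: 4D5E6F: client=lab.example[10.0.0.5], sasl_method=LOGIN, sasl_username=alice",
] + [
    f"Apr  3 02:{20 + i // 6:02d}:{(i % 6) * 10:02d} mx postfix/smtpd[991]: B{i:04d}: "
    f"client=unknown[203.0.113.9], sasl_method=LOGIN, sasl_username=bob"
    for i in range(30)
]

if __name__ == "__main__":
    print(accounts_over_threshold(SAMPLE_LOG))  # {'bob': datetime(2014, 4, 3, 2, 24, 10)}
```

A sliding window rather than a daily total is what lets this catch the evening and weekend bursts the thread complains about before the queue is full of spam.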

