IDS mailing list archives

RE: Detecting phishing scams on wire


From: "Mike Barkett" <mbarkett () nfr com>
Date: Tue, 6 Dec 2005 23:57:24 -0500


I've been chipping away at the same concept for a while in my spare time, in
hopes of creating a safe and reliable phishing package for NFR's IPS product
line.  The biggest trouble with the reverse lookup is that it creates a
covert channel.

However, all is not lost; reverse lookup is not the only dead giveaway that
the phishermen are casting their lures into your network.  Here are some
others:

1. Received: header traces back to a domain different than the sender
2. MTA is a known open relay
3. Message body contains certain keywords, like "account" and "suspended"
and "update"
4. Message subject contains same keywords
5. <A HREF="some URL at one domain">http://a legitimate looking, but
different URL at a different domain</A> contained in the message body.
6. onMouseOver() and/or onMouseOut() java calls contained in message body

The reverse lookup is #1, but not the only one.  Also, a lot can be learned
from SPAM prevention software such as SpamAssassin.  Now of course, how much
Bayesian CPU scratching you want to do in real-time with your IPS is up to
you, but if you ask me, that level of inspection is probably best left to
the mail servers and other non-inline devices.  Actually, most of this is
better achieved with a good mail server, but alas, most people don't run
good mail servers.

Numbers 2-6 can be done by a talented IPS with very little drag on
performance, but unfortunately #1 is worth the most points.  (Here's the NFR
plug.)  NFR's patent-pending Confidence Indexing (TM) is actually perfect
for this situation.  Basically, each criterion would be worth a confidence
value, and the total confidence value of a message would determine whether
that SMTP/POP3/IMAP connection is prevented or not.  If I can figure out how
to do #1 without creating a covert channel or compromising the stealth
positioning of our IPS appliance, then I will have a great start toward a
silver bullet that reliably kills phishing on the wire.  Which IPS are you
working with?

-MAB

--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512 

-----Original Message-----
From: vulnerabilty () gmail com [mailto:vulnerabilty () gmail com]
Sent: Tuesday, December 06, 2005 1:43 AM
To: focus-ids () securityfocus com
Subject: Detecting phishing scams on wire

I am working on IPS signatures to detect phishing scams on wire.
The points in my mind are:
IPS should have the capability to validate the IP addresses using reverse lookup
or by maintaining a list of blacklisted IPs.
To check SSL validation for commercial sites on wire to prevent URL
spoofing.
I would appreciate your comments and suggestions.

thanks in advance
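As an added illustration of the six criteria and the per-criterion confidence scoring described in Barkett's reply above (example code written for this archive page, not NFR's product code and not anything posted in the thread), the following Python scores two constructed messages against all six checks and sums a weight for each hit. The weights, threshold, open-relay list and both sample messages are assumptions; criterion #1 is evaluated only from the Received: and From: headers already on the wire, so no live reverse lookup (and no covert channel) is involved.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed weights per criterion; the post names no numbers.
WEIGHTS = {
    "received_mismatch": 40,  # #1 Received: host domain differs from sender domain
    "known_open_relay": 20,   # #2 relaying MTA is on an open-relay list
    "body_keywords": 10,      # #3 body contains the telltale keywords
    "subject_keywords": 10,   # #4 subject contains the same keywords
    "anchor_mismatch": 30,    # #5 displayed URL domain differs from href domain
    "mouse_handlers": 15,     # #6 onMouseOver/onMouseOut handlers in the body
}
THRESHOLD = 50                # assumed: total at or above this blocks the connection
KEYWORDS = ("account", "suspended", "update")
OPEN_RELAYS = {"192.0.2.10"}  # constructed stand-in for an open-relay blacklist

# Constructed sample messages (documentation-range addresses, not real captures).
PHISH_SAMPLE = """Received: from mail.example-relay.test ([192.0.2.10]) by mx.victim.test
From: "Bank Support" <support@bank.example>
Subject: Your account has been suspended - update now
Content-Type: text/html

<html><body>
<p>Your account is suspended. Please update your details.</p>
<a href="http://203.0.113.5/login" onMouseOver="window.status='https://www.bank.example/'; return true;">https://www.bank.example/secure/login</a>
</body></html>
"""

LEGIT_SAMPLE = """Received: from mail.bank.example ([198.51.100.7]) by mx.victim.test
From: "Bank Statements" <statements@bank.example>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for November is available when you next log in.
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels (naive; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_received(header):
    """Return (from_host, from_ip) out of one Received: header; None where absent."""
    host = re.search(r"from\s+([\w.-]+)", header, re.I)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def received_mismatch(msg):
    """#1: outermost Received: host belongs to a different domain than From:."""
    received = msg.get_all("Received") or []
    _, sender = parseaddr(msg.get("From", ""))
    if not received or "@" not in sender:
        return False
    host, _ = parse_received(received[0])
    return bool(host) and registered_domain(host) != registered_domain(sender.split("@", 1)[1])


def known_open_relay(msg):
    """#2: any hop in the Received: chain is on the relay blacklist."""
    return any(parse_received(h)[1] in OPEN_RELAYS for h in msg.get_all("Received") or [])


def keyword_hits(text):
    """#3/#4: which of the telltale keywords appear in the text."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


ANCHOR_RE = re.compile(r'<a\s[^>]*href\s*=\s*["\']?([^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
MOUSE_RE = re.compile(r"on(?:mouseover|mouseout)\s*=", re.I)


def anchor_mismatch(html):
    """#5: link text that looks like a URL but points at a different domain."""
    for href, shown in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if not re.match(r"https?://", shown, re.I):
            continue
        if registered_domain(urlparse(href).hostname or "") != registered_domain(urlparse(shown).hostname or ""):
            return True
    return False


def text_parts(msg):
    """Concatenate the text/* parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")


def score_message(raw):
    """Apply all six criteria; return (hits by criterion, total confidence, block decision)."""
    msg = message_from_string(raw)
    body = text_parts(msg)
    hits = {
        "received_mismatch": received_mismatch(msg),
        "known_open_relay": known_open_relay(msg),
        "body_keywords": len(keyword_hits(body)) >= 2,
        "subject_keywords": len(keyword_hits(msg.get("Subject", ""))) >= 2,
        "anchor_mismatch": anchor_mismatch(body),
        "mouse_handlers": bool(MOUSE_RE.search(body)),
    }
    total = sum(WEIGHTS[k] for k, hit in hits.items() if hit)
    return hits, total, total >= THRESHOLD


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        hits, total, blocked = score_message(sample)
        print(name, total, "BLOCK" if blocked else "pass", [k for k, v in hits.items() if v])
```

The per-criterion weights are the tunable part: #1 carries the most, as the post argues, and the two keyword checks alone never reach the threshold, so a legitimate "update your account" notice is not blocked on wording alone. Replacing the naive two-label domain collapse with a public-suffix list is the first change a production version would need.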



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

