IDS mailing list archives
RE: Detecting phishing scams on wire
From: "Mike Barkett" <mbarkett () nfr com>
Date: Tue, 6 Dec 2005 23:57:24 -0500
I've been chipping away at the same concept for a while in my spare time, in hopes of creating a safe and reliable phishing package for NFR's IPS product line. The biggest trouble with the reverse lookup is that it creates a covert channel. However, all is not lost; reverse lookup is not the only dead giveaway that the phishermen are casting their lures into your network. Here are some others:

1. Received: header traces back to a domain different than the sender
2. MTA is a known open relay
3. Message body contains certain keywords, like "account" and "suspended" and "update"
4. Message subject contains same keywords
5. <A HREF="some URL at one domain">http://a legitimate looking, but different URL at a different domain</A> contained in the message body.
6. onMouseOver() and/or onMouseOut() java calls contained in message body

The reverse lookup is #1, but not the only one. Also, a lot can be learned from SPAM prevention software such as SpamAssassin. Now of course, how much Bayesian CPU scratching you want to do in real-time with your IPS is up to you, but if you ask me, that level of inspection is probably best left to the mail servers and other non-inline devices. Actually, most of this is better achieved with a good mail server, but alas, most people don't run good mail servers. Numbers 2-6 can be done by a talented IPS with very little drag on performance, but unfortunately #1 is worth the most points.

(Here's the NFR plug.) NFR's patent-pending Confidence Indexing (TM) is actually perfect for this situation. Basically, each criterion would be worth a confidence value, and the total confidence value of a message would determine whether that SMTP/POP3/IMAP connection is prevented or not. If I can figure out how to do #1 without creating a covert channel or compromising the stealth positioning of our IPS appliance, then I will have a great start toward a silver bullet that reliably kills phishing on the wire.

Which IPS are you working with?
-MAB
--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering (www.nfr.com)
+1.240.632.9000 Fax: +1.240.747.3512
-----Original Message-----
From: vulnerabilty () gmail com [mailto:vulnerabilty () gmail com]
Sent: Tuesday, December 06, 2005 1:43 AM
To: focus-ids () securityfocus com
Subject: Detecting phishing scams on wire

I am working on IPS signatures to detect phishing scams on wire. The points in my mind are:

IPS should have the capability to validate the IP addresses using reverse lookup or by maintaining a list of blacklisted IPs.

To check SSL validation for commercial sites on wire to prevent URL spoofing.

I would appreciate your comments and suggestions. Thanks in advance.
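Criteria 1 and 3-6 from Mike Barkett's reply, combined into the per-criterion confidence scoring he describes, as an added example; this is not code from the thread or from NFR's product, and the weights, threshold, hostnames and addresses are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed weights for this demo; they are not NFR's Confidence Indexing values.
WEIGHTS = {"received_mismatch": 40, "body_keywords": 15, "subject_keywords": 15,
           "href_mismatch": 35, "mouse_handler": 20}
THRESHOLD = 60          # prevent the SMTP/POP3/IMAP delivery at or above this score
KEYWORDS = ("account", "suspended", "update")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.I)

def domain(host):
    # Crude last-two-labels comparison (no public-suffix list); enough for this demo
    return ".".join(host.lower().strip("[]").split(".")[-2:])

def analyze(raw):
    # Score one raw RFC 822 message; returns (score, list of triggered criteria)
    msg, hits = message_from_string(raw), []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    # 1. Topmost Received: (the last hop) names a domain other than the From: domain
    received = msg.get_all("Received") or []
    hop = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    if hop and domain(hop.group(1)) != domain(sender_host):
        hits.append("received_mismatch")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    # 3./4. The keyword trio in the body, any of them in the subject
    if all(k in body.lower() for k in KEYWORDS):
        hits.append("body_keywords")
    if any(k in msg.get("Subject", "").lower() for k in KEYWORDS):
        hits.append("subject_keywords")
    # 5. Anchor text shows a URL on one domain while its href goes somewhere else
    for a in ANCHOR_RE.finditer(body):
        shown, real = HOST_RE.search(a.group("text")), HOST_RE.search(a.group("href"))
        if shown and real and domain(shown.group(1)) != domain(real.group(1)):
            hits.append("href_mismatch")
            break
    # 6. onMouseOver()/onMouseOut() handlers in the body
    if re.search(r"onmouse(over|out)\s*=", body, re.I):
        hits.append("mouse_handler")
    return sum(WEIGHTS[h] for h in hits), hits

def should_prevent(raw):
    return analyze(raw)[0] >= THRESHOLD

# Constructed sample lure (documentation/test hostnames and addresses only)
LURE = """Received: from mail.example-relay.test ([192.0.2.10]) by mx.example.org
From: "Example Bank" <security@example-bank.test>
Subject: Your account has been suspended
Content-Type: text/html

<p>Your account has been suspended. Please update your details:
<a href="http://203.0.113.5/login" onMouseOver="window.status='https://www.example-bank.test/';return true">https://www.example-bank.test/secure</a>
"""
```

Criterion 2 (known open relay) is omitted because it needs an external relay list; the inline checks are the ones the reply says an IPS can run cheaply.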
Current thread:
- Detecting phishing scams on wire vulnerabilty (Dec 05)
- Re: Detecting phishing scams on wire Matt . Carpenter (Dec 10)
- RE: Detecting phishing scams on wire Mike Barkett (Dec 10)