Educause Security Discussion mailing list archives

Re: Small cheap custom phishing


From: Albert Lunde <atlunde () PANIX COM>
Date: Wed, 13 Nov 2013 08:23:45 -0600

I think somewhat larger .edu institutions and .com ISPs have been hit by customized phishing attacks routinely for some time, it may be a matter of someone looking for new targets. General measures that may help:

1) Many of our automated mailings go out with a disclaimer that we (IT support) won't ask people for their username and password: this needs to be carefully worded.

2) Publicize the threat of phishing. Have a rogues gallery of actual phishing messages that have been received (removing victim names and e-mails if any). Link to third-party resources.

3) Use a WebSSO and/or federated authentication scheme to reduce the number of different contexts people have to log in with their local username and password. (e.g. CAS, OpenAM, Shibboleth)

4) Clean house locally to reduce the number of mailings that look like phishing. It's unfortunately true that semi-automated messages tend to have "click here" links. Forcing people to actually type https:// URLs for a few well-known pages on your web site or portal is a security measure of a sort.

5) Reduce appeals to authority, where the presence of, say, a university logo in a mail is intended to convey the importance of a message.

Avoid sending HTML email for security-sensitive messages. Send messages like account expirations as plain text or MIME quoted-printable paragraphs with text URLs rather than HTML links. Sign automated messages with PGP or S/MIME signatures.

6) Run a fake-phishing "gotcha" campaign, where people receive a warning rather than malware.
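As an added example (not from the post or the list), a small Python linter that checks an outgoing notification against points 4 and 5 above: it flags an HTML part, inline logo images, "click here" links, and the absence of a PGP/MIME or S/MIME signature layer. The sample message is constructed.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample of a semi-automated notice (not a real message).
SAMPLE = b"""\
Subject: Your account will expire
Content-Type: text/html; charset="us-ascii"

<img src="cid:logo"><p>Your account expires soon.
<a href="https://portal.example.edu/renew">Click here</a> to renew.</p>
"""

class _HtmlScan(HTMLParser):
    """Collect (href, visible text) for each anchor and count inline images."""
    def __init__(self):
        super().__init__()
        self.anchors, self.images, self._href, self._buf = [], 0, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._buf).strip()))
            self._href = None

def lint_notification(raw: bytes) -> list[str]:
    """Return the traits of an outgoing notice that make it look like phishing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # PGP/MIME and S/MIME signatures wrap the message in one of these types.
    if msg.get_content_type() not in ("multipart/signed", "application/pkcs7-mime"):
        findings.append("unsigned: no PGP or S/MIME signature layer")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings.append("html: message carries an HTML part")
        scan = _HtmlScan()
        scan.feed(html_part.get_content())
        if scan.images:
            findings.append(f"logo: {scan.images} inline image(s)")
        for href, text in scan.anchors:
            if "click here" in text.lower():
                findings.append(f"click-here link: {href}")
    return findings
```

Run it over the templates of your automated mailers; a clean plain-text, signed notice produces no findings.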
