Educause Security Discussion mailing list archives
Spear phishing regex ideas
From: "Hall, Rand" <hallr () MERRIMACK EDU>
Date: Thu, 3 Apr 2014 14:22:42 -0400
A successful spear phishing campaign at a local institution got me playing with a regex to alert on 3 types of domain name monkey business often seen in targeted campaigns like those mentioned here http://msisac.cisecurity.org/daily-tips/university-direct-deposit.cfm.

Links with no dot before the domain name: http://www.my-company.com
Links with domain name crap after the domain name: http://www.company.com-IT.com
Links that turn your domain into a subdomain: https://www.company.com.index.ph

The following pretty much does the trick. Your users will do the darnedest things with your domain name! You'll definitely want to monitor this for false positive tuning...but I'm not getting many.

(?:(?:https?:\/\/)(?:[0-9a-z\.\-_\%]*?)(?:[^\.]))(?:(?:company\.com)|(?:(?:\.company\.com)(?:[^:\./\s\!\\?\>"]))|(?:(?:\.company\.com(?:[\.])(?:[^\s\/]))))

Rand

Rand P. Hall
Director, Network Services
askIT! Merrimack College
978-837-3532
rand.hall () merrimack edu

If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. - Einstein
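Added example (not from the post above): the posted regex wrapped in a small Python checker that runs it over a constructed message and reports each link that trips one of the three cases, plus a deliberately legitimate pair that must stay quiet. The helper names (build_pattern, find_lookalikes) and the parameterised domain are assumptions; the regex body is the one from the post with only the literal domain substituted.

```python
import re


def build_pattern(domain: str) -> re.Pattern:
    """Compile the posted pattern for a given institutional domain.

    Hypothetical helper: the regex body is the one from the post, with the
    literal company.com replaced by the escaped `domain` argument.
    """
    d = re.escape(domain)
    pattern = (
        # scheme, then a lazy run of hostname characters ending in a non-dot
        r"(?:(?:https?:\/\/)(?:[0-9a-z\.\-_\%]*?)(?:[^\.]))"
        # 1. no dot before the domain:     http://www.my-company.com
        r"(?:(?:" + d + r")"
        # 2. junk glued on after it:        http://www.company.com-IT.com
        r"|(?:(?:\." + d + r")(?:[^:\./\s\!\\?\>\"]))"
        # 3. domain turned into subdomain:  https://www.company.com.index.ph
        r"|(?:(?:\." + d + r"(?:[\.])(?:[^\s\/]))))"
    )
    return re.compile(pattern)


def find_lookalikes(domain: str, text: str) -> list[str]:
    """Return each URL in `text` that trips the pattern.

    The regex only has to match the suspicious prefix, so each match is
    widened to the next whitespace so the alert shows the whole link.
    """
    hits = []
    for m in build_pattern(domain).finditer(text):
        end = m.end()
        while end < len(text) and not text[end].isspace():
            end += 1
        hits.append(text[m.start():end])
    return hits


# Constructed sample message: the three bad links mirror the post's cases,
# the last line holds two legitimate links that must not fire.
SAMPLE_EMAIL = """\
Update your direct deposit at http://www.my-company.com/payroll today.
IT portal: https://www.company.com-IT.com/login
Legacy login: https://www.company.com.index.ph/auth
Real links: https://www.company.com/hr and http://mail.company.com
"""

if __name__ == "__main__":
    for hit in find_lookalikes("company.com", SAMPLE_EMAIL):
        print("ALERT:", hit)
```

The posted character class is lowercase only, so pass re.IGNORECASE to re.compile if your mail path preserves hostname case; a name such as company.community.org also trips case 2 and is the kind of false positive the post says to tune for.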