Full Disclosure mailing list archives
Re: FW: Are consumers being misled by "phishing"?
From: "Chris Umphress" <umphress () gmail com>
Date: Fri, 30 Jun 2006 02:07:43 -0700
On 6/29/06, Josh L. Perrymon <joshuaperrymon () gmail com> wrote:
> Most companies believe that blocking HTML in email handicaps emails' effectiveness.. (screw the newsletters.. put it on a website)
Hehe, agree with you there.
> Network Protection: I believe that it's possible to develop "widgets" to alert on this type of directed phishing attack. First you have to have the ability to monitor all email traffic. This shouldn't piss off legal because all users should have already signed off on this.
MmmHmm. Enter 1984.
> The most effective would be to monitor all known public email addresses, including "planted" email addresses placed in forums and webpages to be harvested. This would provide a greater % that traffic sent to those addresses is directed attacks.. (like an email honeypot :)
Planted e-mail addresses are an old idea. And so are e-mail honeypots. Link: http://wiki.apache.org/spamassassin/ReportingMboxesToRazor I also found a forum recently (sorry, don't remember the link) where somebody took the IP address of visitors to his site and encrypted it into a unique e-mail address so that he could learn the IPs of spam bots.
> It should be easy to develop an analysis to pick up on standard phishing emails. You would look for anchors/links with IP addresses that resolve outside of the "known-whitelisted" address list. This should at least alert and place the email in a second-level queue for analysis. You could also do some type of grep on the email link looking for company X verbiage.
So... anything that doesn't match the whitelist gets tested against the blacklist? :) Having a more strict filter for users who aren't in the user's address book is (IMO) one of the best ways, but that relies more on the end user than on the company's sys admin.
> M$ phishing filter may even be USEFUL (almost....). So using the methods above you would have a system to alert on potential phishing attacks, scanning all emails or preferably only public emails, including "planted" ones. The widget performs analysis to determine if the email is a phishing attack.
Thunderbird does some analysis in this area already. It's probably closely related to the junk filters, but the phishing mails generally find their way to the Junk or Trash folder before being opened on this end, so I don't know a lot about it.
> This process could be automated to perform the whois and so on… So now we should have determined the IP or block for the hosted phishing site. We can use something like M$ phishing filter: send it the new whitelisted IP address of the phishing site and the browser should block the site. If the widget monitors all emails coming into the company then it should have the ability to do some trending of who received certain emails.. sorted on subjects for instance. Once you found the phishing email you would have a known list of all email addresses that received the email once the attack has been spotted.
Performing thousands of WHOIS lookups per day for a medium-sized business might be a little pricey for the purpose. There are tools (like SpamAssassin) to filter out spam messages -- even commercial programs, but from what I hear, none of them is at 100% efficiency. Hey, AOL is even charging to be on their "white list."

"The widget" might be useful for companies where all e-mail is only accessible from a web interface (and e-mail can be deleted from the local mbox file later), but generally you don't argue with the CEO when he says he wants to use XYZ e-mail client while he is travelling. Some of the employees, or worse, management, will see these e-mail messages on occasion. This means that there would either have to be a delayed delivery system for incoming e-mail, or the e-mail clients will have to have an understanding of phishing -- and if that were the case, then "the widget" should have caught it anyway. The user still has to be educated.

My solution is simple. We have deer season, rabbit season, and tourist season. Start a spammer season!

--
Chris Umphress <http://daga.dyndns.org/>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
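The link analysis Josh sketches above (flag anchors whose host is a raw IP address or falls outside a known-whitelisted list, and grep the link for company wording) as an added Python example; it is not code from either poster. It compares the link's host name against a domain whitelist rather than resolving it to an IP so that it runs offline, and example-bank.com, 192.0.2.10, evil.test and the sample mail body are constructed for the demonstration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_email_html(html, whitelist, company_terms):
    """Return (href, reason) pairs that should send the mail to a second-level review queue."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        host = (urlparse(href).hostname or "").lower().rstrip(".")
        if not host:
            continue  # mailto:, relative links and the like are not external
        if _is_literal_ip(host):
            findings.append((href, "link host is a literal IP address"))
        elif any(host == d or host.endswith("." + d) for d in whitelist):
            continue  # known-good host: nothing to report
        else:
            findings.append((href, "link host outside whitelist"))
        if any(t in (text + " " + href).lower() for t in company_terms):
            findings.append((href, "company wording on untrusted link"))
    return findings

# Constructed sample (not from the thread): a real link, a literal-IP link, and a look-alike host.
SAMPLE = ('<p>Dear customer,</p><a href="https://www.example-bank.com/">Home</a>'
          '<a href="http://192.0.2.10/login">Verify your Example Bank account</a>'
          '<a href="http://example-bank.com.evil.test/">www.example-bank.com</a>')
WHITELIST, COMPANY_TERMS = ["example-bank.com"], ["example bank", "example-bank"]
```

Running `analyze_email_html(SAMPLE, WHITELIST, COMPANY_TERMS)` leaves the real link alone and reports the other two twice, once for the untrusted host and once for the company wording.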