Date: Fri Jun 30 10:08:03 2006
From: umphress at gmail.com (Chris Umphress)
Subject: FW: Are consumers being misled by "phishing"?

On 6/29/06, Josh L. Perrymon <joshuaperrymon@...il.com> wrote:
> Most companies believe that blocking HTML in email handicaps email's
> effectiveness.. ( screw the newsletters.. put it on a website )

Hehe, agree with you there.

> Network Protection:
> I believe that it's possible to develop "widgets" to alert on this type of
> directed phishing attacks. First you have to have the ability to monitor all
> email traffic. This shouldn't piss off legal because all users should have
> already signed off on this.

MmmHmm. Enter 1984.

> The most effective would be to monitor all known public email addresses.
> Including "planted" email addresses placed in forums and webpages to be
> harvested. This would provide a greater % that traffic sent to those
> addresses are directed attacks.. (Like an Email Honeypot :)

Planted e-mail addresses are an old idea. And so are e-mail honeypots.
Link: http://wiki.apache.org/spamassassin/ReportingMboxesToRazor

I also found a forum recently (sorry, don't remember the link) where
somebody took the IP address of visitors to his site and encrypted it into
a unique e-mail address so that he could learn the IPs of spam bots.

> It should be easy to develop an analysis to pick up on standard phishing
> emails. You would look for Anchors / links with IP addresses that resolve
> outside of the "known-whitelisted" address list. This should at least
> alert and place the email in a second level queue for analysis. You could
> also do some type of grep on the email link looking for company X verbiage.

So... anything that doesn't match the whitelist gets tested against the
blacklist? :)

Having a more strict filter for users who aren't in the user's address book
is (IMO) one of the best ways, but that relies more on the end user than on
the company's sys admin.

> M$ Phishing filter may even be USEFUL ( Almost.... )
>
> So using the methods above you would have a system to alert on potential
> phishing attacks scanning all emails or preferably only public emails
> included "planted" ones.
>
> The widget performs analysis to determine if the email is a phishing
> attack.

Thunderbird does some analysis in this area already. It's probably closely
related to the junk filters, but the phishing mails generally find their
way to the Junk or Trash folder before being opened on this end, so I don't
know a lot about it.

> This process could be automated to perform the whois so on? So now we
> should have determined the IP or block for the hosted phishing site. We can
> use something like M$ phishing filter. Send it the new whitelisted IP
> address of the phishing site and the browser should block the site. If the
> widget monitors all emails coming into the company then it should have the
> ability to do some trending of who received certain emails.. sorted on
> subjects for instance. Once you found the phishing email you would have a
> known list of all email addresses that received the email once the attack
> has been spotted.

Performing thousands of WHOIS lookups per day for a medium-sized business
might be a little pricey for the purpose.

There are tools (like SpamAssassin) to filter out spam messages -- even
commercial programs, but from what I hear, none of them is at 100%
efficiency. Hey, AOL is even charging to be on their "white list."

"The widget" might be useful for companies where all e-mail is only
accessible from a web interface (and e-mail can be deleted from the local
mbox file later), but generally you don't argue with the CEO when he says
he wants to use XYZ e-mail client while he is travelling. Some of the
employees, or worse, management, will see these e-mail messages on
occasion. This means that there would either have to be a delayed delivery
system for incoming e-mail, or the e-mail clients will have to have an
understanding of phishing -- and if that were the case, then "the widget"
should have caught it anyway. The user still has to be educated.

My solution is simple. We have deer season, rabbit season, and tourist
season. Start a spammer season!

--
Chris Umphress <http://daga.dyndns.org/>
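The detection heuristics the two posters go back and forth on (mail arriving at a planted honeypot address, anchors whose host is a raw IP address or sits outside a known allowlist, and company wording on a link that points somewhere else) written out as a small second-level triage check. This is an added example and not code from either poster or from any product named in the thread; the company name, allowlist, planted address and the two sample message bodies are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, hypothetical company data for the example.
COMPANY_NAME = "ExampleCorp"
ALLOWED_HOSTS = {
    "examplecorp.example",
    "www.examplecorp.example",
    "mail.examplecorp.example",
}
# Addresses seeded on public pages to be harvested; no real user owns them,
# so anything delivered here was sent by something that scraped the address.
PLANTED_ADDRESSES = {"webmaster-h7q@examplecorp.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    """True when the link host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_message(recipients, html_body):
    """Return the list of reasons a message deserves a second look.

    An empty list means none of the heuristics fired. Reasons are plain
    strings so they can be logged or attached as a header by a filter.
    """
    reasons = []

    # Heuristic 1: delivery to a planted (honeypot) address.
    for rcpt in recipients:
        if rcpt.lower() in PLANTED_ADDRESSES:
            reasons.append(f"sent to planted honeypot address {rcpt}")

    # Heuristics 2-4: inspect every anchor in the body.
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname   # None for relative or mailto: links
        if host is None:
            continue
        if _is_ip_literal(host):
            reasons.append(f"link to raw IP address {host}")
            off_site = True
        elif host not in ALLOWED_HOSTS:
            reasons.append(f"link host {host} is outside the allowlist")
            off_site = True
        else:
            off_site = False
        # Only complain about company wording when the link leaves the
        # allowlist; the company's own newsletters stay quiet.
        if off_site and COMPANY_NAME.lower() in text.lower():
            reasons.append(
                f"anchor text mentions {COMPANY_NAME} but points at {host}")
        if off_site and COMPANY_NAME.lower() in href.lower():
            reasons.append(f"link URL contains {COMPANY_NAME} but host is {host}")
    return reasons


# Constructed sample bodies: one lure, one legitimate newsletter.
SAMPLE_PHISH = (
    '<p>Dear customer,</p>'
    '<a href="http://192.0.2.10/examplecorp/login">Log in to ExampleCorp</a>'
)
SAMPLE_LEGIT = '<a href="https://www.examplecorp.example/news">Newsletter</a>'

if __name__ == "__main__":
    for reason in analyse_message(["webmaster-h7q@examplecorp.example"], SAMPLE_PHISH):
        print("flag:", reason)
    print("legit:", analyse_message(["alice@examplecorp.example"], SAMPLE_LEGIT))
```

The function deliberately returns reasons rather than a verdict: as the thread notes, the useful action is to alert and queue the message for analysis, and a filter that knows which heuristic fired can sort that queue (honeypot hits first, then raw-IP links) without doing a WHOIS lookup per message.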