Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Mitigating Phishing Attacks
From: Jason Gates <jasongates () SOUTHERN EDU>
Date: Wed, 14 Nov 2012 20:40:44 +0000

Did the OWA phishing page embed CSS and images from your web server?
In our case it did, so I started looking into "hotlink protection" which is available in IIS7. This would result in the 
phishing page not displaying properly, but obviously the attacker would see this and change things up. I prefer the 
stealthier method, to watch server logs for hotlinking, and then take action from there.

My second idea was to inject javascript in the OWA page, since it appears the attackers screen scraped the login page. 
If the embedded javascript detected that it was loaded from a domain other than ours, it could: scramble the passwords 
entered into the form, request a specific url that would trigger an IDS alert on our network...
Below is what I had come up with, though I think we didn't go that route because the admins didn't like the idea of 
customizing OWA. (I have not tested the script below, use at your own risk)

But like you, I am very interested to see how others solve this problem.

if (window.location.hostname != "www.domain.com") {
    var cc = false;
    var readyStateCheckInterval = setInterval(function () {
        if (document.readyState === "complete") {
            var img = new Image(1, 1);
           img.src = 'http://www.domain.com/idstriggeralert.png?id=&apos; + st_cc(window.location.href);
            document.body.appendChild(img);
            if (cc) {
                document.getElementsByTagName("form")[0].setAttribute('onsubmit', 'return st_ch();');
            }
            clearInterval(readyStateCheckInterval);
        }
    }, 10);
}
function st_ch(e) {
    var text = "";
    var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for (var i = 0; i < Math.floor((Math.random() * 15) + 6); i++) {
        text += possible.charAt(Math.floor(Math.random() * possible.length));
    }
    document.getElementsByName("password")[0].value = text;
    return true;
};

function st_cc(str) {
    var r = "";
    var e = str.length;
    var c = 0;
    var h;
    while (c < e) {
        h = str.charCodeAt(c++).toString(16);
        while (h.length < 3) h = "0" + h;
        r += h;
    }
    return r;
}
--
Jason Gates

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Christopher Jones
Sent: Wednesday, November 14, 2012 3:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mitigating Phishing Attacks

We have experienced a number of targeted phishing attacks recently.  Because the most recent phish led its victims to 
provide their network credentials via a realistic looking OWA logon page, we took the following steps to deal with some 
resultant compromised accounts:


*         immediately reset the passwords for the affected accounts,

*         restarted, the IIS service to stop any active webmail sessions

*         alerted the user community


It got me to wondering how other institutions deal with similar situations where user accounts have been compromised.  
If anyone would care to share, I would be interested how you have handled similar situations. It would be useful to 
know your top 3 strategies for preventing and mitigating such occurrences.  Thanks.


Christopher Jones
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca<mailto:Christopher.Jones () ufv ca>



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault