Educause Security Discussion
mailing list archives
Re: Mitigating Phishing Attacks
From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 14 Nov 2012 22:24:15 +0000
At Utah State U, we have invested a considerable effort in a "Be an Internet Skeptic" campaign which has a significant
focus on phishing. As a result, I have a growing cadre of "Internet Skeptics" who send me any obvious or suspiciously
hazardous email so that I can investigate and, if appropriate, send a followup warning spam to all the recipients. I
also submit abuse notices to the sending host site and link host sites, and may locally DNS blacklist the link host.
I guess the unspoken flip side of "Be an Internet Skeptic" is something like "Don't be Gullible (or worse)". We try
to encourage good behavior rather than discipline poor behavior with this campaign. This effort and the followup
messages have raised awareness broadly so that we don't have too many victims. That's good because we haven't set up
any reliable detection schemes for sudden massive outbound spam. But every new social engineering strategy needs the
explanatory alert messages to be sent to keep recipients well informed.
When we do detect active spamming, we first try to contact the user for an immediate password change. Failing that, we
disable the account. But that only happens about once a year.
Fortunately, we haven't had any OWA clone targeted phish, but we did have one Google spreadsheet form that said it was
"Usu(sic) Webmail Login".
Bob Bayn SER 301 (435)797-2396 IT Security Team
Office of Information Technology, Utah State University
three common hazardous email scams to watch out for:
1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Christopher
Jones [Christopher.Jones () UFV CA]
Sent: Wednesday, November 14, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Mitigating Phishing Attacks
We have experienced a number of targeted phishing attacks recently. Because the most recent phish led its victims to
provide their network credentials via a realistic looking OWA logon page, we took the following steps to deal with some
resultant compromised accounts:
· immediately reset the passwords for the affected accounts,
· restarted the IIS service to stop any active webmail sessions,
· alerted the user community
It got me to wondering how other institutions deal with similar situations where user accounts have been compromised.
If anyone would care to share, I would be interested how you have handled similar situations. It would be useful to
know your top 3 strategies for preventing and mitigating such occurrences. Thanks.
IT Security Analyst
University of the Fraser Valley
Christopher.Jones () ufv ca