Educause Security Discussion
mailing list archives
Re: Small cheap custom phishing
From: Albert Lunde <atlunde () PANIX COM>
Date: Wed, 13 Nov 2013 08:23:45 -0600
I think somewhat larger .edu institutions and .com ISPs have been hit by
customized phishing attacks routinely for some time, it may be a matter
of someone looking for new targets. General measures that may help:
1) Many of our automated mailings go out with a disclaimer that we (IT
support) won't ask people for their username and password: this needs to
be carefully worded.
2) Publicize the threat of phishing. Have a rogues' gallery of actual
phishing messages that have been received (removing victim names and
e-mails if any). Link to third-party resources.
3) Use a WebSSO and/or federated authentication scheme to reduce the
number of different contexts people have to login with their local
username and password. (e.g. CAS, OpenAM, Shibboleth)
4) Clean house locally to reduce the number of mailings that look like
phishing. It's unfortunately true that semi-automated messages tend to
have "click here" links. Forcing people to actually type https:// URLs
for a few well-known pages on your web site or portal is a security
measure of a sort.
5) Reduce appeals to authority, where the presence of, say, a university
logo in a mail is intended to convey the importance of a message.
Avoid sending HTML email for security-sensitive messages. Send messages
like account expirations, as plain text or MIME quoted-printable
paragraphs with text URLs rather than HTML links. Sign automated
messages with PGP or SMIME signatures.
6) Run a fake-phishing "gotcha" campaign, where people receive a warning
rather than malware.
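One way to enforce items 1, 4 and 5 on outbound notification templates before they are sent, as an added example that is not part of the original post or any institution's tooling: a small Python audit that parses an outgoing message and flags an HTML body, "click here" anchors, non-https URLs, a missing credential disclaimer, and the absence of a multipart/signed (PGP or S/MIME) wrapper. The two sample messages, the example.edu addresses, the disclaimer phrase and the placeholder signature are all constructed for illustration; the disclaimer check is a plain substring match, so the phrase itself still needs the careful wording the post asks for.

```python
"""Audit outbound automated mail for phishing look-alike traits.

Constructed example: sample messages, addresses and the disclaimer
phrase are made up; only the checks themselves matter.
"""
import email
import re
from email.message import EmailMessage
from email.policy import default

# Hypothetical disclaimer wording (item 1); tune to your own template.
DISCLAIMER = "will never ask for your password"
CLICK_HERE = re.compile(r"click\s+here", re.IGNORECASE)
HTML_ANCHOR = re.compile(r"<a\s[^>]*href=", re.IGNORECASE)
URL = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s<>\"']+", re.IGNORECASE)


def audit_notification(msg: EmailMessage) -> list[str]:
    """Return sorted, de-duplicated finding codes for one outbound message."""
    findings = set()

    # Item 5: HTML bodies invite logos and disguised links; plain text is safer.
    if msg.get_body(preferencelist=("html",)) is not None:
        findings.add("html_body")

    # Gather every textual part (the signature part is not text/*).
    body = "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )

    # Item 4: "click here" wording and HTML anchors are what phishers use.
    if CLICK_HERE.search(body) or HTML_ANCHOR.search(body):
        findings.add("click_here_link")

    # Item 4: any URL that appears should be a typeable https:// text URL.
    for match in URL.finditer(body):
        if not match.group(0).lower().startswith("https://"):
            findings.add("non_https_url")

    # Item 1: the "we won't ask for your password" disclaimer must be present.
    if DISCLAIMER not in body.lower():
        findings.add("missing_disclaimer")

    # Item 5: signed automated mail arrives as multipart/signed (PGP or S/MIME).
    if msg.get_content_type() != "multipart/signed":
        findings.add("unsigned")

    return sorted(findings)


def audit_raw(raw: str) -> list[str]:
    """Parse an RFC 822 message string and audit it."""
    return audit_notification(email.message_from_string(raw, policy=default))


# Constructed sample: the kind of message item 4 says to clean up.
BAD_MESSAGE = """\
From: it-support@example.edu
To: user@example.edu
Subject: Your account will expire
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p><img src="http://www.example.edu/logo.png">
Your account expires soon.
<a href="http://portal.example.edu/login">Click here</a> to renew.</p>
</body></html>
"""

# Constructed sample: plain text, typeable https URL, disclaimer, signed.
# The PGP signature block is a placeholder, not a real signature.
GOOD_MESSAGE = """\
From: it-support@example.edu
To: user@example.edu
Subject: Your account will expire
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Your account expires on 2013-11-30. To renew, type this address into
your browser: https://portal.example.edu/renew

IT Support will never ask for your password by e-mail.
--sig
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
--sig--
"""

if __name__ == "__main__":
    for name, raw in (("bad", BAD_MESSAGE), ("good", GOOD_MESSAGE)):
        print(name, audit_raw(raw) or "clean")
```

Run it against each template in the outgoing-mail pipeline and refuse to send anything that returns a non-empty list; the bad sample trips all five checks, the good one none.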