Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Small cheap custom phishing
From: Albert Lunde <atlunde () PANIX COM>
Date: Wed, 13 Nov 2013 08:23:45 -0600

I think somewhat larger .edu institutions and .com ISPs have been hit by customized phishing attacks routinely for some time, it may be a matter of someone looking for new targets. General measures that may help:

1) Many of our automated mailings go out with a disclaimer that we (IT support) won't ask people for their username and password: this needs to be carefully worded.

2) Publicize the threat of phishing. Have a rogues gallery of actual phishing messages that have been received (removing victim names and e-mails if any). Link to third-party resources.

3) Use a WebSSO and/or federated authentication scheme to reduce the number of different contexts people have to login with their local username and password. (e.g. CAS, OpenAM, Shibboleth)

4) Clean house locally to reduce the number of mailings that look like phishing. It's unfortunately true that semi-automated messages tend to have "click here" links. Forcing people to actually type https:// URLs for a few well-known pages on your web site or portal is a security measure or a sort.

5) Reduce appeals to authority, where the presence of, say, a university logo in a mail is intended to convey the importance of a message.

Avoid sending HTML email for security-sensitive messages. Send messages like account expirations, as plain text or MIME quoted-printable paragraphs with text URLs rather than HTML links. Sign automated messages with PGP or SMIME signatures.

5) Run a fake-phishing "gotcha" campaign, where people receive a warning rather than malware.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]