phishing sites: local and remote
Jethro R Binks
jethro.binks at strath.ac.uk
Tue Feb 10 21:30:06 GMT 2009
On Tue, 10 Feb 2009, Julian Field wrote:
> Are lots of other people seeing this sort of attack?
> If so, is it worth my while doing something about it?
> I'm not going to start coding for 1 site (sorry David), but if plenty of
> people are seeing this then I could possibly do something.
For what it is worth, we have seen some very targeted spear phishes using
newly registered domains that are "a bit" like ours (last example was
"strath-ac.com"), copying website content from some system (like VLEs etc),
and subsequently having users receive email purportedly from the
administrators of the systems trying to get people to visit the fraudulent
version of the site.
It was so specific and unusual we have reported it (two occasions, last
week and December) to JANET IRT. Any other JANET sites seeing similar
elaborate institutionally-targeted attacks of this nature (rather than
just run of the mill "your webmail is running out of space" generic spear
phish) should please also report them to JANET IRT so they can keep an eye
on the situation.
> On 4/2/09 16:31, David Lee wrote:
> > We try to use MS configs (currently 4.72.5) reasonably close to the
> > distributed version. That includes taking the routine updates to
> > "phishing.bad.sites.conf" and "phishing.safe.sites.conf".
> > Being a university, we are also getting badly hit by spear-phishing attempts
> > against our users. We noticed that some of the incoming bait
> > contained URLs similar to ours. Our true URLs are of the form:
> > http://...durham.ac.uk/...
> > The incoming bait reads:
> > http://...durham.ac.uk.spammer.bad/...
> > (Real life pattern-matching would need more subtlety than that, but you get
> > the idea.)
> > The routine anti-phishing stuff detects dubious URLs etc and displays
> > bright red "possible fraud" warnings.
> > It would be nice if we could supplement this with an additional,
> > locally-based, component that could be configured to match suspicious
> > URLs based on the local site name.
> > Is it possible to run such an antiphishing config, comprising both Julian's
> > standard set and a local component?
> > If not, might it be a worthwhile addition?
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
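
The two patterns reported in this thread (the local domain used as leading labels of a foreign domain, and the local name re-registered with a changed separator or suffix) can be matched by a small local check. The following is an added example, not MailScanner code and not written by anyone in the thread; LOCAL_DOMAINS, classify_host and scan_body are hypothetical names, and the sample body is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the site's own domains, taken from the two sites named in the thread.
LOCAL_DOMAINS = ["durham.ac.uk", "strath.ac.uk"]
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def classify_host(host, local_domains=LOCAL_DOMAINS):
    """Return 'local', 'lookalike:<reason> <domain>' or 'other' for a hostname."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in local_domains):
        return "local"
    dotted = "." + host + "."
    # Treat '-' and '_' as '.' so "strath-ac.com" lines up with "strath.ac".
    swapped = "." + re.sub(r"[-_]", ".", host) + "."
    for d in local_domains:
        # Whole local domain used as leading labels of someone else's domain.
        if "." + d + "." in dotted:
            return "lookalike:embedded " + d
        # Local name minus its final label, reused under another suffix.
        stem = d.rsplit(".", 1)[0]
        if "." + stem + "." in swapped:
            return "lookalike:stem " + d
    return "other"

def scan_body(body, local_domains=LOCAL_DOMAINS):
    """Return (url, verdict) for every URL in body whose host is a lookalike."""
    findings = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed bracketed host
            continue
        verdict = classify_host(host, local_domains)
        if verdict.startswith("lookalike:"):
            findings.append((url, verdict))
    return findings

# Constructed sample message body (not a captured phish).
SAMPLE = """Your VLE account must be re-validated:
http://www.durham.ac.uk.spammer.bad/login
http://vle.strath-ac.com/course
Genuine page: http://www.durham.ac.uk/its/
Unrelated: http://www.example.org/news
"""

if __name__ == "__main__":
    for url, verdict in scan_body(SAMPLE):
        print(verdict, url)
```

Both checks match only on label boundaries, so a name such as "strathacona.com" is not flagged; misspelled variants of the local name would need a fuzzy comparison on top of this.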