phishing sites: local and remote

Jethro R Binks jethro.binks at strath.ac.uk
Tue Feb 10 21:30:06 GMT 2009


On Tue, 10 Feb 2009, Julian Field wrote:

> Are lots of other people seeing this sort of attack?
> If so, is it worth my while doing something about it?
> I'm not going to start coding for 1 site (sorry David), but if plenty of
> people are seeing this then I could possibly do something.

For what it is worth, we have seen some very targeted spear phishes using 
newly registered domains that are "a bit" like ours (last example was 
"strath-ac.com"), copying website content from some system (like VLEs etc), 
and subsequently having users receive email purportedly from the 
administrators of the systems trying to get people to visit the fraudulent 
version of the site.

It was so specific and unusual we have reported it (two occasions, last 
week and December) to JANET IRT.  Any other JANET sites seeing similar 
elaborate institutionally-targeted attacks of this nature (rather than 
just run of the mill "your webmail is running out of space" generic spear 
phish) should please also report them to JANET IRT so they can keep an eye 
on the situation.

Jethro.


> 
> On 4/2/09 16:31, David Lee wrote:
> > We try to use MS configs (currently 4.72.5) reasonably close to the
> > distributed version.  That includes taking the routine updates to
> > "phishing.bad.sites.conf" and "phishing.safe.sites.conf".
> > 
> > Being a university, we are also getting badly hit by spear-phishing attempts
> > against our users.  We noticed that some of the incoming bait
> > contained URLs similar to ours.  Our true URLs are of the form:
> >    http://...durham.ac.uk/...
> > 
> > The incoming bait reads:
> >    http://...durham.ac.uk.spammer.bad/...
> > 
> > (Real life pattern-matching would need more subtlety than that, but you get
> > the idea.)
> > 
> > The routine anti-phishing stuff detects dubious URLs etc and displays 
> > bright red "possible fraud" warnings.
> > 
> > It would be nice if we could supplement this with an additional, 
> > locally-based, component that could be configured to match suspicious 
> > URLs based on the local site name.
> > 
> > Is it possible to run such an antiphishing config, comprising both Julian's
> > standard set and a local component?
> > 
> > If not, might it be a worthwhile addition?
> > 
> > 
> 
> Jules
> 
> 

-- 
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
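
A sketch of the locally configured check discussed in this thread, as an added example: it is not MailScanner code and not from either poster. It flags URLs whose hostname carries a local site name without actually being under it, covering only the two patterns quoted above (`durham.ac.uk.spammer.bad` and `strath-ac.com`). The function names, the sample message and the "drop the last label" stem rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Local domains to protect; these two are the ones named in the thread.
LOCAL_DOMAINS = ("durham.ac.uk", "strath.ac.uk")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _labels(host):
    """Split a hostname into labels, treating '-' and '_' like '.'."""
    return [part for part in re.split(r"[._-]", host.lower()) if part]

def _contains_run(haystack, needle):
    """True if the list `needle` occurs as consecutive items of `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))

def classify_host(host, local_domains=LOCAL_DOMAINS):
    """Return 'local', 'lookalike:<domain>' or 'other' for one hostname."""
    host = host.lower().strip(".")
    for dom in local_domains:
        # Genuine: the local domain itself or a real subdomain of it.
        if host == dom or host.endswith("." + dom):
            return "local"
    for dom in local_domains:
        # Assumption: the site-specific stem is the domain minus its last
        # label, e.g. ['strath', 'ac'] for strath.ac.uk.
        stem = dom.split(".")[:-1]
        if stem and _contains_run(_labels(host), stem):
            return "lookalike:" + dom
    return "other"

def suspicious_urls(body, local_domains=LOCAL_DOMAINS):
    """Return (url, imitated_domain) for each lookalike URL found in `body`."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        verdict = classify_host(host, local_domains)
        if verdict.startswith("lookalike:"):
            hits.append((url, verdict.split(":", 1)[1]))
    return hits

# Constructed sample message body (not taken from a real phish).
SAMPLE = ("Log in at http://strath-ac.com/login to keep your account.\n"
          "Official help: http://www.strath.ac.uk/help\n"
          "Webmail quota: http://www.durham.ac.uk.spammer.bad/webmail\n")
```

A single-label stem (for a domain such as `example.com`) would match far more hosts, so a real deployment would need a tighter rule and a local allow-list.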

