
SANS ISC: The Frustration of Phishing Attacks - SANS Internet Storm Center


The Frustration of Phishing Attacks

Over the last few months I have been involved in tracking down and attempting to prevent phishing attacks and cleaning up the mess that can result.  It is extremely irritating and frustrating that these continue to happen and some users continue to fall for the scams.  In spite of publishing an advisory on our webpage, publishing it in our newsletter, putting it on our help desk's on-hold message and repeatedly reminding people that we will never send out an email asking for the customer's userid and password, the customers continue to fall for the phish.  So what do you say to a customer who has fallen for the phish?  I feel bad for them because in some cases they felt like they had been violated, yet I still can't help but get ticked off.  Why would you be more willing to send someone your userid and password to log in to your email account than you would to give out any other personal information?

The frustrating thing for me is dealing with the blacklisting and cleanup that follows.  I have spent hours cleaning up the mail queues, answering questions for other customers who have lost their ability to send email because of the blacklisting and contacting the blacklisters to get the servers cleared. 

What is even more irritating is the companies, banks, etc. that do send out emails that are phish-like. This week I received an email from a company that I do business with at home.  They have a page set up on their domain which allows you to log in and check your account, request changes to service or request information.  They are doing a server upgrade, putting in new hardware.  They sent out an email to that effect and said that the passwords on the new system will be changed; if you want your password to be the same on the new server, send them your password and they would set it for you.  Now I realize that this is a really low-priority target for phishers, but it is nonetheless a bad idea.  I called them and voiced my opinion and let them know that they didn't need to set my online access back up.  If I have any questions I will just call them.  They couldn't understand my concern or why I no longer wanted online access to their system.

I just hope someday Internet users will understand the importance of protecting their email information.  Until they do, I will continue to clean up the servers and try to manage as best I can.

So my question to our readers is:

What do you do to educate your employees, customers, family and friends to the do’s and don’ts of email? 

I look forward to your input and will print some of your ideas in a later diary.


Deborah

278 Posts
ISC Handler
I find that collating a little sample of the more pernicious spams and phishes of the month (you really should be monitoring what your filters are doing) and sending out the odd reminder that this stuff exists works quite well. Good filtering, greylisting and virus scanning can insulate a user from the dangers of the Internet, making them complacent and unable to recognise a malicious mail when one gets around the filters, which they will given time. Worse, that complacency can easily turn to a sense of victory over the spammers and phishers instead of simply the halfway compromise to mitigate the most obvious malmail that it really is. A little reminder of what we do and the limitations of our technical solutions once in a while is, in my opinion, quite valuable.

Also, the banks, service providers and others handling user accounts really need to get behind a good sender-verification protocol. DKIM, SID, SPF, I really don't care which, but keeping it accurate (v=spf1 +a +mx +ptr ~all, for example, is worse than useless; DKIM is marginally better, but for ${DEITY}'s sake, don't leave it set up as testing or disregarding results in the policy) and securing the mechanism by which it is delivered (DNSSEC) has to be a priority. I know it's a partial solution, but security *is* a game of multiple layers, after all.

As you can see, I believe there are multiple layers of "fail" here and not all of them can be laid at the door of the user. Granted, many can, but the temptation to blame the users' collective ignorance for everything (although the assumption that they're all ignorant when planning mail services is healthy) should be guarded against if we are to be effective in serving the very people we are entrusted to protect. I know that sounds like new-age Y-management gobbledygook and that users can be frustrating, but thinking this problem over only reinforces my belief in the rectitude of this philosophy.
Matt

7 Posts
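Matt's point about keeping SPF and DKIM records accurate, as an added example that is not part of the diary or the comments: a small Python checker that flags the weak settings the comment names (a `ptr` mechanism, a `~all` softfail, DKIM left in `t=y` testing mode) on constructed sample records. The reason strings and the sample records are my own; a real deployment would feed it the TXT records fetched from DNS.

```python
# Added example, not from the diary or its comments. Flags weak SPF/DKIM
# policy records of the kind the comment describes. Sample records are
# constructed inline; a real check would fetch them with DNS TXT lookups.

def check_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF TXT record (empty list = OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    problems = []
    mechs = terms[1:]
    # ptr is deprecated (RFC 7208): slow, and anyone who controls the reverse
    # DNS for their own address can make it match.
    if any(t.lstrip("+-~?").lower() == "ptr" for t in mechs):
        problems.append("ptr mechanism is deprecated and unreliable")
    last = mechs[-1].lower() if mechs else ""
    if last in ("all", "+all"):
        problems.append("+all passes every sender")
    elif last == "~all":
        problems.append("~all softfail: most receivers only tag, never reject")
    elif last == "?all":
        problems.append("?all neutral: states no policy")
    elif last != "-all":
        problems.append("no terminating -all: unlisted senders are neutral")
    return problems

def check_dkim(record: str) -> list:
    """Return weaknesses in a DKIM selector TXT record (tag=value; list)."""
    pairs = dict(p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs.items()}
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected version tag")
    # RFC 6376: t=y means testing; verifiers must treat mail as if unsigned.
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing flag: verifiers must treat as unsigned")
    if tags.get("p", "") == "":
        problems.append("empty p= tag: key is revoked, signatures will fail")
    return problems

if __name__ == "__main__":
    # Constructed samples: the record quoted in the comment, and a fixed one.
    for spf in ("v=spf1 +a +mx +ptr ~all", "v=spf1 a mx -all"):
        print(spf, "->", check_spf(spf) or "OK")
    for dkim in ("v=DKIM1; k=rsa; t=y; p=PLACEHOLDERKEY",
                 "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"):
        print(dkim, "->", check_dkim(dkim) or "OK")
```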
I can only speak of what I do to educate my family and friends - I used to try, but then I stopped. There, I said it. Yes, it's true - I stopped.
I gave up on trying to get my family and friends to think and act like me - a person whose job is in information security. I advise them if they ask and, because of who they are, I clean up their mess if they ask me to.

They bought their computer for their own reasons, usually for entertainment, so yes, they love to get and send e-cards. They love to forward chain mail messages. They gleefully click on e-mail attachments. They do all the things that make us cringe in horror.

For them it's simple. It's what they bought the system for. They are the system owners after all, and as such they assume the risk.

Hi Mom, Your computer is doing what?
Jerry

12 Posts
People are desensitized to entering their personal information because so many businesses and organizations require it; they are entering it all the time for all manner of transactions. They are just overwhelmed with authentication requirements and methods, to the point that they just follow instructions without thinking critically. Many times the requirements for entering a password are for esoteric reasons that most people will not understand. This is a common problem in safety, where people become so fatigued by all the signs warning of hazards that they stop reading them.

Unfortunately, the next level of security will likely require an external device to provide a cryptographically strong "something I alone possess" factor. With USB this is not too great a burden, but it is another key to carry in your pocket. While there are other administrative processes that could be exploited to overcome this solution, it could ultimately be a much stronger protection than current practice. I am surprised that more banks haven't chosen to use a hardware-based second method rather than methods that still rely on the user's judgment.
MichaelH

4 Posts
