fanf: (Default)
[personal profile] fanf

There's been a raft of phishing attacks against Universities over the last few months. We received a couple of thousand of these last night:

Subject:  CONFIRM YOUR EMAIL ADDRESS
Date:     Tue, 6 May 2008 16:08:53 -0400
From:     CAM SUPPORT TEAM 
Reply-To: 

Dear Cam Subscriber,

To complete your (CAM) account, you must reply to this email
immediately and enter your password here (*********)

Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your
CAM account at www.webmail.cam.ac.uk/

Thank you for using CAM.AC.UK!
FROM THE CAM SUPPORT TEAM

We did the usual announcement dance, including a notice on the webmail login page, but this did not prevent some users (including webmail users!) from replying to the phish.

[livejournal.com profile] captain_aj suggests scanning email to reject it if it contains the user's password. I wonder how long it would take to crypt() every word of every message... :-)
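As an added example (not code from the post, nor anything Hermes or Exim actually does), here is the "crypt() every word" check captain_aj suggests, written as an outbound filter; it assumes a PBKDF2-SHA256 hash as a stand-in for the real crypt(3) format and uses a constructed stored hash, and hash_cost() counts the hash operations one message would cost, which is what the running time fanf wonders about scales with.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for the mail store's crypt(3)-style password hash:
# "rounds$hexsalt$hexdigest" using PBKDF2-HMAC-SHA256. The real hash
# format behind Hermes is not given in the post, so this is constructed.
def make_hash(password, salt=None, rounds=1000):
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "%d$%s$%s" % (rounds, salt.hex(), digest.hex())

def verify(candidate, stored):
    """Hash one candidate word with the stored salt/rounds and compare
    in constant time, exactly as a login check would."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

PUNCT = ".,;:!?()[]{}<>\"'"

def candidate_words(body):
    """Distinct tokens worth hashing: each whitespace-separated token plus
    the same token with surrounding punctuation stripped, so a password
    typed as 'znqrlbhybbx.' still matches. Deduplicating keeps the cost down."""
    seen = {}
    for tok in body.split():
        for cand in (tok, tok.strip(PUNCT)):
            if cand:
                seen.setdefault(cand)
    return list(seen)

def leaked_words(body, stored):
    """Tokens of an outbound message that verify against the sender's
    stored hash. A non-empty result means the reply should be rejected
    (or diverted to the helpdesk) rather than delivered."""
    return [w for w in candidate_words(body) if verify(w, stored)]

def hash_cost(body):
    """Password-hash operations one message costs the filter: one per
    distinct candidate word, each as expensive as a login attempt."""
    return len(candidate_words(body))
```

Note that leaked_words() is also a yes/no oracle for "is this word my password", so it belongs only on the server side with rejections logged, never exposed as a user-visible bounce reason.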

Date: 2008-05-07 15:12 (UTC)
From: [identity profile] burkesworks.livejournal.com
Had a run of these at work last month, about the same time that the University of Manchester was being hit by them. Crude garden-variety phishing, which appeared to originate from servers in Romania IIRC.

Date: 2008-05-07 15:31 (UTC)
tikibar: (Default)
From: [personal profile] tikibar
These phishing attacks can stop any day now. Thankfully our Proofpoint appliances have a phishing score we can check against, so anything that scores 99-100 gets the Reply-to: replaced with our helpdesk address. Unfortunately, there's a big grey area where phish and phishy-looking legitimate email lives and, well, users will be users. *sigh*

Date: 2008-05-07 15:33 (UTC)
From: [identity profile] filecoreinuse.livejournal.com
[troll] Well the obvious answer is to store a plaintext version of people's password and use grep! The effort of duplicating passwords is more than outweighed by the added security. [/troll]

Date: 2008-05-07 15:47 (UTC)
From: [identity profile] cartesiandaemon.livejournal.com
I was thinking:

1. Send everyone an email containing the word [password1] and inviting them to reply to look at [enticing pics]
2. Send everyone an email not containing the word [password1] and inviting them to reply to look at [different enticing pics]
3. Assume everyone who replies to the second only has the password "password1"
4. Profit.

I'm sure that doesn't work, but something in that plan gives me the heebie-jeebies even if it's possible. (Though admittedly it may be better than letting people tell people their passwords.)

Date: 2008-05-07 18:23 (UTC)
From: [identity profile] ex-robhu.livejournal.com
Doesn't this scheme require people to reply, and for you to know the correct "password1" ?

I mean you can guess the password, but that only gives you one attempt (because anyone receiving a few thousand such emails would be tipped off) per user. Wouldn't it be easier to just try to brute force logging in?

Date: 2008-05-07 23:35 (UTC)
From: [identity profile] cartesiandaemon.livejournal.com
I mean, suppose 1% of 10000 students have the password "password1" and 1% of people respond to a plausible looking email, then you'd expect to find out one password, which might be enough. In fact, that's almost certainly stupid and doesn't work at all, which is why I said "I'm sure that doesn't work", but the point is, anything that produces public behaviour based on a private password makes me nervous, just in case there's some other subtle scam I didn't think of. There probably isn't, I don't have a security mindset, it was just my first thought.

Wouldn't it be easier to just try to brute force logging in?

Well, maybe, but I guessed there would be something to stop someone trying n00 logins.

Date: 2008-05-07 23:36 (UTC)
From: [identity profile] ex-robhu.livejournal.com
It looks to me like there is something (i.e. someone) watching to stop someone trying to send such emails too ^_^

Date: 2008-05-08 04:22 (UTC)
bens_dad: (Default)
From: [personal profile] bens_dad
Wouldn't it be easier to just try to brute force logging in?
Someone is doing that. Our firewall has blocked about 180 hosts in 24 hours, for trying to make too many ssh connections.
The coincidence of the timing is *interesting*, though the logs suggest the ssh attacks are targeting root.

Date: 2008-05-07 15:47 (UTC)
From: [identity profile] nunfetishist.livejournal.com
We had something similar at MMU: they even put the IT department's phone number on it. Still, loads of people replied - fortunately we told Exim to forward the mails to us rather than sending them off to Yahoo.

Date: 2008-05-07 16:09 (UTC)
From: [identity profile] senji.livejournal.com
Apparently my employer's been targeted by a similar one, so I guess it's not just Universities.

Date: 2008-05-07 16:37 (UTC)
gerald_duck: (devil duck)
From: [personal profile] gerald_duck
Exim already rejects e-mail that contains the user's password. If you don't believe me, just try sending an e-mail containing your password to cn-fanf.livejournal.com-88033@ql.gs.

(Surely nobody reading this journal will fall for that old chestnut?)

Date: 2008-05-07 16:52 (UTC)
ext_8103: (Default)
From: [identity profile] ewx.livejournal.com
echo "I promise my password is znqrlbhybbx" | mail cn-fanf.livejournal.com-88033@ql.gs

Date: 2008-05-07 20:05 (UTC)
From: [identity profile] crazyscot.livejournal.com
Problematic if people use passwords which might otherwise legitimately crop up in the mail body. Of course, you might consider that a feature.

Date: 2008-05-07 22:59 (UTC)
From: [identity profile] mobbsy.livejournal.com
Does Hermes impose any namespace restrictions on passwords? (e.g. must contain a capital, must contain a digit, must be at least 6 characters.) That could significantly reduce the search space.

Date: 2008-05-08 09:01 (UTC)
From: [identity profile] techiebloke.livejournal.com
I think leaking any information about users' passwords is worrying and needs loads of very careful thought before implementation.

Date: 2008-05-08 21:27 (UTC)
From: [identity profile] ingulf.livejournal.com
Well, you now know which users are dumb enough to do this, so you only need to check *their* mails :-)

You could get a crypto processor. This is our one: http://www.broadcom.com/products/Small-Medium-Business/Security-Processor-Solutions/BCM5862

It can do 2Gbps IPsec. It's not immediately clear to me how many crypt operations this means it could do.

Page generated 2025-07-28 12:40
Powered by Dreamwidth Studios