Phishing & BotNets
What else to be done ? Feb 14 2007 06:40AM
dubaisans dubai (dubaisans gmail com) (2 replies)
Re: What else to be done ? Feb 16 2007 06:56AM
Carl Jongsma (info skiifwrald com) (1 replies)
RE: What else to be done ? Feb 20 2007 12:31PM
Anoop Mangla (anoop mangla paladion net) (1 replies)
Re: What else to be done ? Feb 21 2007 02:42PM
Carl Jongsma (info skiifwrald com)
Hi Anoop,

There are a number of things that can be done once an institution
becomes the target of a phish attempt. Most importantly, if there
isn't already a policy in place to deal with phishing attacks, then
you really need to get one created and in place to guide the ongoing
management and recovery from an attack.

Assuming that nothing has been done or introduced prior to the
detection of a phishing run, you need to identify a few key items
that will then help you work out what to do next:

- Are the phishers using a weakness in your site to confuse users
(such as an active redirect, hidden pages, or other similar web
application weakness)? If they are, then you need to immediately
tighten the security on your web site and associated services. This
should include a complete security audit, as it is probable that the
phishers have left other surprises around the site. If the phishers
are using their own site and services, all you can really do is
pressure the upstream ISP (and sometimes the compromised site hosting
the service) to close down the phish site.

- Do you have an easily accessible (and highlighted) page which
acknowledges that your clients are being targeted in a phishing
attack? Does this page have an easy means for your clients to
forward copies of the phish emails that they are receiving? Sure,
you probably have already seen all of the variants that your clients
are receiving, but it shows good faith in your clients and that you
respect their input (even if you just ignore the duplicate copies).
There are some very large institutions that make it extremely hard
(if not actually impossible) to report new phishes to, and this is
actually harming their ability to respond quickly to damage (hint:
PIRT, CERT, and other equivalent bodies are NOT the first to find out
and report issues).

- Does the aforementioned page explain in clear, basic English
(or language of choice) how your clients can identify the REAL
institution from the fake sites being set up? Demonstrate to your
clients that you know about the attacks and provide them with the
means to better identify phish attempts and how they can know when
they are logging in to the real site services.

- Ensure that clients can only log on to company services through
an https connection that is not hidden in a form on an http:// page.
If it includes a log on form, the whole page should be https://.
Although this provides a minimal increase in technical security, it
provides a significant boost to client confidence and awareness.

- Finally, just weather out the attack. Work with the clients who
have been compromised, but learn to accept that these sorts of attacks
will be ongoing (this isn't the list to hawk company services on, but
there are other options as well).

The only thing that will really decrease damage / risk of exposure in
the long run is client / user awareness and training, and well-
maintained and secure online services.

If you are referring to the institution I am thinking of, then you
really need to engage the services of professionals who specialise in
this field. While mailing lists like this are excellent learning
resources, when it comes to effectively protecting end client data
(personal and financial), then an "I'm sorry, I am still learning"
isn't going to cut it when something goes wrong. All any security
breach takes is a hacker / phisher who is one lesson ahead of you.


Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia

On 20/02/2007, at 11:01 PM, Anoop Mangla wrote:
> Hi,
> What options does an institution have once its website has been
> phished?
> What measures can lower the damage?
> Thanks,
> Anoop

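Two of the items in the post above lend themselves to a concrete check: the "active redirect" weakness (first bullet) and the requirement that log-on forms be served and submitted only over https (fourth bullet). The script below is an added example, not code from the original message or from any company named on this page. It assumes a hypothetical institution host `bank.example`, and all HTML pages in it are constructed samples; `is_safe_redirect` is the hardened form of a redirect handler (an allow-list of hosts, https only, no scheme-relative or backslash tricks), and `insecure_logon_forms` scans a page for password forms that touch plain http.

```python
"""Defender-side checks for two of the recommendations in the post:
(1) validate redirect targets against an allow-list so the site cannot be
    used to bounce victims to a phish page, and
(2) find log-on forms that are served or submitted over plain http.
All hostnames and HTML below are constructed for the example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def is_safe_redirect(target, allowed_hosts):
    """Return True only for a same-site relative path or an absolute https URL
    whose host is in allowed_hosts (all lowercase). Everything else is refused."""
    # Backslashes and control characters are browser-dependent; refuse them outright.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with exactly one slash ("//host" is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme != "https":          # plain http, ftp, javascript, data, ... refused
        return False
    host = (parsed.hostname or "").lower()  # hostname strips user:pass@ and :port
    return host in allowed_hosts


class _FormScanner(HTMLParser):
    """Collects every <form> on a page and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_logon_forms(page_url, html):
    """Return one finding string per log-on form whose page or submit target
    is not https. Forms without a password field are ignored."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_url = urljoin(page_url, form["action"])   # resolve relative actions
        action_scheme = urlparse(action_url).scheme
        if page_scheme != "https":
            findings.append("log-on form on a %s page: %s" % (page_scheme, page_url))
        if action_scheme != "https":
            findings.append("log-on form submits over %s: %s" % (action_scheme, action_url))
    return findings


# Constructed sample pages (not taken from any real site).
SAMPLE_HTTP_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

SAMPLE_HTTPS_PAGE = """<html><body>
<form action="https://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="http://search.bank.example/" method="get">
  <input name="q">
</form></body></html>"""

SAMPLE_MIXED_PAGE = """<html><body>
<form action="http://bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    allowed = {"bank.example"}
    for t in ("/account", "https://bank.example/account", "//evil.example/",
              "https://bank.example.evil.example/", "http://bank.example/"):
        print("%-40s safe=%s" % (t, is_safe_redirect(t, allowed)))
    for url, page in (("http://bank.example/home", SAMPLE_HTTP_PAGE),
                      ("https://bank.example/home", SAMPLE_HTTPS_PAGE),
                      ("https://bank.example/home", SAMPLE_MIXED_PAGE)):
        print(url, insecure_logon_forms(url, page) or "OK")
```

The redirect validator deliberately refuses plain http targets even on the institution's own host, matching the post's point that the whole log-on path should be https; the form scanner reports the https-served page with a search form on http as clean because only password forms matter for the check.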
Re: What else to be done ? Feb 15 2007 08:35AM
Isaac Perez (suscripcions tsolucio com)

