
fanf

Dealing with phishers

7th May 2008 | 16:00

There's been a raft of phishing attacks against Universities over the last few months. We received a couple of thousand of these last night:

Subject:  CONFIRM YOUR EMAIL ADDRESS
Date:     Tue, 6 May 2008 16:08:53 -0400
From:     CAM SUPPORT TEAM 
Reply-To: 

Dear Cam Subscriber,

To complete your (CAM) account, you must reply to this email
immediately and enter your password here (*********)

Failure to do this will immediately render your email address
deactivated from our database.

You can also confirm your email address by logging into your
CAM account at www.webmail.cam.ac.uk/

Thank you for using CAM.AC.UK!
FROM THE CAM SUPPORT TEAM

We did the usual announcement dance, including a notice on the webmail login page, but this did not prevent some users (including webmail users!) from replying to the phish.

captain_aj suggests scanning email to reject it if it contains the user's password. I wonder how long it would take to crypt() every word of every message... :-)


Comments {19}

Plastic Bertrand Russell

from: burkesworks
date: 7th May 2008 15:12 (UTC)

Had a run of these at work last month, about the same time that the University of Manchester was being hit by them. Crude garden-variety phishing, which appeared to originate from servers in Romania IIRC.


kendall

from: fubar
date: 7th May 2008 15:31 (UTC)

These phishing attacks can stop any day now. Thankfully our Proofpoint appliances have a phishing score we can check against, so anything that scores 99-100 gets the Reply-to: replaced with our helpdesk address. Unfortunately, there's a big grey area where phish and phishy-looking legitimate email lives and, well, users will be users. *sigh*


filecoreinuse

from: filecoreinuse
date: 7th May 2008 15:33 (UTC)

[troll] Well the obvious answer is to store a plaintext version of people's password and use grep! The effort of duplicating passwords is more than outweighed by the added security. [/troll]


cartesiandaemon

from: cartesiandaemon
date: 7th May 2008 15:47 (UTC)

I was thinking:

1. Send everyone an email containing the word [password1] and inviting them to reply to look at [enticing pics]
2. Send everyone an email not containing the word [password1] and inviting them to reply to look at [different enticing pics]
3. Assume everyone who replies to the second only has the password "password1"
4. Profit.

I'm sure that doesn't work, but something in that plan gives me the heebie-jeebies even if it's possible. (Though admittedly it may be better than letting people tell people their passwords.)


from: ex_robhu
date: 7th May 2008 18:23 (UTC)

Doesn't this scheme require people to reply, and for you to know the correct "password1" ?

I mean you can guess the password, but that only gives you one attempt (because anyone receiving a few thousand such emails would be tipped off) per user. Wouldn't it be easier to just try to brute force logging in?


cartesiandaemon

from: cartesiandaemon
date: 7th May 2008 23:35 (UTC)

I mean, suppose 1% of 10000 students have the password "password1" and 1% of people respond to a plausible looking email, then you'd expect to find out one password, which might be enough. In fact, that's almost certainly stupid and doesn't work at all, which is why I said "I'm sure that doesn't work", but the point is, anything that produces public behaviour based on a private password makes me nervous, just in case there's some other subtle scam I didn't think of. There probably isn't, I don't have a security mindset, it was just my first thought.

Wouldn't it be easier to just try to brute force logging in?

Well, maybe, but I guessed there would be something to stop someone trying n00 logins.


from: ex_robhu
date: 7th May 2008 23:36 (UTC)

It looks to me like there is something (i.e. someone) watching to stop someone trying to send such emails too ^_^


Andrew

from: nonameyet
date: 8th May 2008 04:22 (UTC)

Wouldn't it be easier to just try to brute force logging in?
Someone is doing that. Our firewall has blocked about 180 hosts in 24 hours, for trying to make too many ssh connections.
The coincidence of the timing is *interesting*, though the logs suggest the ssh attacks are targeting root.


Rob Kendrick

from: nunfetishist
date: 7th May 2008 15:47 (UTC)

We had something similar at MMU: they even put the IT department's phone number on it. Still, loads of people replied - fortunately we told Exim to forward the mails to us rather than sending them off to Yahoo.


from: senji
date: 7th May 2008 16:09 (UTC)

Apparently my employer's been targeted by a similar one, so I guess it's not just Universities.


Gerald the cuddly duck

from: gerald_duck
date: 7th May 2008 16:37 (UTC)

Exim already rejects e-mail that contains the user's password. If you don't believe me, just try sending an e-mail containing your password to cn-fanf.livejournal.com-88033@ql.gs.

(Surely nobody reading this journal will fall for that old chestnut?)


ewx

from: ewx
date: 7th May 2008 16:52 (UTC)

echo "I promise my password is znqrlbhybbx" | mail cn-fanf.livejournal.com-88033@ql.gs


Tony Finch

from: fanf
date: 7th May 2008 19:56 (UTC)

It seems I can test about 2000 words per second to see if they might be a password, which implies that the software doing the checking would have to make a reasonably good choice about which words to test.

I'm wondering if this idea is inspired or stupid.


Ross

from: crazyscot
date: 7th May 2008 20:05 (UTC)

Problematic if people use passwords which might otherwise legitimately crop up in the mail body. Of course, you might consider that a feature.


Tony Finch

from: fanf
date: 7th May 2008 20:08 (UTC)

Yes, I think it is a feature :-) The false positive rate should be negligible since it would only check email from Hermes users, and it would only check a message against the sender's own password.


Andrew Mobbs

from: mobbsy
date: 7th May 2008 22:59 (UTC)

Does Hermes impose any namespace restrictions on passwords? (e.g. Must contain a capital, must contain a digit, must be at least 6 characters). That could significantly reduce the search space.


Tony Finch

from: fanf
date: 8th May 2008 00:12 (UTC)

Must contain at least one letter and at least one non-letter, must be at least 6 characters. Not sure what the useful maximum length is...

I'm thinking of skipping the message header and checking the first few hundred words that pass these basic tests.

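The scan proposed in the post and refined in fanf's replies above (skip the header, hash only words that pass the password policy, bound the number of candidates, compare only against the sender's own stored hash), as an added example that is neither fanf's code nor anything Hermes or Exim ran. The salted SHA-256 stands in for crypt() as a labelled assumption, since the real Hermes hash format is not stated here; the salt, the password "wombat42" and the sample reply are constructed.

```python
import hashlib
import hmac
import re
from email import message_from_bytes, policy

WORD_RE = re.compile(r"\S+")

def make_stored_hash(password: str, salt: str) -> str:
    # Constructed stand-in for the password store: salted SHA-256 in place
    # of crypt(); the real Hermes hash format is not on the page.
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def matches_stored_hash(word: str, stored: str) -> bool:
    salt, digest = stored.split("$", 1)
    return hmac.compare_digest(hashlib.sha256((salt + word).encode()).hexdigest(), digest)

def could_be_password(word: str) -> bool:
    # Hermes policy as stated in the thread: >= 6 chars, one letter and one non-letter.
    return len(word) >= 6 and any(c.isalpha() for c in word) and not word.isalpha()

def scan_outgoing(raw_message: bytes, stored_hash: str, limit: int = 300) -> bool:
    """True if the body contains a word hashing to the sender's own stored hash.
    The header is skipped and at most `limit` policy-passing words are hashed."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    tested = 0
    for word in WORD_RE.findall(text):
        word = word.strip(".,;:!?()\"'<>")  # so "wombat42." still matches
        if not could_be_password(word):
            continue
        if matches_stored_hash(word, stored_hash):
            return True
        tested += 1
        if tested >= limit:
            break
    return False

# Constructed sample: the sender's stored hash (made-up password "wombat42")
# and a reply in the style of the phish quoted in the post.
STORED = make_stored_hash("wombat42", "x9")
SAMPLE_REPLY = b"""From: user@example.invalid
Subject: Re: CONFIRM YOUR EMAIL ADDRESS

Dear CAM support team, my password is wombat42.  Please do not deactivate me.
"""
```

At the 2000 words per second figure from the thread, a 300-word limit caps the hashing cost of one message at about 0.15 seconds.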

from: techiebloke
date: 8th May 2008 09:01 (UTC)

I think leaking any information about users passwords is worrying and needs loads of very careful thought before implementation.


from: ingulf
date: 8th May 2008 21:27 (UTC)

Well, you now know which users are dumb enough to do this, so you only need to check *their* mails :-)

You could get a crypto processor. This is our one: http://www.broadcom.com/products/Small-Medium-Business/Security-Processor-Solutions/BCM5862

It can do 2Gbps IPsec. It's not immediately clear to me how many crypt operations this means it could do.
