RE: Detecting phishing scams on wire
- From: "Mike Barkett" <mbarkett@xxxxxxx>
- Date: Tue, 6 Dec 2005 23:57:24 -0500
I've been chipping away at the same concept for a while in my spare time, in
hopes of creating a safe and reliable phishing package for NFR's IPS product
line. The biggest trouble with the reverse lookup is that it creates a
covert channel.
However, all is not lost; reverse lookup is not the only dead giveaway that
the phishermen are casting their lures into your network. Here are some
others:
1. Received: header traces back to a domain different than the sender
2. MTA is a known open relay
3. Message body contains certain keywords, like "account" and "suspended"
and "update"
4. Message subject contains same keywords
5. <A HREF="some URL at one domain">http://a legitimate looking, but
different URL at a different domain</A> contained in the message body.
6. onMouseOver() and/or onMouseOut() java calls contained in message body
The reverse lookup is #1, but not the only one. Also, a lot can be learned
from SPAM prevention software such as SpamAssassin. Now of course, how much
Bayesian CPU scratching you want to do in real-time with your IPS is up to
you, but if you ask me, that level of inspection is probably best left to
the mail servers and other non-inline devices. Actually, most of this is
better achieved with a good mail server, but alas, most people don't run
good mail servers.
Numbers 2-6 can be done by a talented IPS with very little drag on
performance, but unfortunately #1 is worth the most points. (Here's the NFR
plug.) NFR's patent-pending Confidence Indexing (TM) is actually perfect
for this situation. Basically, each criterion would be worth a confidence
value, and the total confidence value of a message would determine whether
that SMTP/POP3/IMAP connection is prevented or not. If I can figure out how
to do #1 without creating a covert channel or compromising the stealth
positioning of our IPS appliance, then I will have a great start toward a
silver bullet that reliably kills phishing on the wire. Which IPS are you
working with?
-MAB
--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512
> -----Original Message-----
> From: vulnerabilty@xxxxxxxxx [mailto:vulnerabilty@xxxxxxxxx]
> Sent: Tuesday, December 06, 2005 1:43 AM
> To: focus-ids@xxxxxxxxxxxxxxxxx
> Subject: Detecting phishing scams on wire
>
> I am working on IPS signatures to detect phishing scams on wire.
> The points in my mind are:
> IPS should have capability to validate the IP addresses using reverse lookup
> or by maintaining a list of blacklisted IPs.
> To check SSL validation for commercial sites on wire to prevent URL
> spoofing.
> I would appreciate your comments and suggestions.
>
> thanks in advance
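The six indicators Mike lists, together with the per-criterion confidence weighting he describes, map naturally onto a small scoring function. The following is an added illustration written for this archive page; it is not NFR code, not the Confidence Indexing product, and not the original poster's signatures. The weights, the keyword rule (at least two of the listed words), the open-relay list, the block threshold and both sample messages are constructed for the example, and heuristic #1 is approximated from the `Received:` chain already in the message rather than from a live reverse lookup, which sidesteps the covert-channel concern raised above.

```python
"""Score an e-mail message against the six phishing indicators from the
thread: Received: trace vs. sender domain, known open relay, body keywords,
subject keywords, anchor href vs. displayed URL, and mouse-event handlers.
Added example; all weights, lists and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed confidence values: #1 is worth the most, as the reply says.
WEIGHTS = {
    "received_domain_mismatch": 40,
    "known_open_relay": 25,
    "anchor_domain_mismatch": 30,
    "mouse_event_handlers": 20,
    "body_keywords": 15,
    "subject_keywords": 10,
}
KEYWORDS = ("account", "suspended", "update")
OPEN_RELAYS = {"198.51.100.23"}          # constructed stand-in for a relay/blacklist feed
BLOCK_THRESHOLD = 60                     # constructed: total confidence at which to block

RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d+\.\d+\.\d+\.\d+)\]", re.I | re.S)
ANCHOR_RE = re.compile(r"<a\s+[^>]*href\s*=\s*[\"']?([^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
MOUSE_RE = re.compile(r"onmouse(?:over|out)\s*=", re.I)


def registrable_domain(host):
    """Crude last-two-labels comparison; sufficient for the illustration."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def keyword_hit(text):
    """Constructed rule: flag when at least two of the listed keywords appear."""
    lowered = text.lower()
    return sum(k in lowered for k in KEYWORDS) >= 2


def score_message(raw, open_relays=OPEN_RELAYS, threshold=BLOCK_THRESHOLD):
    """Return the indicators that fired, the summed confidence and a verdict."""
    msg = message_from_string(raw)
    hits = set()
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])

    # #1 and #2: every hop in the Received: chain is checked, since the
    # originating hop (the one that gives the game away) is the bottom-most.
    for rcvd in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.search(rcvd)
        if not m:
            continue
        helo_host, ip = m.group(1), m.group(2)
        if registrable_domain(helo_host) != sender_domain:
            hits.add("received_domain_mismatch")
        if ip in open_relays:
            hits.add("known_open_relay")

    # #3 and #4: keyword checks on body and subject (single-part text assumed).
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if not p.is_multipart())
    if keyword_hit(body):
        hits.add("body_keywords")
    if keyword_hit(msg.get("Subject", "")):
        hits.add("subject_keywords")

    # #5: <A HREF="one domain">http://another domain</A>
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable_domain(host_of(href)) != registrable_domain(host_of(shown.group(0))):
            hits.add("anchor_domain_mismatch")

    # #6: onMouseOver / onMouseOut handlers in the body
    if MOUSE_RE.search(body):
        hits.add("mouse_event_handlers")

    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": sorted(hits), "score": score,
            "verdict": "block" if score >= threshold else "allow"}


# Constructed sample: lure that trips all six indicators.
PHISH = """\
Received: from mail.example-bank.com (mail.example-bank.com [203.0.113.5])
 by mx.example.net with ESMTP id abc123
 for <victim@example.net>; Tue, 6 Dec 2005 10:00:00 -0500
Received: from relay.example.org (relay.example.org [198.51.100.23])
 by mail.example-bank.com with SMTP id xyz789
From: "Example Bank" <security@example-bank.com>
To: victim@example.net
Subject: Your account has been suspended - update required
Content-Type: text/html

<html><body>Your account has been suspended. Please update your details here:
<a href="http://198.51.100.23/login" onMouseOver="window.status='ok'; return true;">https://www.example-bank.com/login</a>
</body></html>
"""

# Constructed sample: ordinary internal mail that should score zero.
CLEAN = """\
Received: from mail.example.net (mail.example.net [203.0.113.9])
 by mx.example.net with ESMTP id def456
From: "Colleague" <alice@example.net>
To: bob@example.net
Subject: Lunch tomorrow?
Content-Type: text/html

<html><body>See <a href="https://wiki.example.net/lunch">the wiki page</a>.</body></html>
"""

if __name__ == "__main__":
    print(score_message(PHISH))
    print(score_message(CLEAN))
```

Because each indicator contributes a fixed weight and the verdict is taken on the sum, a single weak signal such as the subject keywords (10 points here) never blocks on its own, while the `Received:` mismatch combined with a known open relay crosses the threshold without any body inspection at all, which is the kind of cheap, header-only decision an inline device can afford to make.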