Brian Thomas

Father, Husband, IT Systems Administrator, Chemical Engineer.

Most commented posts

  1. Large rule sets in Snort on pfSense cause PHP memory crash — 1 comments

Author's posts

Current Atlantic Storms

Cybersecurity | Part 3 | Endpoint Protection

Coming Soon…

Cybersecurity | Part 2 | Credential Theft

The most classic example is the endless stream of phishing attacks directed at us. The attacks often appear to be from legitimate sources, such as Payroll or HR. We had a bunch of people fall for the Payroll phish instantly. They were thinking more about not getting paid than the legitimacy of the message.

One of the best attacks I saw was an extremely well crafted email that was paired with an extremely accurate looking forgery page. The email utilized Drexel branding that was hosted on another academic institution’s website. This meant the message could be opened by many users without creating any kind of suspicious traffic load to the Drexel web server and since the image traffic was coming from another academic institution, it could run over the academic networks. This single image was not more than a few drops in an ocean of traffic on the academic backbone network. The traffic would be obscured by the larger transfers and higher volume going over the network.

The forgery page was built to match an internal authentication system complete with out of date copyright tags. The behavior of the site also claimed the password was incorrect no matter what the user entered. This meant the user could enter multiple possibilities for the password and the system would harvest all of them. This provided the site’s creators with several potential sets of credentials to use to attempt to access other systems. Most people will try the same password entry again after it’s wrong once but on subsequent attempts they typically start trying different/older passwords.

That phishing campaign was, by far, the worst we’ve seen. Since then we’ve developed a better warning system for our users and procedures to get the phishing sites taken offline as soon as we’re alerted to their presence. Hat tip again to @SwiftOnSecurity for the phishing site take down steps.

-Brian

Load more