Thursday, April 18 started out as a normal day (except for all of the Heartbleed hubbub), that is, until we realized that the University had been hit with about 32K of phishing emails.
I have to hand it to the phishers, they did a really nice job.
An email, signed by one of our help desks, went out describing a process that we had just gone through – we consolidated many of our policies. They requested that everyone needed to read and understand the new policies, and that they should click on the link to do that.
That link (which started with www.columbia.edu) took you to a perfect copy of our login page and then onto our policy page. The only giveaway was that you do not need to login to see our policies. Quite honestly, the phishers did a better job of getting people to read our new policies than we did.
Since then, I have spent my time watching my email for alerts that indicate that an account is being used to send out spam. We found it very useful to process all outgoing email through our incoming spam filters (with some extra special sauce) – this turns out to be a great way to identify compromised accounts.
I’ve been turning off 15-20 accounts a day – it appears that the phisher is selling our accounts in batches of 20 or so. Another trick is to watch your authentication logs for an IP address with lots of failed logins, then look for successful logins from the same address – this is the address being used to verify the passwords of the phished accounts.
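The authentication-log trick described above, written out as an added Python example (not code from the original column): it assumes a constructed sshd-style log format with "Failed password" / "Accepted password" lines, and flags any source address that produces a run of failed logins followed by successful ones.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data); one address is trying many
# phished passwords, failing on the stale ones and succeeding on the good ones.
SAMPLE_LOG = """\
Apr 18 09:01:12 auth sshd: Failed password for alice from 203.0.113.7
Apr 18 09:01:15 auth sshd: Failed password for bob from 203.0.113.7
Apr 18 09:01:19 auth sshd: Failed password for carol from 203.0.113.7
Apr 18 09:01:22 auth sshd: Accepted password for dave from 203.0.113.7
Apr 18 09:01:30 auth sshd: Accepted password for erin from 203.0.113.7
Apr 18 09:02:01 auth sshd: Failed password for alice from 198.51.100.4
Apr 18 09:02:05 auth sshd: Accepted password for alice from 198.51.100.4
Apr 18 09:03:00 auth sshd: Accepted password for frank from 192.0.2.9
"""

# Assumed line format; adjust the pattern to whatever your auth system logs.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def find_verifier_ips(log_text, min_failures=3):
    """Return {ip: [accounts]} for every source address that logged in
    successfully only after at least `min_failures` failed attempts.
    Those accounts are the ones whose phished passwords just checked out."""
    failures = defaultdict(int)   # ip -> failed logins seen so far
    suspects = defaultdict(list)  # ip -> accounts accepted after the failures
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            suspects[ip].append(m["user"])
    return dict(suspects)


def accounts_to_disable(log_text, min_failures=3):
    """Flat, sorted list of accounts to turn off and force a password reset on."""
    flagged = find_verifier_ips(log_text, min_failures)
    return sorted({user for users in flagged.values() for user in users})


if __name__ == "__main__":
    print(find_verifier_ips(SAMPLE_LOG))  # {'203.0.113.7': ['dave', 'erin']}
    print(accounts_to_disable(SAMPLE_LOG))
```

A single failure from 198.51.100.4 stays below the threshold, so an ordinary user mistyping a password once is not flagged; lowering `min_failures` trades that quiet for earlier alerts.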
The ray of sunshine in this was that when we discovered the phish, we sent out an email to everyone who got it, saying that they received a phish, this is what it looked like, and if they clicked and authenticated, they should change their password ASAP. We got back a reply from one user, who basically said “Up Yours” (the words have been changed, as this is a G-rated magazine).
We answered them back with a “What???”, at which point they replied with “I am the hacker, and I am going to do bad things to you.”
Needless to say, we got a good laugh out of this. My guess is that they were getting frustrated that we are able to turn off the compromised accounts within a few minutes of them being used.
The frustrating part to this is that despite all of the work we have done over the years to educate our population about phishing and link clicking, the bad guys will always have the upper hand.
All they have to do is to monitor your environment, learn how to write proper prose, be creative in their application of technology and they will make it through the best filters. If they can get the mail into your users’ inboxes, and the story looks just like one that you have legitimately sent them in the past, they are assured of getting a reasonable number of responses.
Phishing, like Fishing, requires a lot of time and patience – I’m allergic to Fish – both kinds.