Handling phishing attack
Recently, I have the *privilege* of being on the target end of a phishing attack. It was a lot of work handling this incident. In traditional incident handling, you generally feel like you are at the scene fighting fire. When handling the phishing attack, I felt like I was away from the fire and just trying to fight the fire by yelling and shouting. I am writing this diary entry to share some tips and tricks on handling phishing attack, hopefully someone will find this useful.
First of all, if you are under a phishing attack, you should feel proud (seriously). Yes, be optimistic! The phishers pick their target wisely, if you are a mom and pop shop, the phisher are not likely to choose you as target since the return is minimal. Look at all the sites that have been attacked in the past, they are mostly well-known websites and are usually sites that have a high percentage of market shares (www.antiphishing.org has a list of previous attack). So, if someone is willing to launch a phishing attack against your organization, it means that your organization is important.
Let's get started on how to handle phishing attack
Preparation - before it happens
Nothing beats education when it comes to phishing attack. Dedicate some space on your website to educate users about phishing. As we all know, it will never work perfect, but any effort here helps. Some companies also like to include a statement when the user sign up for service telling the user to never reveal information when being asked over the phone or internet. These tactics helps!
---------------------------------------------------
Fighting fire - after phishing attack were noticed
Get the offending email with all header information
Same as any other incidents, you would want to identify the issues first. At this point, some whistleblowers might have alerted your organization about the existence of the phishing email. It is important that you get the full email with headers from them so you can analyse the origin of the email as well the content of the email (HTML source). The following link has information on how to get the full email content.
http://www.spamcop.net/fom-serve/cache/19.html
Try to get your hands on as many copies of the email as possible and compare them, see if they are sent from the same host and if they are directing user to the same phishing host.
Investigate the phishing email and the site
This is the important part of the incident handling for phishing. Inspect carefully the email, is that really a phishing email by looking at the content? You sure that your organization did not send out this email? If you answer yes to these two question, then you are likely to be dealing with a phishing attack. Next, look through the source line by line and pick out the interesting things from the source (email address, link to the phishing site, other URL links).
In the email, there should be a link to the phishing site which is where the victims hand over their valuable information. Get yourself prepared before visiting that site, you really don't know what you are dealing with here. There could be a 0-day browser exploit on the phishing site waiting for you. As the first step, fire up wget to download and save the source of the website. Take a quick look at the source and examine it very carefully for any potential malicious commands. Another way to do this is to use an online service called Master Snooper, it will reveal the source for you without using your browser.
http://www.willmaster.com/master/snooper/MasterSnooperV2.cgi
There is likely a HTML form where the victims are asked to send in their information, check to see where the information are being sent to, does it get send back to the same site or another host?
Submit the spamming host to all realtime blocklist
Feeling the urge to stop this attack? Let's get to the source of the problem - the email. Victims get to the phishing site because of these emails. Stopping the email spread could potentially reduce the number of people exposed to the attack. The email provided information about where this email was sent from (IP address). There are multiple ways of stopping the spread of this email. 1. Contact the organization hosting the mail server - this can be very time consuming and not very rewarding, since it is just too slow. Attempt this only if you know you can stop that mail host quick or you have enough people on your team to handle this. 2. Submit the source IP to the realtime mail blocklist. After the source IP is blocklisted, the mailservers on the Internet subscribing to the blocklist will start blocking email from the spamming host, effective cutting down the number of emails getting to potential victims.
Get your public affairs people involved
Since phishing email can reach a lot of people and your company is probably famous, the press people pick up on these things real quick. Before you know it, they are already calling your company about it. Get your public affairs people involve early on in the incident handling process and keep them informed. This saves your company from mis-representation of information leading to reputation damage.
Inform customers
During the attack, you probably want to coordinate a way to inform customers that such an attack is underway. The best way to inform customers is different for every company. For some, a small notice on the company's main website is sufficient.
Report to external teams
In the high stress incident handling mode, any handler would benefit from expert help. There are incident handling team dedicated to help you out in emergencies like this. Since you are reading this diary, SANS ISC is one good candidate to help you out. antiphishing.org is dedicated for phishing attacks. There are also other government teams that will be able to help you out. Contact them and seek help.
Report to police
Depending on your company policy and local laws, you may be required to report the incident to police. Contact them early on and seek advise, some police force may have experience on dealing with phishing attack and may offer help. There is a very high chance that the phishing site is located in another country, they usually poses a big problem for the local police force.
Contact the hosting parties
In normal incident handling, you would want to isolate and eradicate the problem. The problem with phishing attack is - you do not own the phishing site. Some other party does. In previous experience, most phishing sites are hosted on compromised machines at another country. Netcraft has statistics on which country hosts most phishing sites (see link below).
http://toolbar.netcraft.com/stats/countries
If the incident involve a host in your data center, you can goto the machine and yank the cable, that's the isolation right there. When dealing with a machine in another country, how do you get it done? Contact the party hosting the website (or owning the netblock) to get them to resolve the issue is almost the only way to isolate the problem. With the IP of the phishing site, you can look up the registry service (ARIN, RIPE, APNIC...) to seek out the party responsible for that netblock and their contact information. Pick up the phone and call them might yield a faster resolution.
Important thing to keep in mind here is language barrier. If you are calling another country, try to see if you have anyone on staff who can speak the local language, that will help you a lot. If you are not successful at contacting the party hosting the phishing site, consider contacting their upstream provider about the issue. In previous experience, I found larger ISP to have better understanding of security issue and better English speaking staff (if there's language barrier). If you ask nicely, they are most likely willing to contact the downstream party (their customer) and help resolve this problem. Since they usually have previous communication with their client and they speak the local language, they usually get the issue resolved pretty quick.
Ask for the log files
After you get the site shutdown, you might want to contact the phishing site hosting organization and see if they are willing to supply you with their log on the phishing site computer. With those logs, you might be able to figure out the affected customers and the lost data. Remember, the phishing site hosting party have no obligation to reveal their logs to you but ask nicely and usually they will help you out. Remember, they are probably shocked about the incident (since their host likely got compromised) and is not in the best mood, so be as gentle as possible with them. Ask nicely and you might get it.
Conclusion
That's a lot of tasks to be done which mean one thing - do not do it all by yourself. Get help! I won't go into the details of incident handling techniques and theories, but I do want to stress the importance of segregation of duties here. Unless you are superman, I don't see how you can coordinate the site shutdown and deal with the press all at the same time.
If you think you may be a high risk phishing target, do a drill on a Saturday ASAP. It will let you see if your call list need revision and expose the weakness before the incident actually happens.
I forgot to mention one important point in handling the phishing incident - pray to your God. To get the phishing site shutdown (which is the most effective mitigation), you are at the mercy of some other administrators potentially half a world away. You definitely need some luck to get that going.
Lastly, I would like to praise the team I worked with on my last phishing adventure. You know who you are and you guys really handled it well.
-------------------------------
Handler on Duty - Jason Lam, jason /AT/ networksec.org
First of all, if you are under a phishing attack, you should feel proud (seriously). Yes, be optimistic! The phishers pick their target wisely, if you are a mom and pop shop, the phisher are not likely to choose you as target since the return is minimal. Look at all the sites that have been attacked in the past, they are mostly well-known websites and are usually sites that have a high percentage of market shares (www.antiphishing.org has a list of previous attack). So, if someone is willing to launch a phishing attack against your organization, it means that your organization is important.
Let's get started on how to handle phishing attack
Preparation - before it happens
Nothing beats education when it comes to phishing attack. Dedicate some space on your website to educate users about phishing. As we all know, it will never work perfect, but any effort here helps. Some companies also like to include a statement when the user sign up for service telling the user to never reveal information when being asked over the phone or internet. These tactics helps!
---------------------------------------------------
Fighting fire - after phishing attack were noticed
Get the offending email with all header information
Same as any other incidents, you would want to identify the issues first. At this point, some whistleblowers might have alerted your organization about the existence of the phishing email. It is important that you get the full email with headers from them so you can analyse the origin of the email as well the content of the email (HTML source). The following link has information on how to get the full email content.
http://www.spamcop.net/fom-serve/cache/19.html
Try to get your hands on as many copies of the email as possible and compare them, see if they are sent from the same host and if they are directing user to the same phishing host.
Investigate the phishing email and the site
This is the important part of the incident handling for phishing. Inspect carefully the email, is that really a phishing email by looking at the content? You sure that your organization did not send out this email? If you answer yes to these two question, then you are likely to be dealing with a phishing attack. Next, look through the source line by line and pick out the interesting things from the source (email address, link to the phishing site, other URL links).
In the email, there should be a link to the phishing site which is where the victims hand over their valuable information. Get yourself prepared before visiting that site, you really don't know what you are dealing with here. There could be a 0-day browser exploit on the phishing site waiting for you. As the first step, fire up wget to download and save the source of the website. Take a quick look at the source and examine it very carefully for any potential malicious commands. Another way to do this is to use an online service called Master Snooper, it will reveal the source for you without using your browser.
http://www.willmaster.com/master/snooper/MasterSnooperV2.cgi
There is likely a HTML form where the victims are asked to send in their information, check to see where the information are being sent to, does it get send back to the same site or another host?
Submit the spamming host to all realtime blocklist
Feeling the urge to stop this attack? Let's get to the source of the problem - the email. Victims get to the phishing site because of these emails. Stopping the email spread could potentially reduce the number of people exposed to the attack. The email provided information about where this email was sent from (IP address). There are multiple ways of stopping the spread of this email. 1. Contact the organization hosting the mail server - this can be very time consuming and not very rewarding, since it is just too slow. Attempt this only if you know you can stop that mail host quick or you have enough people on your team to handle this. 2. Submit the source IP to the realtime mail blocklist. After the source IP is blocklisted, the mailservers on the Internet subscribing to the blocklist will start blocking email from the spamming host, effective cutting down the number of emails getting to potential victims.
Get your public affairs people involved
Since phishing email can reach a lot of people and your company is probably famous, the press people pick up on these things real quick. Before you know it, they are already calling your company about it. Get your public affairs people involve early on in the incident handling process and keep them informed. This saves your company from mis-representation of information leading to reputation damage.
Inform customers
During the attack, you probably want to coordinate a way to inform customers that such an attack is underway. The best way to inform customers is different for every company. For some, a small notice on the company's main website is sufficient.
Report to external teams
In the high stress incident handling mode, any handler would benefit from expert help. There are incident handling team dedicated to help you out in emergencies like this. Since you are reading this diary, SANS ISC is one good candidate to help you out. antiphishing.org is dedicated for phishing attacks. There are also other government teams that will be able to help you out. Contact them and seek help.
Report to police
Depending on your company policy and local laws, you may be required to report the incident to police. Contact them early on and seek advise, some police force may have experience on dealing with phishing attack and may offer help. There is a very high chance that the phishing site is located in another country, they usually poses a big problem for the local police force.
Contact the hosting parties
In normal incident handling, you would want to isolate and eradicate the problem. The problem with phishing attack is - you do not own the phishing site. Some other party does. In previous experience, most phishing sites are hosted on compromised machines at another country. Netcraft has statistics on which country hosts most phishing sites (see link below).
http://toolbar.netcraft.com/stats/countries
If the incident involve a host in your data center, you can goto the machine and yank the cable, that's the isolation right there. When dealing with a machine in another country, how do you get it done? Contact the party hosting the website (or owning the netblock) to get them to resolve the issue is almost the only way to isolate the problem. With the IP of the phishing site, you can look up the registry service (ARIN, RIPE, APNIC...) to seek out the party responsible for that netblock and their contact information. Pick up the phone and call them might yield a faster resolution.
Important thing to keep in mind here is language barrier. If you are calling another country, try to see if you have anyone on staff who can speak the local language, that will help you a lot. If you are not successful at contacting the party hosting the phishing site, consider contacting their upstream provider about the issue. In previous experience, I found larger ISP to have better understanding of security issue and better English speaking staff (if there's language barrier). If you ask nicely, they are most likely willing to contact the downstream party (their customer) and help resolve this problem. Since they usually have previous communication with their client and they speak the local language, they usually get the issue resolved pretty quick.
Ask for the log files
After you get the site shutdown, you might want to contact the phishing site hosting organization and see if they are willing to supply you with their log on the phishing site computer. With those logs, you might be able to figure out the affected customers and the lost data. Remember, the phishing site hosting party have no obligation to reveal their logs to you but ask nicely and usually they will help you out. Remember, they are probably shocked about the incident (since their host likely got compromised) and is not in the best mood, so be as gentle as possible with them. Ask nicely and you might get it.
Conclusion
That's a lot of tasks to be done which mean one thing - do not do it all by yourself. Get help! I won't go into the details of incident handling techniques and theories, but I do want to stress the importance of segregation of duties here. Unless you are superman, I don't see how you can coordinate the site shutdown and deal with the press all at the same time.
If you think you may be a high risk phishing target, do a drill on a Saturday ASAP. It will let you see if your call list need revision and expose the weakness before the incident actually happens.
I forgot to mention one important point in handling the phishing incident - pray to your God. To get the phishing site shutdown (which is the most effective mitigation), you are at the mercy of some other administrators potentially half a world away. You definitely need some luck to get that going.
Lastly, I would like to praise the team I worked with on my last phishing adventure. You know who you are and you guys really handled it well.
-------------------------------
Handler on Duty - Jason Lam, jason /AT/ networksec.org
Keywords:
2 comment(s)
My next class:
Cloud Security for Leaders | Online | US Eastern | Feb 10th - Feb 14th 2025 |
×
Diary Archives
Comments
Here is the link - http://www.killmalware.net/tricks-to-spot-phishing-attacks
Anonymous
Apr 30th 2015
9 years ago
Anonymous
Apr 30th 2015
9 years ago