...
- The staff member who will attempt to resolve the issue should immediately assign the ticket to themselves.
- In TechConnect, press the 'Take' link.
- If the ticket is in the 'abuse' queue, click on the "Basics" field in TechConnect and move it to the "uit-user-phish-reports" queue.
- If the phishing attempt contains a URL:
- Test the URL at the Trend Micro Site Safety Center: http://global.sitesafety.trendmicro.com/ If the URL has not yet been rated, submitting it schedules a Trend Micro scan.
- If detected as malicious, Tufts users with the Trend Micro / OfficeScan AV client will be prohibited from visiting this URL.
- If the website is malicious but not flagged by Trend Micro, log into the Trend Micro Smart Scan Protection Server: https://tabvmtrend2.tufts.ad.tufts.edu:4343/ and block the URL.
- This blocks the URL for any Tufts client running Trend Micro OfficeScan 10.6.
- Test the URL at the VirusTotal scanner: https://www.virustotal.com/index.html and click the "Submit a URL" tab.
- You may request VirusTotal to re-analyze a page at any time.
- VirusTotal will report on the status of the URL from several major anti-malware vendors.
- Report the URL and phishing email to PhishTank.com: http://www.phishtank.com/add_web_phish.php using the group account "TuftsInfoSec". Credentials for the group account are available from is_team@tufts.edu; they are not recorded in this document.
- PhishTank reports to OpenDNS and other phishing monitoring services.
- Report the URL and Phishing email to Google Report Phish: http://www.google.com/safebrowsing/report_phish/ Google will update StopBadware.org, which is the source for Firefox and IE page-level warnings.
- Run a WHOIS query on the URL hostname. Example from a bash shell prompt: whois tufts.edu
- Contact the site administrator reported in the WHOIS query, and the relevant "abuse" email address for the domain or registrar (for example, abuse@dot.tk). Send a modified version of the following template on top of the forwarded phishing email:
Subject: Phishing abuse at (REPORTED URL)
Greetings,
You may not yet be aware of the malicious activity at the following URL: (OBFUSCATED VERSION OF REPORTED URL; don't want them to fall victim to their own link)
Unfortunately, this URL is being referenced in an email-based phishing attack against users in my organization. Many of our users have received emails directing them to provide their credentials to this illegitimate web form. Can you please investigate the matter and take this page offline if possible and appropriate?
Thank you and please let me know if I can provide any further information.
(YOUR NAME)
Tufts Information Security Operations
(617) 627-6070
- Note the IP address (or addresses) the URL hostname resolves to. Execute an ArcSight Logger query for each one to detect traffic directed at that address. Example: destinationAddress = "130.64.205.66"
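The following shell script is an added example for the URL-handling steps above; it is not part of the Tufts runbook. It extracts the hostname from a reported URL, produces the obfuscated form the abuse e-mail template asks for, and, only when a URL is passed on the command line, runs the WHOIS lookup, resolves the host, and prints the ArcSight Logger query for each resulting address. The sample URL in the script is constructed for illustration, and the `getent`/`whois` calls assume a Linux host with those tools installed.

```shell
#!/bin/sh
# Added example for the phishing-URL workflow; not part of the Tufts runbook.

# Constructed sample for illustration; not a real reported URL.
SAMPLE_URL='http://login-tufts.example/secure/index.php?id=1'

# Hostname of a URL: strip scheme, path/query, userinfo and port.
# A scheme ("http://", "https://") is required; IPv6 literals in brackets
# are not handled.
extract_host() {
    h=${1#*://}       # drop scheme
    h=${h%%/*}        # drop path
    h=${h%%[?]*}      # drop query when there is no path
    h=${h##*@}        # drop userinfo
    h=${h%%:*}        # drop port
    printf '%s\n' "$h"
}

# Obfuscate a URL for the abuse report so nobody clicks it by accident:
# http -> hxxp in the scheme, and every dot in the hostname -> [.]
# Any port, path and query after the hostname are kept as-is.
defang_url() {
    u=$1
    scheme=$(printf '%s' "${u%%://*}" | sed 's/^http/hxxp/')
    host=$(extract_host "$u")
    rest=${u#*://}
    tail=${rest#*"$host"}                          # text after the hostname
    safe_host=$(printf '%s' "$host" | sed 's/\./[.]/g')
    printf '%s://%s%s\n' "$scheme" "$safe_host" "$tail"
}

# ArcSight Logger search for traffic to one destination address, in the
# syntax the runbook shows.
logger_query() {
    printf 'destinationAddress = "%s"\n' "$1"
}

# Resolve a hostname to its IPv4 addresses. A phishing host may resolve to
# several addresses, so the caller queries Logger for each one.
resolve_host() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

if [ $# -ge 1 ]; then
    # Network-dependent steps: WHOIS, DNS resolution, Logger queries.
    url=$1
    host=$(extract_host "$url")
    echo "Obfuscated URL for the abuse e-mail: $(defang_url "$url")"
    echo "--- whois $host ---"
    whois "$host"
    for ip in $(resolve_host "$host"); do
        echo "Logger query: $(logger_query "$ip")"
    done
else
    # Offline demonstration on the constructed sample.
    echo "Hostname:       $(extract_host "$SAMPLE_URL")"
    echo "Obfuscated URL: $(defang_url "$SAMPLE_URL")"
fi
```

Run it as `sh phish_url.sh 'http://<reported-url>'` to perform the lookups, or with no arguments to see the hostname extraction and obfuscation on the sample. Paste the obfuscated URL into the abuse e-mail template and the printed `destinationAddress` expression into ArcSight Logger.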
...