Information Security procedure for User Reported Phishing
Email sent to report-phish@tufts.edu will automatically create a ticket in the RT TechConnect system. RT TechConnect will notify the Information Security team of the creation of a new ticket.
...
- The staff member who will attempt to resolve the issue should immediately assign the ticket to themselves.
- In RT TechConnect, click the 'Take' link.
- If the ticket is in the 'abuse' queue, click on the "Basics" field in RT TechConnect and move it to the "uit-user-phish-reports" queue.
- If the phishing attempt contains a URL:
- Test the URL at the Trend Micro Site Safety Center: http://global.sitesafety.trendmicro.com/ If the URL is not marked as malicious, it will be scheduled to be scanned by Trend Micro.
- If detected as malicious, Tufts users with the Trend Micro / OfficeScan AV client will be prohibited from visiting this URL.
- If the website is malicious but not flagged by Trend Micro, log into the Trend Micro Smart Scan Protection Server: https://tabvmtrend2.tufts.ad.tufts.edu:4343/ and block the URL.
- This will block the URL for any Tufts client running Trend Micro OfficeScan 10.6.
- Test the URL at the VirusTotal scanner: https://www.virustotal.com/index.html and click on the "Submit a URL" tab.
- You may request VirusTotal to re-analyze a page at any time.
- VirusTotal will report on the status of the URL from several major anti-malware vendors.
- Report the URL and phishing email to PhishTank.com: http://www.phishtank.com/add_web_phish.php using the shared reporting login (the username and password have been redacted from this copy). There is a group account named "TuftsInfoSec." Email is_team@tufts.edu if you need credentials.
- PhishTank reports to OpenDNS and other phishing monitoring services.
- Report the URL and Phishing email to Google Report Phish: http://www.google.com/safebrowsing/report_phish/ Google will update StopBadware.org, which is the source for Firefox and IE page-level warnings.
- Run a WHOIS query on the URL hostname. Example from a bash shell prompt: `whois tufts.edu`
- Contact the site administrator reported in the WHOIS query, and the relevant "abuse" email address for the domain or registrar (for example, abuse@dot.tk). Send a modified version of the following template on top of the forwarded phishing email:
Subject: Phishing abuse at (REPORTED URL)
Greetings,
You may not yet be aware of the malicious activity at the following URL: (OBFUSCATED VERSION OF REPORTED URL; don't want them to fall victim to their own link)
Unfortunately, this URL is being referenced in an email-based phishing attack against users in my organization. Many of our users have received emails directing them to provide their credentials to this illegitimate web form. Can you please investigate the matter and take this page offline if possible and appropriate?
Thank you and please let me know if I can provide any further information.
(YOUR NAME)
Tufts Information Security Operations
(617) 627-6070
- Note the IP address associated with the URL. Execute an ArcSight Logger query to detect traffic directed at this IP address. Example: `destinationAddress = "130.64.205.66"`
...
Thanks again,
(YOUR NAME)
Information Security Operations
(617) 627-6070
- Resolve the RT TechConnect ticket. Note that you complied with this procedure.
...
- This is a coarse first draft. It will need to be updated when RT is updated.
- It will not scale if we start receiving a higher volume of phishing notifications.
- It is adequate for the 5-10 notifications per month we receive at the time of writing.
Ideas for future improvements, if needed:
- Create an RT scrip that logs phishing emails to another server.
- Create a cron job that checks for new phishing messages, parses them for URLs, and:
  - submits them to the reporting agencies
  - reports the reporting agencies' findings
  - reports the WHOIS information and prepares a draft email to copy/paste
  - extracts IP info for each URL; executes a logger query / script to detect potential victims; reports their details and prepares mail templates?
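A starting point for the parse-and-prepare script sketched above, added here as an example and not part of this procedure or of any Tufts tooling: it pulls URLs out of a reported message, defangs them for the abuse notice, names the host to run `whois` against, and builds the ArcSight Logger filter. The sample message, the `hxxp`/`[.]` defanging style and all function names are assumptions.

```python
import re
import email
import ipaddress
from email import policy
from urllib.parse import urlsplit

# Constructed sample of a reported phishing message; not a real report.
SAMPLE_EML = """\
From: helpdesk@example.invalid
To: report-phish@tufts.edu
Subject: Fwd: Your mailbox is full

Please re-validate your account at http://login-tufts.example.invalid/verify?id=42
or use the mirror https://198.51.100.7/portal. Thanks.
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def extract_urls(raw_message):
    """Return the unique URLs in the message body, in order of appearance."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")  # trailing punctuation belongs to the prose, not the URL
        if url not in urls:
            urls.append(url)
    return urls

def defang(url):
    """Obfuscate a URL so the abuse contact cannot click it by accident."""
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp", 1) + "[:]//" + rest.replace(".", "[.]")

def hostname(url):
    """Host part of the URL, i.e. the name to run 'whois' against."""
    return urlsplit(url).hostname

def logger_query(ip):
    """ArcSight Logger filter for traffic directed at the phishing host's IP."""
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return f'destinationAddress = "{ip}"'

def abuse_notice(url, your_name):
    """Draft of the procedure's abuse email with the URL defanged."""
    return (f"Subject: Phishing abuse at {defang(url)}\n\nGreetings,\nYou may not yet be "
            f"aware of the malicious activity at the following URL: {defang(url)}\n"
            "Unfortunately, this URL is being referenced in an email-based phishing attack "
            f"against users in my organization.\n\nThank you,\n{your_name}")
```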