User Reported Phishing

Information Security procedure for User Reported Phishing

Email sent to report-phish@tufts.edu will automatically create a ticket in the TechConnect system. TechConnect will notify the Information Security team of the creation of a new ticket.

The Standard Operating Procedure for such user reported phishing tickets is:

  1. The staff member who will attempt to resolve the issue should immediately assign the ticket to themselves.
    1. In TechConnect, press the 'Take' link.
  2. If the ticket is in the 'abuse' queue, click on the "Basics" field in TechConnect and move it to the "uit-user-phish-reports" queue.
  3. If the phishing attempt contains a URL:
    1. Test the URL at the Trend Micro Site Safety Center: http://global.sitesafety.trendmicro.com/ If the URL is not already marked as malicious, submitting it schedules a scan by Trend Micro.
      1. Once it is rated malicious, Tufts clients running the Trend Micro / OfficeScan AV client will be blocked from visiting the URL.
      2. If the site is malicious but Trend Micro has not flagged it, log into the Trend Micro Smart Protection Server: https://tabvmtrend2.tufts.ad.tufts.edu:4343/ and block the URL manually.
        1. This blocks the URL for any Tufts client running Trend Micro OfficeScan 10.6.
    2. Test the URL at the VirusTotal scanner: https://www.virustotal.com/index.html Click on the "Submit a URL" tab
      1. You may request VirusTotal to re-analyze a page at any time.
      2. VirusTotal will report on the status of the URL from several major anti-malware vendors.
    3. Report the URL and phishing email to PhishTank.com: http://www.phishtank.com/add_web_phish.php Use the group account named "TuftsInfoSec"; email is_team@tufts.edu if you need the credentials.
      1. PhishTank feeds OpenDNS and other phishing-monitoring services.
    4. Report the URL and phishing email to Google Safe Browsing: http://www.google.com/safebrowsing/report_phish/ Safe Browsing is the source of the page-level warnings in Google Chrome and Firefox; Google also shares its data with StopBadware.org.
    5. Run a WHOIS query on the URL's hostname (query the registered domain, not the full URL). Example from a bash shell prompt: whois tufts.edu
    6. Contact the site administrator listed in the WHOIS result and the relevant "abuse" address for the domain's hosting provider or registrar (for example, abuse@dot.tk). Send a modified version of the following template above the forwarded phishing email:
      Subject: Phishing abuse at (REPORTED URL)
      Greetings,
      You may not yet be aware of the malicious activity at the following URL: (OBFUSCATED VERSION OF REPORTED URL, e.g. hxxp:// for http:// and [.] for each dot, so the recipient can't fall victim to their own link)
      Unfortunately, this URL is being referenced in an email-based phishing attack against users in my organization. Many of our users have received emails directing them to provide their credentials to this illegitimate web form. Can you please investigate the matter and take this page offline if possible and appropriate?
      Thank you and please let me know if I can provide any further information.
      (YOUR NAME)
      Tufts Information Security Operations
      (617) 627-6070
  4. Note the IP address the URL's hostname resolves to (for example with dig or host). Execute an ArcSight Logger query for traffic directed at this IP address. Example: destinationAddress = "130.64.205.66"
    1. For each result, identify the owner of the Tufts source IP address (check DHCP logs in Splunk, Bluecat/Proteus entries, etc.).
    2. Investigate each user who may have accessed the malicious URL. If any of them is high risk, contact their FSP or contact them directly.
  5. Note the Tufts user who forwarded the phishing email. Send them a modified version of the following template, adding any personal touches you think appropriate.
    Subject: Regarding the "(SUBJECT OF PHISHING EMAIL)" phishing attempt
    Thank you for notifying information security of the recent phishing attempt.

    We depend on your assistance for detecting and responding to these attacks. Reporting them doesn't just help prevent future annoyance; it can help protect your colleagues.

    In response, we've notified Google Safe Browsing and Trend Micro that the web page is malicious. If you or anyone else at Tufts uses Google Search, Google Chrome, Firefox, or the Tufts-provided anti-virus, you and they should no longer be able to access that page. We've notified (PHISHING URL HOST) that they're hosting a malicious page and requested they remove it or restrict access. We will be monitoring traffic to the (PHISHING URL HOST) IP address to detect other users who may be accessing the page (note: we do not see what you submit, just the IPs to which you connect; we do care about privacy here).

    You may always forward such phishing attempts to abuse@tufts.edu or report-phish@tufts.edu.

    Thanks again,
    (YOUR NAME)
    Information Security Operations
    (617) 627-6070

  6. Resolve the TechConnect ticket, noting that you followed this procedure.
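The following Python script is an added example, not part of this SOP or of any Tufts tool. It covers the analyst-side parts of steps 3.5, 3.6, 4 and 5 that can run offline: extracting the hostname that the WHOIS and DNS lookups key on, obfuscating ("defanging") the URL before it goes into the abuse notice, rendering the two templates above, building the ArcSight Logger query for the phishing host's IP, and running the same destination-IP match over log lines to produce the list of campus source IPs that need the DHCP/Bluecat lookup. The phishing URL (login.example.com), the phishing IP (203.0.113.45) and the log lines are constructed for the example, and the log format is a simplified key=value form, not ArcSight's; live whois, dig and ArcSight calls are left to the analyst.

```python
"""Offline triage helpers for a user-reported phishing URL (added example)."""
import re
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Hostname of a reported URL; the scheme may be missing ('example.com/x')."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def defang(url: str) -> str:
    """Make a URL non-clickable: http:// -> hxxp://, every '.' -> '[.]'."""
    url = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")


def abuse_notice(url: str, your_name: str) -> str:
    """Step 3.6 abuse notice; only the defanged URL appears, subject included."""
    safe = defang(url)
    return (
        f"Subject: Phishing abuse at {safe}\n\n"
        "Greetings,\n\n"
        f"You may not yet be aware of the malicious activity at the following URL: {safe}\n\n"
        "Unfortunately, this URL is being referenced in an email-based phishing attack "
        "against users in my organization. Many of our users have received emails directing "
        "them to provide their credentials to this illegitimate web form. Can you please "
        "investigate the matter and take this page offline if possible and appropriate?\n\n"
        "Thank you and please let me know if I can provide any further information.\n\n"
        f"{your_name}\nTufts Information Security Operations\n(617) 627-6070\n"
    )


def user_reply(phish_subject: str, url: str, your_name: str) -> str:
    """Step 5 reply to the reporting user; names the host, never the live link."""
    host = hostname_of(url).replace(".", "[.]")
    return (
        f'Subject: Regarding the "{phish_subject}" phishing attempt\n\n'
        "Thank you for notifying information security of the recent phishing attempt. "
        "We depend on your assistance for detecting and responding to these attacks.\n\n"
        "We've notified Google Safe Browsing, PhishTank and Trend Micro that the page is "
        f"malicious and asked {host} to remove it. We will be monitoring traffic to the "
        f"{host} IP address (we do not see what you submit, just the IPs you connect to).\n\n"
        "You may always forward such phishing attempts to abuse@tufts.edu or "
        f"report-phish@tufts.edu.\n\nThanks again,\n{your_name}\nInformation Security Operations\n"
    )


def arcsight_query(phishing_ip: str) -> str:
    """The ArcSight Logger search from step 4, ready to paste."""
    return f'destinationAddress = "{phishing_ip}"'


# Constructed sample log lines in a simplified key=value format (NOT ArcSight CEF),
# used only so the destination-IP match can be exercised offline. 203.0.113.45
# stands in for the phishing host; the 130.64.x.x addresses are campus clients.
SAMPLE_LOGS = [
    "2013-04-02T10:15:01 src=130.64.12.34 dst=203.0.113.45 dport=80 action=allow",
    "2013-04-02T10:15:07 src=130.64.12.34 dst=198.51.100.9 dport=443 action=allow",
    "2013-04-02T10:16:22 src=130.64.99.7 dst=203.0.113.45 dport=80 action=allow",
    "2013-04-02T10:17:45 src=130.64.12.34 dst=203.0.113.45 dport=80 action=allow",
    "2013-04-02T10:18:03 src=130.64.200.1 dst=203.0.113.46 dport=80 action=allow",
]


def internal_sources(log_lines, phishing_ip: str) -> list:
    """Distinct source IPs that connected to the phishing IP (step 4.1 work list)."""
    hits = set()
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        if fields.get("dst") == phishing_ip:
            hits.add(fields["src"])
    return sorted(hits)


if __name__ == "__main__":
    reported = "http://login.example.com/secure/index.php"  # constructed phishing URL
    print("whois/dig target:", hostname_of(reported))
    print("defanged        :", defang(reported))
    print("ArcSight query  :", arcsight_query("203.0.113.45"))
    print("campus sources  :", internal_sources(SAMPLE_LOGS, "203.0.113.45"))
    print(abuse_notice(reported, "(YOUR NAME)"))
```

Note that defang() also brackets the dot in a path component such as index.php; that is intended, since the point is that nothing in the notice is clickable. The source IPs returned by internal_sources() are the addresses to look up in the Splunk DHCP logs and Bluecat/Proteus before contacting the users or their FSP.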

Notes about this procedure:

  • This is a coarse first draft.
  • It will not scale if we start receiving a higher volume of phishing notifications.
  • It is adequate for the 5-10 notifications per month we receive at the time of writing.

Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.