We're seeing increasingly targeted and dangerous phish spam attempts

October 27, 2021

In the old days, phish spam was generally pretty crude and generally easily recognized. A lot of it still is, but we're increasingly seeing some pretty sophisticated and targeted phish spam. Some of the latest phish spam we've seen uses essentially exact duplicates of university web pages and authentication dialogs, and has relatively convincing pitches in the email to get people to click on the links. To me, this is scary and goes well beyond assuming we can be phished, as I did in 2019. In 2019, I thought that an alert person might still have a reasonable chance. Now, I think that all that's between us and a significant scale compromise is that attackers aren't that committed yet (and whatever multi-factor authentication has propagated to our user population).

The university has it somewhat worse than companies do, in that our "internal" information really isn't. Since we have a large and varied user population and almost all of our internal service websites are public, there's very little information on how the university sends out email notifications about things and what our internal websites look like that couldn't be found by a dedicated attacker. With that information in hand, the attacker could put together a basically letter-perfect fake.

(There are some technical measures the university has adopted to try to make such fake emails more obvious, but the only real mitigation is multi-factor authentication, which itself has assorted limitations.)

In light of all of this, one of the things I wonder is how long people will continue using email to deliver high-sensitivity information. One thing that has to be attractive to the university is moving to delivering all notifications about things like payroll, benefits, vacation planning, and so on (basically anything that would actively prompt people to log in) over a communication method that simply doesn't allow outsiders to send messages in.

(This is especially the case because the university already has access to such a communication method and is encouraging staff and faculty to adopt it for general use. I'm not naming the services involved because it's provided by a large commercial organization that doesn't need free publicity.)


Comments on this page:

Yet TOTP-based 2FA, which I assume is what you are using, is vulnerable to phishing as it does not authenticate the server. Shouldn't that push towards Webauthn/U2F, which while not perfect, will at least not fall for forged sites?

By Nick at 2021-10-28 04:54:27:

Is it possible to add some marker like '[External]' to the subject of emails that come in from outside the university? I guess not but why?

One answer is better tools for users. Maybe make all links in emails come through as plain-text and show as the actual URL, not the text of the link? Or do that only for links that seem to be typo-squatting? Or have an allow-list to let certain links come through as clickable links?

Users should not have to become experts at examining URLs and deciding which ones are safe/accurate.

Another feature would be "badges" on site login pages. User enters username, site verifies it and shows something unique and verifiable to the user, such as the user's profile photo. That tells the user that they're on the right site. Then they enter password and maybe 2FA.


That doesn't help at all — what's stopping the malicious site from simply relaying the entered username to the real site, getting the image from it, and then showing that to the user?
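The two mail-side mitigations proposed in the comments above, tagging external senders in the subject and flattening HTML links so the real URL is visible next to the link text, are easy to prototype. The following is an added example written for this page; it is not code from the post, the commenters, or the university. It assumes `example.edu` as the organisation's own domain and uses a constructed sample message; the mismatch check compares the hostname in the link text (when the text looks like a hostname) against the hostname in the href, which is exactly the case a look-alike login page relies on.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these are the organisation's own mail domains (placeholder).
INTERNAL_DOMAINS = {"example.edu"}
EXTERNAL_TAG = "[External]"


def host_of(s):
    """Hostname of s if it is a URL or a bare hostname, otherwise ''."""
    s = s.strip()
    if not s or any(c.isspace() for c in s):
        return ""
    if "://" not in s:
        if "." not in s:          # "here", "Click" etc. are not hostnames
            return ""
        s = "//" + s              # let urlparse treat it as a netloc
    return (urlparse(s).hostname or "").lower()


def is_external_domain(domain, internal=INTERNAL_DOMAINS):
    """True unless domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def is_external(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return is_external_domain(addr.rpartition("@")[2])


def tag_subject(subject, external):
    if external and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject


class LinkFlattener(HTMLParser):
    """Rewrite <a href="U">text</a> as 'text <U>' and record text/href host mismatches."""

    def __init__(self):
        super().__init__()
        self.out = []         # flattened text fragments
        self.href = None      # href of the anchor currently open, if any
        self.text = []        # visible text collected inside that anchor
        self.mismatches = []  # (link text, href) pairs whose hosts differ

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href", "")
            self.text = []

    def handle_data(self, data):
        (self.text if self.href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            text = "".join(self.text).strip()
            shown, real = host_of(text), host_of(self.href)
            if shown and real and shown != real:
                self.mismatches.append((text, self.href))
            self.out.append(f"{text} <{self.href}>" if self.href else text)
            self.href = None


def flatten_links(html):
    p = LinkFlattener()
    p.feed(html)
    p.close()
    return "".join(p.out), p.mismatches


def screen_message(raw):
    """Parse a raw RFC 5322 message and apply both mitigations."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    external = is_external(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text, mismatches = flatten_links(html)
    return {
        "external": external,
        "subject": tag_subject(msg.get("Subject", ""), external),
        "text": text,
        "mismatches": mismatches,
    }


# Constructed sample: a look-alike payroll notice whose visible link text names
# the real SSO host while the href points at a different domain.
SAMPLE = b"""\
From: HR Notifications <payroll@example-edu-portal.com>
To: staff@example.edu
Subject: Action required: confirm your direct deposit details
Content-Type: text/html; charset="utf-8"

<p>Please review your payroll record at
<a href="https://sso.example-edu-portal.com/login">sso.example.edu</a>
before Friday. Questions? See <a href="https://hr.example.edu/faq">the HR FAQ</a>.</p>
"""

if __name__ == "__main__":
    result = screen_message(SAMPLE)
    print(result["subject"])
    print(result["text"])
    for shown, real in result["mismatches"]:
        print(f"MISMATCH: text says {shown!r} but link goes to {real!r}")
```

Run as a script it prints the tagged subject, the flattened body with every real URL exposed, and one mismatch line for the look-alike link. The host comparison deliberately stays exact rather than trying to define "typo-squatting": a link whose text is a hostname that is not the hostname it leads to is the thing a user cannot be expected to notice, and flagging it is cheap and has no false positives on plain "click here" text.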

Written on 27 October 2021.

Last modified: Wed Oct 27 23:41:39 2021