topic Re: Google Docs Phishing Issues in General Topics

Google Docs Phishing Issues

jhickey — Tue, 08 May 2012 12:16:50 GMT

So I dont know if its just us but we are getting hammered with phishing requests to google docs web sites. The latest is:

https://docs.google.com/a/smps.k12.ok.us/spreadsheet/viewform?formkey=dGdKTFpTcW5KVVF1UGxJTFJ0aF9UdHc6MQ

My URL Filter wont block this because it is SSL. It can read the cert which points to *.google.com but not the specific URL.

Now, I'm not opposed to turning on SSL decryption but I dont want to turn it on for everything. Also, I dont understand how I can create the rule using IP Addresses as I'm sure docs.google.com has hundreds of IP Addresses associated with it. I also cant import a cert to everyones machine. Thats just not practicle.

I'm angry that google would let this go on but its becoming a real issue for us.

Are there any creative ideas out there on how to block this type of SSL phishing attempt ?

Justin

Re: Google Docs Phishing Issues

essnet — Tue, 08 May 2012 16:33:43 GMT

Patch your users

Well there are billions of phishing URLs around the world. Defeating phishing is usually a problem of education. The form you pasted here can be duplicated/reacreated with a new URL/ID everyday, so it would never end in URL blacklist.

Re: Google Docs Phishing Issues

jickfoo — Tue, 08 May 2012 17:41:31 GMT

Well, I fully understand the need for training users and we do that but there are those who will never learn/listen. URL Filtering is a critical piece of our security arsenal. We pay money to have a company (PaloAlto and Brightcloud) find and categorize websites. I understand it cannot be 100% accurate or up to date.

Google Docs is a safe haven for Phishers is it not ? They hide behind a legit certificate which PA cannot filter on because it is not the same as the URL. If I was Google I would be concerned and I'm sure they are.

I can create a decryption rule but do not want to turn this on for everywhere. I'd have to think that any list of google subnets would be only temporarily accurate at best.

It's a pickle.

Re: Google Docs Phishing Issues

mharding — Tue, 08 May 2012 20:39:55 GMT

The future problem of security. Everyone hiding behind SSL.

I would say you could either use SSL Decryption, block Google Docs, or get fancy and use the Block and Continue function of the URL filtering to include a nice message about phishing scams.

Re: Google Docs Phishing Issues

essnet — Tue, 08 May 2012 20:41:44 GMT

anyway, anyone can create a new google account everyday, and create a doc with a form like you showed in a few seconds. Does it mean that Brightcloud should ban the X millions clones of same phishing form ? Pointless and performance hungry.

Re: Google Docs Phishing Issues

mikand — Tue, 08 May 2012 20:45:35 GMT

If URL filtering is such critical piece of your security arsenal then you REALLY should enable ssl decryption (for all outbound ssl connections).

This way the URL filter can do a better job and you will also be able to perform IDP, file, AV and other filtering on the flows.

You can in the decryption policy for example exclude banking if you have some privacy concerns in your organisation and at the same time make sure that ssl flows that cannot be decrypted will be blocked.

Also dont forget to change that "url-filtering <name> license-expired" so it will "block" if your URL filtering license expires (otherwise ALL sites will suddently be available).

Re: Google Docs Phishing Issues

jhickey — Tue, 08 May 2012 21:10:25 GMT

essnet,

If they then advertise this website to millions of users then yes, brightcould should find reports of this instance and block it. They are already doing it. I look up the links in their database and more often then not they are correctly identified as 'Phishing and Other Scams'. I dont get the argument against URL filtering.

I'll kick the tires with SSL Decryption.

Thanks,

Justin