08-20-2014 09:28 AM
Hi all. We are trying to come up with a way to prevent our users from entering their credentials on bogus websites. The problem starts with a phishing email being received that contains a link to a malicious site and asks them to log in or update their info. Users click the link and then proceed to enter their username and password and submit the credentials to the site.
Is there a way to block this as it's happening? The URLs are always new and varying. Maybe the use of a custom signature or data pattern? All user IDs follow the same format of letters and numbers and have the same length of characters. I welcome your thoughts on this and any help would be greatly appreciated.
Tim
08-21-2014 06:55 PM
Tim,
Your question or idea does spark some thought. The fact that your userids follow a defined format is helpful. The challenge is the pattern you are looking for could be found in existing traffic flows. On the plus side the http method would be a POST which would help narrow it down. The other challenge is that users log into legitimate websites and they could use a similar userid pattern. While we have created lots of custom vulnerability and spyware signatures, we are generally looking for a specific string. What we have had success with is tweaking our email / spam gateway to identify word patterns used by the Phishers and blocking those email messages. Not to say that is 100% effective but we have found a lot of success. Add the blocking or continue option for unknown and parked url categories will help also.
Phil
09-14-2014 03:07 PM
I would consider blocking these domains with PANDB url filtering: malware, phishing, parked and unknown.
As you stated, new phishing domains are popping up all the time; this is why it is a good idea to also block parked and unknown. Parked domains will take care of the malicious domains which were registered long ago and suddenly became active; unknown domains will take care of the domains PANDB has yet to categorize. Then once PAN has rescanned the site, it would go to either malware or phishing. This way, you block the sites at each level of the domain lifecycle.
09-15-2014 03:04 AM
I agree that blocking parked domains is low risk.
But there are a heck of a lot of active websites in the unknown category. I would have a look at the actual usage of unknown on your network and what the sites are before blocking that category. You could be in for a lot of tickets on legitimate traffic being denied.
09-15-2014 04:59 AM
I agree that blocking unknown causes more work as a lot of legit websites are still in the unknown category. Luckily, it is easy to create whitelisting rules for this. I typically create a new URL category and white list the domains there that are blocked via unknown.
From the security standpoint though, there may be a lot of malware sites classified as unknown. E.g. when I look through the logs at malware blocked, especially involving files flagged by WF, the domain is classified as unknown. So you certainly reduce the attack surface when you block unknown. You just have to keep in mind, you are committing to your users that you will whitelist the domains they need.
As always, security is a balancing act.
But I have blocked the unknown category for most of my clients. The first few days is when you find the most domains being blocked due to being category unknown. So you may whitelist a lot in the first few days; once you get past that period, it is pretty smooth sailing.
Last note that on that. When you have the PAN do cert checking, most of the OCSP sites it calls out to are flagged as unknown. So do not block unknown for your PAN mgmt interface(s). Other than that, no issues thus far.
09-15-2014 05:00 AM
Also, if you find legit sites which are flagged as unknown. I would certainly recommend submitting a change request so they can classify it correctly as this helps everyone else in the PAN community.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
