05-08-2012 05:16 AM
So I dont know if its just us but we are getting hammered with phishing requests to google docs web sites. The latest is:
My URL Filter wont block this because it is SSL. It can read the cert which points to *.google.com but not the specific URL.
Now, I'm not opposed to turning on SSL decryption but I dont want to turn it on for everything. Also, I dont understand how I can create the rule using IP Addresses as I'm sure docs.google.com has hundreds of IP Addresses associated with it. I also cant import a cert to everyones machine. Thats just not practicle.
I'm angry that google would let this go on but its becoming a real issue for us.
Are there any creative ideas out there on how to block this type of SSL phishing attempt ?
Justin
05-08-2012 09:33 AM
Patch your users 
Well there are billions of phishing URLs around the world. Defeating phishing is usually a problem of education. The form you pasted here can be duplicated/reacreated with a new URL/ID everyday, so it would never end in URL blacklist.
05-08-2012 10:41 AM
Well, I fully understand the need for training users and we do that but there are those who will never learn/listen. URL Filtering is a critical piece of our security arsenal. We pay money to have a company (PaloAlto and Brightcloud) find and categorize websites. I understand it cannot be 100% accurate or up to date.
Google Docs is a safe haven for Phishers is it not ? They hide behind a legit certificate which PA cannot filter on because it is not the same as the URL. If I was Google I would be concerned and I'm sure they are.
I can create a decryption rule but do not want to turn this on for everywhere. I'd have to think that any list of google subnets would be only temporarily accurate at best.
It's a pickle.
05-08-2012 01:39 PM
The future problem of security. Everyone hiding behind SSL.
I would say you could either use SSL Decryption, block Google Docs, or get fancy and use the Block and Continue function of the URL filtering to include a nice message about phishing scams.
05-08-2012 01:41 PM
anyway, anyone can create a new google account everyday, and create a doc with a form like you showed in a few seconds. Does it mean that Brightcloud should ban the X millions clones of same phishing form ? Pointless and performance hungry.
05-08-2012 01:45 PM
If URL filtering is such critical piece of your security arsenal then you REALLY should enable ssl decryption (for all outbound ssl connections).
This way the URL filter can do a better job and you will also be able to perform IDP, file, AV and other filtering on the flows.
You can in the decryption policy for example exclude banking if you have some privacy concerns in your organisation and at the same time make sure that ssl flows that cannot be decrypted will be blocked.
Also dont forget to change that "url-filtering <name> license-expired" so it will "block" if your URL filtering license expires (otherwise ALL sites will suddently be available).
05-08-2012 02:10 PM
essnet,
If they then advertise this website to millions of users then yes, brightcould should find reports of this instance and block it. They are already doing it. I look up the links in their database and more often then not they are correctly identified as 'Phishing and Other Scams'. I dont get the argument against URL filtering.
I'll kick the tires with SSL Decryption.
Thanks,
Justin
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
