Anti-phishing

There are several ways to counter phishing, both technical and non-technical. This article highlights and recaps four anti-phishing areas:

  1. Technical Anti-Phishing Techniques
  2. Non-Technical Countermeasures
  3. Simulated Phishing Campaigns
  4. Anti-Phishing Tips

Technical Anti-Phishing Techniques

Some of the most effective and widely used technical countermeasures are:

  • Using HTTPS
  • A properly configured Web Browser
  • Monitoring Phishing Sites
  • Proper Email Client Configuration
  • Using Spam Filters

Using HTTPS

A normal HTTP website is served over port 80, whereas the secure version, HTTPS, is served over port 443. With HTTPS the traffic between the browser and the server is encrypted, which stops anyone on the path from reading or altering it; hence the added S for secure. Visiting an HTTPS site is not, however, a guarantee of anything beyond that. Anyone who controls a domain can obtain a certificate for it from a public CA, so a phisher can and routinely does set up a phishing site over HTTPS, and the browser padlock only confirms that you reached the domain shown in the address bar. The best way to judge the legitimacy of a site is to inspect the certificate details: a legitimate site has a certificate issued by a reputable, trusted CA, and, more importantly, that certificate is issued for the domain you actually meant to visit rather than a lookalike.
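The check described above, as an added example that is not code from the original article. It connects the way a browser does, leaving chain, expiry and hostname verification to Python's ssl module, and then pulls out the fields worth reading, in particular which DNS names the certificate actually covers. The point it makes is that a phishing site's certificate passes every one of these checks for the phisher's own domain, so the decisive question is whether the covered name is the site you intended. SAMPLE_CERT is a constructed dict in the shape getpeercert() returns, not a real certificate; inspect_site() needs network access, everything else runs offline.

```python
"""Check a site's certificate the way a browser does, then read its details.

Added example; it is not code from the original article. Standard library
only. inspect_site() opens a real TLS connection; san_matches() and
summarize() work on the dict that ssl's getpeercert() returns, so they can
be exercised offline on the constructed SAMPLE_CERT below (not a real cert).
"""
import socket
import ssl
import sys

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc"),),
        (("commonName", "Example CA R3"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def san_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    Browser rules: an exact label-for-label match, or a wildcard that
    replaces only the whole leftmost label and leaves at least two labels
    after it (*.shop.example.com covers api.shop.example.com but not
    shop.example.com, a.b.shop.example.com, and *.com covers nothing).
    """
    host = _labels(hostname)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = _labels(value)
        if len(san) != len(host):
            continue
        if san[0] == "*":
            if len(san) >= 3 and san[1:] == host[1:]:
                return True
        elif san == host:
            return True
    return False


def _rdn_value(rdns, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s RDN tuples."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def summarize(cert, hostname):
    """The fields a user should eyeball: who issued it, for which names, until when."""
    return {
        "subject_cn": _rdn_value(cert.get("subject", ()), "commonName"),
        "issuer_cn": _rdn_value(cert.get("issuer", ()), "commonName"),
        "issuer_org": _rdn_value(cert.get("issuer", ()), "organizationName"),
        "not_after": cert.get("notAfter"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "covers_hostname": san_matches(cert, hostname),
    }


def inspect_site(hostname, port=443, timeout=5.0):
    """Connect with full verification (chain against the OS trust store,
    expiry, hostname) and return the certificate summary. Raises
    ssl.SSLCertVerificationError wherever a browser would show a warning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize(tls.getpeercert(), hostname)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print("offline sample:", summarize(SAMPLE_CERT, "api.shop.example.com"))
    if target:
        print(target, "->", inspect_site(target))
```

Run it with a hostname as the first argument to see the live summary; a self-signed or mis-issued certificate raises rather than returning a summary, which mirrors the browser interstitial. The wildcard rules in san_matches are the ones browsers enforce, so the offline part can also be used to sanity-check a certificate you exported from a suspicious site.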

Properly Configured Web Browser

Most browsers now ship with protection against navigating to known phishing sites. In older versions of Mozilla Firefox, the Security section of the General settings offered three options:

  1. Warn me when sites try to install add-ons
  2. Block reported attack sites
  3. Block reported web forgeries

Best practice is to leave all three checkboxes ticked. In current Firefox releases the same protection lives under Settings > Privacy & Security > Security as "Block dangerous and deceptive content", alongside companion options for dangerous downloads and unwanted software; it is backed by the Google Safe Browsing lists. In Internet Explorer the equivalent is the SmartScreen Filter under the Tools menu, carried forward in Microsoft Edge as Microsoft Defender SmartScreen. Turning it on means the addresses of the sites you visit are checked against Microsoft's list of reported sites, so some of your browsing data is sent to Microsoft.

Monitoring Phishing Sites

As stated, Microsoft and other organizations keep a running list of reported sites. There are also online tools you can use to check a site before navigating to it; Google Safe Browsing is one of the most popular.

Proper Email Client Configuration

As an end user you are not responsible for walking into the server room and configuring the mail server, but you do control how your email client processes messages. There are many clients to choose from, especially now that so much email is read on mobile devices, so it is important to understand the features of the one you use. Outlook is still the most popular desktop client and offers phishing-specific options: in the Junk Email options you can disable links and other functionality in messages Outlook classifies as phishing, and enable warnings about suspicious domain names in email addresses.

To check a site with Google Safe Browsing before visiting it, use the URL:

http://www.google.com/safebrowsing/diagnostic?site=

and append the address you want to check right after the =, then press Enter as you normally would. So before navigating to apple.com, you would look up apple.com through this URL first. Google now provides the same lookup through its Transparency Report (transparencyreport.google.com/safe-browsing/search?url=), which is the address to use if the older one no longer answers.

Spam Filters

Along with proper email client configuration, turn on the spam filtering your mail provider or client offers. A good filter removes most bulk phishing before it reaches the inbox, but it is not a complete defence: messages crafted for a specific target and sent in low volume are exactly the ones most likely to slip through, which is why the user-focused measures below still matter.

Non-Technical Countermeasures

The best non-technical countermeasure is user training. Making sure that members of your organization, or even your household, are aware of current phishing techniques can help them avoid becoming victims. Some organizations go further and craft phishing emails of their own to see which employees fall for them. Employees who click a link in the email, or who fail to report it as suspicious, are redirected to a training site where they must complete mandatory training and are sometimes tested on the material presented.

Another non technical measure is policies and laws. Companies create policies to protect their staff and their assets from compromise. The policies themselves are non technical in nature, but are used to create technical controls.

There are laws in place to protect consumers against spam and phishing, but these cases are hard to prosecute: the senders are difficult to identify and are frequently outside the jurisdiction of the courts that would try them.

Simulated Phishing Campaigns

A simulated phishing campaign is one where the phishing is done by the organization that is trying to protect itself. To train staff, the organization sends an in-house phishing email and sees who bites.
PhishSim, AwareEd, and SecurityIQ are one suite of phishing campaign software options. The goal of these simulated campaigns is to train users to spot suspicious emails. The best way to deploy them is not settled. Should you tell users that this training technique is in use? If so, how much do you tell them? Do you treat it like a fire drill, announcing that one is coming while keeping the timing a surprise? If you announce the date and time, you not only lose the element of surprise but risk making users numb to real phishing attempts, which increases risk.

Most simulated phishing platforms let the company build its own campaign and monitor the results, which means you can keep statistics on the effectiveness of the program over time. The goal is continued education, not berating or belittling users. This type of campaign is controversial, but there are studies backing its effectiveness, showing that users are better informed after such launches. Simulations can also keep pace with current trends instead of staying stuck on old lures. The Nigerian prince emails that ask for money in order to release money are almost 20 years old; today there are many phony eFax notifications designed to make unsuspecting users believe they have received a fax, which could easily catch the attention of someone who receives faxes at their desk at work. As the real attacks change, so do the simulated "attacks" (Higgins, 2013).
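The statistics the paragraph refers to, as an added example that is not code from the original article or from any of the products it names. It reads an event log of who was sent the lure, who clicked, who submitted credentials and who reported it, and turns that into campaign-level rates and a campaign-over-campaign trend. The log format (one JSON object per line with campaign, user, event and time fields), the event names and SAMPLE_LOG itself are this example's own assumptions and constructed data; real platforms export their own schemas. Nothing it returns is keyed by user, on purpose: the program is what is being measured.

```python
"""Measure simulated phishing campaigns from an event log.

Added example; not code from the original article or from any vendor.
The log format (one JSON object per line: campaign, user, event, time) and
the event names sent/clicked/submitted/reported are this example's own
assumptions, and SAMPLE_LOG is constructed data.
"""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
{"campaign": "2024-Q1", "user": "u1", "event": "sent", "time": "2024-02-05T09:00:00"}
{"campaign": "2024-Q1", "user": "u2", "event": "sent", "time": "2024-02-05T09:00:00"}
{"campaign": "2024-Q1", "user": "u3", "event": "sent", "time": "2024-02-05T09:00:00"}
{"campaign": "2024-Q1", "user": "u4", "event": "sent", "time": "2024-02-05T09:00:00"}
{"campaign": "2024-Q1", "user": "u5", "event": "sent", "time": "2024-02-05T09:00:00"}
{"campaign": "2024-Q1", "user": "u4", "event": "reported", "time": "2024-02-05T09:03:00"}
{"campaign": "2024-Q1", "user": "u1", "event": "clicked", "time": "2024-02-05T09:05:00"}
{"campaign": "2024-Q1", "user": "u1", "event": "submitted", "time": "2024-02-05T09:06:00"}
{"campaign": "2024-Q1", "user": "u2", "event": "clicked", "time": "2024-02-05T09:12:00"}
{"campaign": "2024-Q1", "user": "u3", "event": "clicked", "time": "2024-02-05T09:40:00"}
{"campaign": "2024-Q1", "user": "u3", "event": "reported", "time": "2024-02-05T09:41:00"}
{"campaign": "2024-Q2", "user": "u1", "event": "sent", "time": "2024-05-07T09:00:00"}
{"campaign": "2024-Q2", "user": "u2", "event": "sent", "time": "2024-05-07T09:00:00"}
{"campaign": "2024-Q2", "user": "u3", "event": "sent", "time": "2024-05-07T09:00:00"}
{"campaign": "2024-Q2", "user": "u4", "event": "sent", "time": "2024-05-07T09:00:00"}
{"campaign": "2024-Q2", "user": "u5", "event": "sent", "time": "2024-05-07T09:00:00"}
{"campaign": "2024-Q2", "user": "u1", "event": "reported", "time": "2024-05-07T09:02:00"}
{"campaign": "2024-Q2", "user": "u3", "event": "reported", "time": "2024-05-07T09:05:00"}
{"campaign": "2024-Q2", "user": "u4", "event": "reported", "time": "2024-05-07T09:07:00"}
{"campaign": "2024-Q2", "user": "u2", "event": "clicked", "time": "2024-05-07T09:08:00"}
"""


def parse_log(text):
    """One JSON object per line; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"])
            events.append(rec)
    return events


def campaign_metrics(events):
    """Population-level numbers per campaign. The program is being measured,
    not individual employees, so the returned structure is not keyed by user."""
    first = defaultdict(lambda: defaultdict(dict))  # campaign -> user -> event -> first time
    for e in events:
        seen = first[e["campaign"]][e["user"]]
        if e["event"] not in seen or e["time"] < seen[e["event"]]:
            seen[e["event"]] = e["time"]

    results = {}
    for campaign, users in first.items():
        sent = {u: ev for u, ev in users.items() if "sent" in ev}
        n = len(sent)
        clicked = [u for u, ev in sent.items() if "clicked" in ev]
        submitted = [u for u, ev in sent.items() if "submitted" in ev]
        reported = [u for u, ev in sent.items() if "reported" in ev]
        # Clicked first, then reported: the lure worked but the alarm was still raised.
        late = [u for u in reported if "clicked" in sent[u] and sent[u]["clicked"] < sent[u]["reported"]]
        delays = [(sent[u]["reported"] - sent[u]["sent"]).total_seconds() / 60 for u in reported]
        results[campaign] = {
            "sent": n,
            "click_rate": round(len(clicked) / n, 3) if n else 0.0,
            "submit_rate": round(len(submitted) / n, 3) if n else 0.0,
            "report_rate": round(len(reported) / n, 3) if n else 0.0,
            "reported_after_clicking": len(late),
            "minutes_to_first_report": min(delays) if delays else None,
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return results


def trend(metrics):
    """Campaign-over-campaign view, sorted by campaign name: 'improved' means
    fewer clicks and more reports than the previous run."""
    rows, prev = [], None
    for name in sorted(metrics):
        m = metrics[name]
        improved = prev is not None and m["click_rate"] < prev["click_rate"] and m["report_rate"] > prev["report_rate"]
        rows.append((name, m["click_rate"], m["report_rate"], improved))
        prev = m
    return rows


if __name__ == "__main__":
    for name, click, report, improved in trend(campaign_metrics(parse_log(SAMPLE_LOG))):
        print(f"{name}: click={click:.0%} report={report:.0%} improved={improved}")
```

Two of the numbers are worth watching more than the click rate the vendors headline: the report rate (did anyone raise the alarm, and how quickly) and the count of people who reported after clicking, since someone who falls for the lure but still reports it gives the incident response team its earliest warning in a real attack.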

Anti-Phishing Tips

Start by examining the To and From lines of a suspicious email. Make sure it came from a sender you actually know. Even if it did, look at the To line to see whether you are the only recipient. Phishing emails are often sent from a compromised account, and the new "owner" of that account, perhaps to save time and typing, will send the message to as many recipients as possible. If you are one of many recipients and do not recognize the others, be wary. In the age of social media the chain emails of the 90s and 2000s are almost obsolete; they have become status updates and shared links, so a legitimate mass forward from a friend is rarer than it used to be.

Before opening an email, hover the mouse over the sender to check that the address behind the name in the From line really is that sender. A small box appears with the message's metadata; compare it with what your inbox shows. The display name is free text chosen by whoever sent the message, while the address is where it actually came from, so a familiar name over an unfamiliar mailbox is a warning sign.

If these initial steps raise no alarms and you open the email, examine any images, attachments or URLs it contains as well. Many phishing emails link to cybersquatting and typosquatting sites: domains that imitate a real brand, or differ from it by a single typo, in the hope you will not notice. Microsoft publishes tips on spotting and avoiding them, including keeping your browsers up to date with current security patches, bookmarking the sites you use so you never have to type the address, and using HTTPS addresses whenever you enter personal or financial information.
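The checks from the last three paragraphs, as an added example that is not code from the original article. It parses a raw message and flags the things a careful reader would notice by eye: a brand in the display name over a different mailbox, a sender or link domain that is a near-miss for a known brand (the typosquat case), a Reply-To that diverts answers elsewhere, a long visible recipient list, and a link whose text shows one site while its href goes to another. SAMPLE_EMAIL is constructed, KNOWN_BRANDS is an assumed list of domains the reader trusts, and the thresholds and finding names are this example's own choices rather than any published standard. It runs on a saved .eml file just as well: triage(open("suspicious.eml").read()).

```python
"""Triage a raw email for the phishing indicators described above.

Added example, not code from the original article. Standard library only.
SAMPLE_EMAIL is constructed, KNOWN_BRANDS is an assumed list of domains the
reader trusts, and the thresholds and finding names are this example's own.
"""
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: brand in the display name, lookalike mailbox, replies
# diverted elsewhere, several recipients, and a link whose text lies.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
Reply-To: collect@mail-drop.example.net
To: a.user@corp.example, b.user@corp.example, c.user@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a> within 24 hours.</p>
<p>Your <a href="https://efax.examplebank.com/fax/1234">new fax</a> is waiting.</p>
</body></html>
"""
KNOWN_BRANDS = {"examplebank.com"}  # assumption: domains the recipient trusts
MASS_MAIL_THRESHOLD = 2             # assumption: more visible recipients is unusual


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host (assumption: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats of a known brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, brands=KNOWN_BRANDS, max_distance=2):
    """Return the brand a domain imitates: close to it but not equal to it."""
    for brand in brands:
        if domain != brand and edit_distance(domain, brand) <= max_distance:
            return brand
    return None


def triage(raw):
    """Return (code, detail) findings; an empty list means nothing stood out."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.rpartition("@")[2])
    brand = lookalike(from_domain)
    if brand:
        findings.append(("lookalike_sender", f"{from_domain} imitates {brand}"))
    name = "".join(ch for ch in display.lower() if ch.isalnum())  # the hover check
    if any(b.split(".")[0] in name and from_domain != b for b in KNOWN_BRANDS):
        findings.append(("display_name_mismatch", f"{display!r} sent from {from_addr}"))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable(reply_to.rpartition("@")[2]) != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to}"))
    recipients = getaddresses([str(msg.get(h)) for h in ("To", "Cc") if msg.get(h)])
    if len(recipients) > MASS_MAIL_THRESHOLD:
        findings.append(("many_recipients", f"{len(recipients)} visible recipients"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _Links()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = registrable(urlsplit(href).hostname or "")
            # visible text names one site while the href goes to another
            if text.startswith(("http://", "https://")) and registrable(urlsplit(text).hostname or "") != href_host:
                findings.append(("link_text_mismatch", f"shows {text}, goes to {href}"))
            brand = lookalike(href_host)
            if brand:
                findings.append(("lookalike_link", f"{href_host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EMAIL):
        print(f"{code:22} {detail}")
```

The second link in the sample, to efax.examplebank.com, is deliberately left alone: a subdomain of a trusted brand is not a lookalike, and the point of the edit-distance check is to catch examp1ebank.com without also flagging every legitimate host the brand operates.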

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT, whose functions are now part of CISA) also releases warnings about current technology threats.

US-CERT's tips include using separate email accounts for different purposes, scanning files with updated antivirus software, and trusting your instincts: if something seems suspicious, it probably is. Unfortunately, phishing attacks are not in decline, so maintain your vigilance and caution in order to protect your assets.

Conclusion

In conclusion, there are several ways to counter phishing, including:

  1. Technical Anti-Phishing Techniques
  2. Non-Technical Countermeasures
  3. Simulated Phishing Campaigns
  4. Anti-Phishing Tips

We will never be able to fully avoid or deter phishing attempts, but we can do our best to protect our assets, and keep users trained on current phishing trends.

Be Safe

Section Guide

Tyra Appleby

View more articles from Tyra

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.