Phishing: Common Variations

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in electronic communications. Communications purporting to be from popular social networking sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting people. A phishing attack is most often initiated with a special type of spam containing a link to a misleading domain name, which appears to belong to a legitimate site. The e-mail tricks the recipient into visiting the spoofed web site, which mimics a site where the person would feel comfortable entering a username and password or other personal information.

Phishing has also been explained as leveraging or exploiting the design of web pages in a social engineering attack that tricks the user into thinking that they are in a legitimate and secure web session with a trusted site. In reality, the phishing site is designed to install malicious software or acquire personal information. The information is then used by the phisher for identity theft, to steal money, or to commit other fraudulent schemes.


Variations on Phishing

There are several variations on phishing. For example, “spear phishing” is targeted communication toward employees or members of a certain organization or online group. E-mails or other forms of communication are customized with information publicly available on web sites like Facebook or MySpace. In cases where e-mails are utilized, the e-mails will often direct people to a fake login page. An early example was the phishing attempts on AOL. A phisher would pose as an AOL staff member and send an instant message to a potential victim, asking them to reveal their password. In order to lure the victim into giving up sensitive information, the message might include imperatives such as “verify your account” or “confirm billing information”. Once the victim had revealed the password, the attacker could access and use the victim’s account for fraudulent purposes or spamming. Phishing became so prevalent on AOL that the company added a line to all instant messages stating: “no one working at AOL will ask you for your password or billing information”, though even this did not prevent some people from giving away their passwords and personal information.

“Whaling” is phishing that is targeted at corporate executives, affluent people, and other “big phish”. Like spear phishing, whaling e-mails are often customized with information directed at the recipient and sent to a relatively small number of people. One example of whaling was when thousands of bogus subpoenas appearing to be from the U.S. District Court in San Diego were “served” by e-mail on corporate executives. The e-mail contained an image of the official seal of the court and a link which purportedly led to a copy of the entire subpoena. However, the link actually led to a software installer that installed key-logging software on the user’s computer.

“Clone phishing” is a type of phishing attack whereby a legitimate, and previously delivered, e-mail containing an attachment or link has its content and recipient address (or addresses) taken and used to create an almost identical e-mail. The attachment or link within the e-mail is replaced with a malicious version and then sent from an e-mail address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or possibly an updated version of the original. This technique could be used by the attacker to pivot from a previously infected machine and gain a foothold on another machine.


External Links:

Phishing on Wikipedia

MailScanner Installation and Configuration: Part Two

In the previous article, we introduced MailScanner and covered installation as well as basic configuration. In this article, we will look at some of the other configuration options.

If we navigate to Services -> MailScanner, there are nine tabs. The second tab is “Attachments”. Under the “Attachments” heading, there are several settings. The “Attachments features” list box controls how attachments are handled. “Expand TNEF” causes MailScanner to expand TNEF (Transport Neutral Encapsulation Format) attachments. TNEF is a proprietary e-mail attachment format used by Microsoft Outlook and Microsoft Exchange Server. “Deliver Unparsable TNEF” does the opposite, and leaves TNEF attachments unexpanded. “Find Archive By Content” enables searching archives. “Unpack Microsoft Documents” expands non-TNEF Microsoft attachments, and “Zip Attachments” allows zip attachments through.

“TNEF Contents” specifies what to do when TNEF attachments are expanded. If this is set to “no”, a TNEF attachment will be listed as an attachment, but not the attachments contained therein. If, however, this is set to “add” or “replace”, then the attachments contained in the archive will be added to the list of attachments in the message, and recipients of messages sent in this format will be able to read the attachments even if they are not using Microsoft Outlook.


“Maximum Attachment Size” specifies the maximum size (in bytes) of any attachment in a message. If this is set to zero, no attachments will be allowed. If this is set to less than zero, then no size checking will be done. The default value is -1.

Scrolling down, you will see edit boxes containing two separate config files: filename.rules.conf and filetypes.rules.conf. filename.rules.conf allows or denies files based on the file’s extension, while filetypes.rules.conf allows or denies file types based on their MIME (Multipurpose Internet Mail Extensions) type.
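To make the behaviour of these two settings concrete, here is a small evaluator I wrote for this article (it is not MailScanner’s own code) that reproduces the “Maximum Attachment Size” semantics described above (zero forbids all attachments, a negative value disables the size check, a positive value is a byte limit) and applies rule files in the layout of filename.rules.conf and filetypes.rules.conf. It assumes rule lines are tab-separated fields of action, regular expression, log text and user report text, with “-” for an empty field and the first matching rule winning; the filetype rules are matched against a MIME type string as described above. The rules and attachments in the block are constructed samples.

```python
"""Attachment-policy evaluator in the style of MailScanner's Maximum Attachment
Size setting and its filename.rules.conf / filetypes.rules.conf rule files.
Added example, not MailScanner's own code.

Assumptions: rule lines are tab-separated "action<TAB>regex<TAB>log text<TAB>user
report" (with "-" for an empty field and "#" comments), the first matching rule
wins, and the filetype rules are matched against a MIME type string. All rules
and attachments below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "allow", "deny" or "deny+delete"
    pattern: re.Pattern    # matched case-insensitively with re.search
    log_text: str          # what goes in the MailScanner log
    user_text: str         # what the recipient is told


def parse_rules(text: str) -> list[Rule]:
    """Parse a rules file; malformed lines raise rather than silently allow."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 4:
            raise ValueError(f"malformed rule (need 4 tab-separated fields): {raw!r}")
        action, pattern, log_text, user_text = fields[:4]
        rules.append(Rule(action.lower(), re.compile(pattern, re.IGNORECASE),
                          log_text, user_text))
    return rules


def first_match(rules: list[Rule], subject: str) -> Rule | None:
    """First rule whose regex matches wins; None if no rule matches."""
    return next((r for r in rules if r.pattern.search(subject)), None)


def size_verdict(size: int, max_size: int) -> str:
    """Maximum Attachment Size semantics: <0 disables the check (default -1),
    0 forbids every attachment, >0 is a byte limit."""
    if max_size < 0:
        return "allow"
    if max_size == 0:
        return "deny"
    return "allow" if size <= max_size else "deny"


def check_attachment(name: str, mime: str, size: int,
                     name_rules: list[Rule], type_rules: list[Rule],
                     max_size: int = -1) -> tuple[str, str]:
    """Return ("allow"|"deny", reason). Size is checked first, then the
    filename rules, then the filetype rules; a deny from any stage is final.
    An attachment matching no rule at all is allowed here, so real rule files
    should end with an explicit catch-all line, as the samples below do."""
    if size_verdict(size, max_size) == "deny":
        return "deny", "Attachment exceeds size policy"
    for rules, subject in ((name_rules, name), (type_rules, mime)):
        rule = first_match(rules, subject)
        if rule is not None and rule.action.startswith("deny"):
            return "deny", rule.log_text
    return "allow", "-"


# Constructed sample rule files. Order matters: the double-extension rule is
# listed first so "invoice.pdf.exe" is reported as a double extension rather
# than merely as an .exe file.
FILENAME_RULES = """\
# action\tregex\tlog text\tuser report
deny\t\\.[a-z0-9]{2,4}\\.(exe|zip)$\tDouble extension\tAttachment has a double file extension
deny\t\\.(exe|scr|pif|com|bat|cmd)$\tExecutable attachment\tExecutable files are not accepted
allow\t\\.(pdf|txt|docx?|xlsx?)$\t-\t-
allow\t.*\t-\t-
"""

FILETYPE_RULES = """\
deny\tapplication/x-dosexec\tWindows executable\tExecutable content is not accepted
allow\t.*\t-\t-
"""

NAME_RULES = parse_rules(FILENAME_RULES)
TYPE_RULES = parse_rules(FILETYPE_RULES)


if __name__ == "__main__":
    samples = [  # (filename, MIME type, size in bytes); constructed
        ("invoice.pdf.exe", "application/x-dosexec", 48_000),
        ("setup.bin", "application/x-dosexec", 48_000),
        ("report.pdf", "application/pdf", 5_000_000),
    ]
    for entry in samples:
        print(entry[0], check_attachment(*entry, NAME_RULES, TYPE_RULES, max_size=1_000_000))
```

Note that the two rule files are complementary: “setup.bin” passes the filename rules because nothing in the name looks dangerous, and is only stopped by the filetype rule on its MIME type, which is why both files are worth maintaining.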

The next tab is “Antivirus”. Under the “Antivirus” heading, there are several settings. The first is “Virus scanner features”. “Virus Scanning” is enabled by default, as is “Check Filenames In Password-Protected Archives”. In addition, you can enable such features as “Deliver Disinfected Files” (deliver files after they have been disinfected by the antivirus engine), “Still Deliver Silent Viruses”, “Block Encrypted Messages”, “Block Unencrypted Messages”, and “Allow Password Protected Archives”. The next setting is “Virus scanner”, which controls which virus scanner to use. Possible settings are “auto” (let MailScanner decide what to use), “clamav” (Clam AV), “clamd” (the Clam daemon), or “none” for no e-mail scanning. “Virus Scanner Timeout” controls the maximum length of time the virus scanner is allowed to run for one batch of messages. The default is 300 seconds. The next heading, “Custom antivirus options”, allows you to add any custom parameters you need to specify.

The next tab is “Content”. The first heading is “Removing/Logging dangerous or potentially offensive content”. The first setting is the “Contents” list box, which determines what content MailScanner will scan for. The default settings are “Dangerous content Scanning”, “Find Phishing Fraud”, “Also Find Numeric Phishing”, “Use stricter Phishing Net”, and “Highlight Phishing Fraud”. Other settings include “Allow Partial Messages”, “Allow External Message Bodies”, “Convert Dangerous HTML To Text”, and “Convert HTML To Text”.


External Links:

The official MailScanner web site
MailScanner at Wikipedia

© 2013 David Zientara. All rights reserved.