The Golden Hour of Phishing Attacks
Orome1 writes "Trusteer conducted research into the attack potency and time-to-infection of email phishing attacks. One of their findings was that 50 per cent of phishing victims' credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received. Given that a typical phishing campaign takes at least one hour to be identified by IT security vendors, which doesn't include the time required to take down the phishing Web site, they've dubbed the first 60 minutes of a phishing site's existence the critical 'golden hour.'"
A solution presents itself (Score:5, Funny)
Delay all email deliveries for one hour. What could possibly go wrong?
Re:A solution presents itself (Score:4, Funny)
Delay all email deliveries for one hour. What could possibly go wrong?
Then the discovery of the scam would be delayed by the hour and the "golden hour" would just be delayed.
whoosh....
NEW DISCOVERY! (Score:3)
Re: (Score:2)
If one of those whooshes by fast enough, do we get a sonic boom?
Re: (Score:2)
Actually that's not all bad as an idea. Gmail already makes mail available to you when and how it feels like it. Mail which looks like it might be phishing email could be delivered to active users proven to be discriminating first, giving a chance to subject them to a human test for scams before delivering the mail to the greater audience. I'm pretty well convinced that google already does this with spam but they don't have a "report scam" button (unfortunately.)
Re:A solution presents itself (Score:5, Insightful)
Mail which looks like it might be phishing email could be delivered to active users proven to be discriminating first,
Congratulations! Gmail has determined that you are smart and competent. Your reward is more spam.
Re: (Score:2)
Delivered-To: xxxxxxxx@gmail.com
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 1f01dd8d3layfovciatke43yaaaaabn3glabcerig44yaaaaa@email.walgreens.com designates 216.33.63.66 as permitted sender) smtp.mail=1f01dd8d3layfovciatke43yaaaaabn3glabcerig44yaaaaa@email.walgreens.com
Reply-To: "support"
Bounces_to: Walgreens.1f01dd8d3layfovciatke43yaaaaabn3glabcerig44yaaaaa@email.walgreens.com
X-SS: 1-1-10920280-574949095
X-BFI: 1f01dd8d3layfovciatke43yaaaaabn3glabcerig44yaaaaa
Date: Thu, 02 Dec 2010 08:07:40 EST
From: Adobe
Subject: Action Required : Upgrade New Adobe Acrobat Reader 2011 For Windows And Mac
To: xxxxxxx@gmail.com

ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION
This is to remind that a new version of Adobe Acrobat Reader with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released.
To upgrade your application:
+ Go to http://www.adobe-2011-downloads.net/ [adobe-2011-downloads.net]
+ Get your options, download and upgrade.
Thanks and best regards,
John Watt
Adobe Acrobat Reader Support
Copy rights Adobe 2010 © All rights reserved
A customer of mine got this email. He forwarded it to me, not because he thought it might be a scam, but because he remembered I had put on foxit reader instead.
I explained a little bit about how it wasn't from adobe and wasn't going to an adobe site.
A quick google: http://www.google.com/search?q=John+Watt+Adobe+Acrobat+Reader+Support&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a [google.com]
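Added example, not part of the original post: a defender-side check for the mismatch the poster describes, where SPF passes for one domain while the visible sender and the link claim another brand. The sample message is constructed from the headers quoted above (the envelope local-part and From address are placeholders), and the `BRAND_DOMAINS` allow-list and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: allow-list of domains each brand legitimately sends from / links to.
BRAND_DOMAINS = {"adobe": {"adobe.com"}}

# Constructed sample modelled on the quoted message; "bounce-id" and the
# From address are placeholders, not values taken from the post.
SAMPLE = """\
Authentication-Results: mx.google.com; spf=pass (google.com: domain of bounce-id@email.walgreens.com designates 216.33.63.66 as permitted sender) smtp.mail=bounce-id@email.walgreens.com
From: Adobe <support@example.invalid>
Subject: Action Required : Upgrade New Adobe Acrobat Reader 2011 For Windows And Mac

To upgrade your application: Go to http://www.adobe-2011-downloads.net/
"""

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the allowed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_mismatches(raw):
    """List (kind, brand, domain) where a claimed brand is not backed by its domains."""
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg.get("From", ""))
    claimed = (display + " " + msg.get("Subject", "")).lower()
    # SPF authenticates the envelope sender only, never the From display name.
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"smtp\.mail(?:from)?=\S*@([\w.-]+)", auth)
    envelope = m.group(1).lower() if m else None
    urls = re.findall(r"https?://[^\s\]>]+", msg.get_payload())
    hosts = {urlparse(u).hostname for u in urls}
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue
        if envelope and not in_domains(envelope, domains):
            findings.append(("envelope", brand, envelope))
        # A brand name inside a hostname is not the brand's registered domain.
        for host in sorted(h for h in hosts if h and not in_domains(h, domains)):
            findings.append(("link", brand, host))
    return findings
```

An `spf=pass` result here only confirms that 216.33.63.66 may send for email.walgreens.com; both findings come from comparing that domain and the link host against the brand named in the From and Subject lines.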
Re: (Score:1)
Did you just post a malware distribution URL? As a live href?
I hope that was munged, edited, or otherwise neutralized. Otherwise, that was reckless.
Also, as evidenced by your partially-anonymized email header, the spam zombie server seems to be associated with Walgreens. Nice piece of malware intel, there.
Re: (Score:2)
Did you just post a malware distribution URL? As a live href?
I hope that was munged, edited, or otherwise neutralized. Otherwise, that was reckless.
Also, as evidenced by your partially-anonymized email header, the spam zombie server seems to be associated with Walgreens. Nice piece of malware intel, there.
Nope, I was reckless and all I blanked out was my guy's email address. HOWEVER I'm not totally insane, the URLs didn't work for me when I checked - my thought is they had already been dealt with.
Re: (Score:2, Informative)
I'm pretty well convinced that google already does this with spam but they don't have a "report scam" button (unfortunately.)
Gmail does, in fact, have a "report scam" button. Click the menu button to the right of "Reply" in any message to "Report phishing." Done.
Re:A solution presents itself (Score:5, Insightful)
They do have a "Report Phishing" option though. Sad thing is that most people don't know what phishing is or even realize they've been victims of it until it's too late, at which point they rarely go back to gmail to report the phishing attempt.
Re: (Score:1)
Well, it's really no surprise.
We used to call it "telephone fraud" or "scamming" back when it was done over the phone and "mail fraud" when it was done via the dead tree snail-mail system. And unwanted postal advertisement was called "junk mail".
Then when it came to online we decided on the terms "phishing" for fraud and "spam" for unwanted email. Oh, but then it got worse.
Then there's "whaling" (email scams targeting people higher up in the organization), and "spear phishing" (collecting data about the p
Re: (Score:1)
Damnit, "review" fail.
Last bit should be:
"REPORT JUNK MAIL OR FRAUD" is clear, understandable, and obvious. Then when you hit a threshold for a specific message, throw it into the spam bin for everyone and force anyone who really wants to click the links on it to move it back to the Inbox first. Links in the spam bin should never, ever, ever be clickable.
Now, let's talk placement. "Report Phishing" is where, you say? Oh, under the REPLY button? That I have to open the email to get to. Oh, OK. Wait..
Re: (Score:2)
"pharming" (DNS redirect)
The name comes from "Phorm" [wikipedia.org], right?
Re: (Score:1)
No reference to it in the Wiki about Pharming.
Phorm did appear to use a form of pharming (more specifically DNS poisoning, in this case poisoned at the ISP level) to do its ugly magic. So maybe the marketing dweebs who made up the term "pharming" had some inspiration from Phorm's name in inventing their security tool marketing term.
Re: (Score:2)
Problem is, the button isn't available in list view. Most of the phish attempts I get are plainly obvious from the preview line, and the only way to report is to open it and click Report Phishing, an annoying extra step.
And that's an advantage to having multiple addr
Re: (Score:2)
There IS no button, it's a menu option! So you have to click through, find the pull-down, click it, and then click it again! This is retarded. I get WAY more phishing attempts than spam in my Inbox. It's gotten to where I just mark them as spam because I'm too lazy to drill down. Gmail interface fail.
Re: (Score:2)
...and the next problem - with the potentially bad clicks not going to google - how is google going to find out how discerning you are? ...unless they rewrote all clicks to be proxied through a google web-service, in which case google would get massive data protection enforcement issues.
Re: (Score:2)
Delay all email deliveries for one hour. What could possibly go wrong?
Not much more than happens at the moment. Our email systems typically delay incoming email from previously-unknown senders for up to an hour anyway; assuming that the message will go through straight away (let alone be read immediately) is definitely a losing proposition.
Re: (Score:2)
People's rights are being violated by criminals online. I think this qualifies as a YRO story.
I know... (Score:2)
This is up in lala land.. but you really can’t cure stupid.
What we need to do is make phishing attacks useless. Obviously a lot harder to do than say.
The best I could come up with is some kind of challenge response system, possibly with the aid of a key token, with the user’s IP address factored in. That is:
You are at the login screen.. and presented with a challenge. On the server the challenge is tied to the IP that requested the login screen. You punch the challenge into some device, it gives
Re: (Score:2)
MITM
Scrub the sites... (Score:5, Funny)
So what we need is a way to scrub those websites within the critical time period, yes? A cleaning program? A sort of "Golden Shower"?
Re: (Score:2)
Wow, what a piss poor idea. I mean it really stinks. There's so many leaks in your logic, it's amazing you managed to pee-ce it together at all.
Re: (Score:2)
Hey, who pissed in your cheerios? You should know that back at the academy I was considered to be a real whiz! Urine the presence of a powerful intellect. It would be a shame to let an idea like this go down the drain.
Education is the best medicine (Score:3)
Re: (Score:3)
Quoth Bruce Schneier:
There's nothing we can do to educate users, and anyone who has met an actual user knows that.....Rather than focus on what can we do to educate users, we need to focus on building security that doesn't require educated users.
Reference: http://www.schneier.com/news-055.html [schneier.com]
Re: (Score:2)
And all users are identical of course, and all dunces.
The fact is that most users are educable to varying degrees. How about we educate the educable while trying to think of something else to do about the rest?
IQ tests don't work. (Score:2)
Another solution (Score:1)
Dumb idea (Score:1)
Joe job [wikipedia.org]
In other news... (Score:2)
The 15 minutes it takes the cops to respond to a robbery have been dubbed "The golden quarter-hour of robberies." I would expect the majority of successes to occur before security mechanisms have started, what with them being security mechanisms and all.
Re: (Score:2)
You have an interesting point there, you should apply for a grant to fund a study.
Hypothesis; Thefts are most successful before anyone notices they are happening. Afterwards... not so much.
Recommendations; Delay thefts until after they are noticed.
Simple (Score:5, Funny)
I never answer e-mail within an hour of receipt. I'm too busy trying to make first post.
Re: (Score:2)
Erh... two reasons.
First, it's illegal. Duh.
Second... well, the enemy has the bigger guns.
The real message (Score:2)
The most scamming is successful before the Antivirus screams bloody murder when you open the mail. No, really? Duh. That's not what surprised me.
But who would have guessed that so many people actually use antivirus tools that it matters this much how fast the AV vendors react to it?
Re: (Score:1)
I help about a dozen people with their computers as "side favors", and I know of only one person at the moment on Windows who is not using Antivirus of some form. Comcast includes it for free, so anyone on Comcast I just send them the link and tell them to install it, the same is also true of most ISPs now - almost all of them include something for Antivirus.
If I drop by to help with something and there's no antivirus installed, we have a serious chat and I usually insist on installing something (at least
Re: (Score:2)
Except that both McAfee and Norton affect the computer worse than several concurrent malware infestations.
Re: (Score:2)
Well, probably when it comes to the impact on performance, but not the impact on your bank account.
Re: (Score:1)
> and it's always come back clean, so I'll give him credit that his caution is working OK for now
Current stats I've heard (they may be just flaky numbers pulled out of a certain orifice) is that A/V tools don't detect up to 50% of current professional botnet infections like Zeus, etc.
> Which works, sorta, but you want a Risky Rick who also uses Antivirus as an additional layer,
> because there's no such thing as too many layers of security.
By that reasoning, you should instead be investing in educat
Re: (Score:1)
I agree wholeheartedly. The problem is that there's no driver's test for the Internet and as inadequately as antivirus tools are capable of protecting the innocent, they are at least better than nothing at all. Whether through simple lack of time or lack of access to an educator, there is a significant population of "click on whatever looks good and damn the torpedoes" folks out there.
I've tried educating the rest of my group, with some significant success, but I can't possibly make them aware of every ri
Nothing New Here (Score:1)
Jagatic and others saw this in 2007 in their work on social phishing [acm.org] at Indiana University.
We saw the same in our PhishGuru work at Carnegie Mellon, on training people not to fall for phishing scams [cmu.edu] in 2009.
As an aside, I know many slashdotters don't believe you can train people to protect themselves from phishing. That is the standard conventional wisdom in computer security. However, we've actually demonstrated that you can, if you make it fun, timely, an
I always thought... (Score:2)
that the golden hour for phishing was right before dawn.
(rimshot)
(smattering of applause)
Thanks, I'll be here all week.
Amazing discovery! (Score:2)
This just in! Criminals are more effective while they are unknown to whoever is fighting crime! More at 11.