[41633] in Resnet-Forum


Re: Phishing victims' turned into spammers

daemon@ATHENA.MIT.EDU (Randy Kouns)
Mon Apr 17 11:28:39 2017

Message-ID:  <CAJ0ztaJNHLDAfH8M6CmReix9c_b6UrKfL9Jx-3iw0x+E+P2Axw@mail.gmail.com>
Date:         Mon, 17 Apr 2017 10:40:21 -0400
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Randy Kouns <randykouns@GMAIL.COM>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <CAD6i8oK=--LBR_v4SUzxk-GYuZYA1i=aw4ZL7j3LCK4pT-dwtA@mail.gmail.com>

Friends,

Although I am no longer in Higher Ed, I maintain an eye on this listserv
for great information and trends. This one involves a problem that
exists in all areas of Network/Email management, regardless of the
organizational type.

As many of you know, I have gone to the dark side of City Government; we
are a smaller community (36,000) with approximately 350 employees. In an
effort to be proactive against spammers and phishing attempts, we began a
training program for our employees, based on the SaaS "KnowBe4". This was
recommended to me by our local Electric/INTERNET Coop provider after they
experienced great success. For those of you unfamiliar with KnowBe4, they
provide a method to send spoofed emails to a list you provide; they have
close to 100 templates that can be customized as you see fit. The embedded
link not only sends the "clicker" to a webpage of your choice (ex: you have
failed the phishing test) but also records the OPENERS and Clickers, so
that they can receive direct training. You can also send "clickers"
directly to a training video that they must complete.

I know this does not answer the problem William wrote about, but from our
results in using the package it does provide the end user with training and
has reduced our number of infections/victims. On our initial test (no
advance warning to our users) we had about a 40% failure rate. Following
training and about a 3 month delay, our last test was down to 4%. A great
improvement.

Keep doing what you all are doing... keep the information flowing.... I
miss the Symposiums and environment... but wish you all well.

Randy Kouns
Director of Information Technology
City of Richmond, IN.

On Mon, Apr 17, 2017 at 10:08 AM, Becky Klein <becky.klein@valpo.edu> wrote:

> At Valpo, we used to have a big problem with people falling victim and
> then the scams continuing to spread across campus through the phishers
> accessing the global address book. We use Gmail, and we've found that if
> enough people report a message as phishing that Gmail automatically starts
> filtering out the offending messages from inboxes *and* disables the
> victimized account so it can no longer propagate the scam. I believe it's a
> multi-step process to unlock the account, including an admin on our side
> unlocking *and* the user changing their password.
>
> In addition, several years ago we started sending out campus-wide emails
> when we are in the midst of a phishing outbreak. Once our Help Desk
> receives five reports, we send out a message with a description of the
> message that advises people of the following: 1) don't click the link, 2)
> don't give out your login information, 3) report the message as phishing in
> Gmail. Since doing that consistently for several years now, we've noticed a
> significant decrease in the number of victims on campus, as well as better
> awareness throughout our user base of how to spot suspicious messages. At
> this point, our users are so suspicious that they are wary of legitimate
> messages! But we'd rather they be safe than sorry.
>
> -Becky Klein
>
>
> On Mon, Apr 17, 2017 at 8:26 AM, WILLIAM J. DIDOMENICO <
> didomenico@lycoming.edu> wrote:
>
>> We are dealing with an issue where some of our users who are falling
>> victim to phishing emails are having their email accounts used to send more
>> spam and phishing emails, to the point where our Exchange server and
>> Barracuda Email Security Gateway can't keep up, causing very long delays in
>> legitimate outbound email delivery.
>>
>>
>> The IT department has sent a number of messages out to our campus
>> community about the hazards of unsolicited document sharing emails, but we
>> continue to have users entering their credentials online with little regard
>> for security. Our current process is to place user accounts in a
>> pseudo-quarantine until their password is changed and their devices scanned
>> for malware, but this only happens after we notice the mail queues filling
>> up with hundreds of messages.
>>
>>
>> This cat-and-mouse game is wearing on the team, so I'd like some other
>> perspectives and advice on how to keep ahead of this type of attack and how
>> to protect users against themselves and their trusting nature.
>>
>>
>> Thanks,
>>
>> William DiDomenico
>> Network Specialist
>> Lycoming College
>> 700 College Place
>> Campus Box 142
>> Williamsport, PA 17701
>> Office: 570.321.4160
>> ___________________________________________________
>> You are subscribed to the ResNet-L mailing list.
>>
>> To subscribe, unsubscribe or search the archives, go to
>> http://LISTSERV.ND.EDU/archives/resnet-l.html
>> ___________________________________________________
>>
>
>
>
> --
>
> Becky (Belmont '97) Klein
> <http://www.google.com/calendar/embed?src=becky.klein%40valpo.edu&ctz=America/Chicago>
> Manager of IT Communications
> Valparaiso University
> Office of Information Technology
> Phone: 219.464.5986
> valpo.edu/it
>
> *New skills. Improved skills. Now. Login to Lynda.com
> <http://valpo.edu/r/lynda>!*

