SANS ISC: InfoSec Handlers Diary Blog
MSN Messenger; Notable Activity on Port 903, 1063, 1978; Steps to Beat Phishing

Published: 2005-02-12
Last Updated: 2005-02-13 01:38:05 UTC
by Koon Yaw Tan (Version: 1)

MSN Messenger


Microsoft has now restricted access to the MSN Messenger service to updated versions only. Users running an outdated version will be prompted to update their software.

Microsoft has also published a KB article, http://support.microsoft.com/kb/889829, on how to disable MSN Messenger and MSN Web Messenger in a corporate environment. This will be helpful to corporations that wish to block access to .NET Messenger or MSN Web Messenger.


http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx

http://support.microsoft.com/kb/889829

http://www.microsoft.com/security/incident/im_info.mspx

Notable Activity on Port 903, 1063, 1978


There have been spikes on these ports over the last few days. If you are seeing the same trend on your end, do let us know.


http://isc.sans.org/port_details.php?port=903

http://isc.sans.org/port_details.php?port=1063

http://isc.sans.org/port_details.php?port=1978

Steps to Beat Phishing


Some of the handlers had a discussion on techniques a website owner can use to detect and beat phishing attacks. One way is to monitor referral URLs. Increasingly, phishers have taken great pains to include real content from the site they are spoofing. For example, clicking any of the links on the phishing (fake) site takes you to the actual pages of the real site. But over at the real site, the server can see the referral URL that sent you there. If the real site is getting visitors referred by any URL other than its own, it should actively serve a page with a big fat warning banner at the top saying that the user was likely just at a fake site. Note that referring URLs can also come from legitimate locations, like a local business directory or something similar, and that the Referer header is supplied by the browser and is often absent, so this is a heuristic for raising a warning rather than a hard block. Here are some of the techniques discussed that a website owner can consider to detect whether their site might be targeted by phishers:



* Use cookies to track deep-linking visitors (set a session cookie for visitors arriving at the main page, then use it to track state; warn visitors who reach a deep link without that top-level non-persistent cookie).

* Filter referral URLs coming from sites unrelated to the bank (easier said than done, but a default-deny rule would be a good place to start, particularly for the deep links).

* Provide an email address to handle questions and a FAQ.

* Use warning banners to educate users.

* Even better, issue all of your customers an X.509 certificate that they install in their browsers, and don't accept business transactions unless the certificate is valid (also easier said than done).

* Equip all customers with a hardware token that generates a one-time password (OTP). Another "easier said than done", but at least one site has implemented it.
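The referral-URL and deep-link cookie checks above can be put into code. The following is an added example written for this diary, not code from the handlers' discussion or from any bank: it classifies a request from its path, Referer and session-cookie state, and runs the same logic over access-log lines in Apache "combined" format to find the hosts that are sending visitors into deep pages. The host names, entry paths and log lines are all assumed or constructed for the example.

```python
"""Referer and cookie heuristics for spotting phishing sites that deep-link
into a real site. Added example; the host names and log lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts allowed to send visitors straight to deep links: the site itself plus
# known legitimate referrers such as a local business directory (assumed names).
ALLOWED_REFERRER_HOSTS = {"www.examplebank.example", "examplebank.example",
                          "directory.localbiz.example"}
OWN_DOMAIN_SUFFIX = ".examplebank.example"
# Pages a visitor may legitimately open directly (bookmarked or typed in).
ENTRY_PATHS = {"/", "/index.html", "/login"}

# Apache combined log: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def referer_host(referer):
    """Lower-case host of a Referer value, or None if it is absent or unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify(path, referer, has_session_cookie=True):
    """Decide what the server should show for this request.

    'ok'             entry page, or a deep link reached from an allowed host
    'warn_referrer'  deep link reached from an unrecognised host: show the
                     banner, the visitor may have just been on a fake site
    'warn_no_cookie' deep link with no session cookie from our entry page
    'unknown'        deep link with no Referer at all: cannot tell, do not alarm
    """
    if path.split("?", 1)[0] in ENTRY_PATHS:
        return "ok"
    host = referer_host(referer)
    if host is None:
        return "unknown" if has_session_cookie else "warn_no_cookie"
    # The leading dot in the suffix keeps "evil-examplebank.example" out.
    if host in ALLOWED_REFERRER_HOSTS or host.endswith(OWN_DOMAIN_SUFFIX):
        return "ok" if has_session_cookie else "warn_no_cookie"
    return "warn_referrer"


def scan_log(lines):
    """Apply classify() to access-log lines. The combined format carries no
    cookie, so only the Referer heuristic applies here. Returns the flagged
    requests and a per-referring-host count (the likely phishing hosts)."""
    flagged = []
    suspects = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        if classify(m["path"], m["referer"]) == "warn_referrer":
            flagged.append((m["ip"], m["path"], m["referer"]))
            suspects[referer_host(m["referer"])] += 1
    return flagged, suspects


# Constructed sample log: a normal session, a directory referral, a direct
# visit with no Referer, and two hits sent in by a look-alike domain.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2005:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Feb/2005:10:00:05 +0000] "GET /accounts/summary HTTP/1.1" 200 2048 '
    '"http://www.examplebank.example/login" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Feb/2005:10:01:13 +0000] "GET /accounts/summary HTTP/1.1" 200 2048 '
    '"http://secure-examplebank.example.net/verify.php" "Mozilla/4.0"',
    '198.51.100.8 - - [12/Feb/2005:10:01:20 +0000] "GET /help/contact HTTP/1.1" 200 1024 '
    '"http://directory.localbiz.example/banks" "Mozilla/4.0"',
    '203.0.113.4 - - [12/Feb/2005:10:02:44 +0000] "GET /help/contact HTTP/1.1" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [12/Feb/2005:10:03:02 +0000] "GET /help/privacy HTTP/1.1" 200 900 '
    '"http://secure-examplebank.example.net/verify.php" "Mozilla/4.0"',
]

if __name__ == "__main__":
    hits, hosts = scan_log(SAMPLE_LOG)
    for ip, path, ref in hits:
        print(f"{ip} reached {path} from {ref}")
    for host, n in hosts.most_common():
        print(f"{n} deep-link referral(s) from {host}")
```

Two design points: the referrer is treated as a default-deny allowlist only for deep links, so a bookmarked front page never triggers anything, and a missing Referer yields "unknown" rather than a warning, because browsers strip it for privacy settings and for HTTPS-to-HTTP transitions and a bank cannot afford to alarm every such visitor. The per-host counter is what an operator would watch: a new host sending several visitors into account pages is the fake site to report.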



We do in fact have a document on . Check it out.



If you have other useful input, send it to us. Thanks to Marcus Sachs, Swa Frantzen and Johannes for the great discussion.