Grepular

Mitigating Spear Phishing

Written 8 years ago by Mike Cardwell

In 2008, many UK and US higher education institutions started falling prey to a particular type of scam. Large numbers of emails would arrive for staff and students, pretending to be from that institution’s IT department. The emails used various stories to try to convince recipients to reply with their login credentials. Traditional spam filtering techniques couldn’t always block these emails from arriving, and despite users being told that they should never send their login details via email, some would still fall for the scam. Once the scammers received an email containing valid login details, they would use the account to perform further spear phishing attacks and spam runs.

My boss at Loughborough University suggested that it would be good if we could scan outgoing emails for working login credentials and block emails if they contained them. After all, like most organisations, our AUP specifically disallows people from sending their login details via email. So I knocked up a proof of concept application, and have been developing it for the past year. Once I got it working well, I restructured the code to turn it into a framework so that other institutions could customise and integrate it with their own mail systems, and we released it under the GPL under the name “Kochi”. It has been developed entirely in Perl, and will work with any mail system that can talk to ClamAV; I copied an interface that I knew was already well supported. The source code, documentation and support can all be accessed here.

Be warned: You need to be able to write Perl code in order to use the framework. If you need help, there are details of how to subscribe to the mailing list on the website.
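The outbound check described above, as an added Python example; it is not Kochi's code (Kochi is Perl) and does not use its API. The account store, the `Policy.WorkingCredentials` signature name and the sample messages are constructed for illustration; only the `stream: ... FOUND` / `stream: OK` reply shape is what a clamd client expects to receive.

```python
import email
import hashlib
import hmac
import re
from email import policy

# Constructed stand-in for the site's authentication backend (e.g. an LDAP
# bind); a real deployment would test candidates against the live service.
_SALT = b"constructed-salt"
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)
ACCOUNTS = {"jbloggs": _hash("Tr1cky-Pa55phrase"), "asmith": _hash("s3cond-Acc0unt")}

def credentials_work(user, candidate):
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(candidate))

TOKEN = re.compile(r"\S{6,64}")  # candidate passwords: runs of non-space chars

def body_text(msg):
    """Concatenate every text/* part of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_content() for p in parts
                     if p.get_content_maintype() == "text")

def scan(raw_message, max_checks=200):
    """Return a clamd-style verdict for one outgoing message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    text = body_text(msg)
    # Only accounts named in the body are tested, which bounds the number
    # of authentication checks a single message can trigger.
    users = [u for u in ACCOUNTS if re.search(rf"\b{re.escape(u)}\b", text, re.I)]
    tokens = list(dict.fromkeys(TOKEN.findall(text)))[:max_checks]
    for user in users:
        for tok in tokens:
            # Try the token as typed and with surrounding punctuation removed.
            for cand in {tok, tok.strip(".,;:!?\"'()<>")}:
                if credentials_work(user, cand):
                    return "stream: Policy.WorkingCredentials FOUND"
    return "stream: OK"

# Constructed sample messages: a reply that leaks a working password, and
# one that names the account but contains no valid password.
LEAK = (b"From: jbloggs@example.ac.uk\nTo: helpdesk@example.net\n"
        b"Subject: Re: Quota\n\nUsername: jbloggs\nPassword: Tr1cky-Pa55phrase.\n")
CLEAN = (b"From: jbloggs@example.ac.uk\nTo: helpdesk@example.net\n"
         b"Subject: Re: Quota\n\nMy username is jbloggs, I will not send a password.\n")
```

Because only text that authenticates successfully triggers a block, ordinary mail that merely mentions a username passes; the cost is one authentication check per candidate token, so the backend used for verification needs to tolerate that load without locking accounts.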
