VPN PHISH DETECTION
Fatema Bannat Wala, Security Engineer, Technical Security Group, University of Delaware
Fatema.bannatwala@gmail.com
Quick pick – Detecting the Phish
Look at the http.log file, especially the "referrer" field. Many of the VPN-related phishes we encountered recently redirected the user to the actual login page or help logon page, making the user think that they might have typed the password incorrectly on the previous page. The goal is to not let the user realize that they have fallen for a phish.
Example http.log
1520600140.876000 C03tDa1RnO8Ht3iEil 173.200.3.103 5467 128.x.x.x 80 4 GET www1.udel.edu /it/help/connecting/vpn/ http://sslvpnudeledu.csinformationsupports.ga/login.php?tgroup=&next=&tgcookieset=&username=xxxx&password=yyyy&Login=Login 0 13795 200 OK
1520603292.774940 CDjTPd19fVp88JguMb 164.27.39.219 47201 128.x.x.x 80 1 GET www1.udel.edu /it/help/connecting/vpn/ http://sslvpnudeledu.csinformationsupports.ga/login.php?tgroup=&next=&tgcookieset=&username=xxxx&password=yyyy&Login=Login 0 13795 200 OK
1520604012.254355 CXvzEpf0Fw3JyflKb 173.141.226.94 50930 128.x.x.x 80 1 GET www1.udel.edu /it/help/connecting/vpn/ http://sslvpnudeledu.csinformationsupports.ga/login.php?tgroup=&next=&tgcookieset=&username=xxxx&password=yyyy&Login=Login 0 13795 200 OK
$ zcat http* | grep "http://sslvpnudel-edu.csinformationsupports.ga" | grep "/it/help/connecting/vpn/" | awk -F'\t' '{print $11}' | cut -d'&' -f 4,5
username=SDFGHJ&password=SDFGHJ
username=xxxxx&password=yyyyy
username=xxxxx&password=yyyyy
username=xxxxx&password=yyyyy
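A more general form of the pipeline above, as an added example that is not from the original slides: instead of grepping for one known phishing host, it flags any request to the VPN help page whose referrer is off-domain and carries a password parameter, and it reports the username without printing the password. The trusted suffix udel.edu, the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides). Input: Bro http.log, tab-separated.
# Field positions follow the slide's pipeline: $9 host, $10 uri, $11 referrer.
# HELP_HOST, HELP_URI and TRUSTED_SUFFIX are assumptions based on the example log.
HELP_HOST="www1.udel.edu"
HELP_URI="/it/help/connecting/vpn/"
TRUSTED_SUFFIX="udel.edu"

find_phish_referrers() {
    awk -F'\t' -v host="$HELP_HOST" -v uri="$HELP_URI" -v ok="$TRUSTED_SUFFIX" '
    BEGIN { OFS = "\t" }
    /^#/ { next }                          # skip Bro header lines
    $9 != host || $10 != uri { next }      # only landings on the help page
    {
        ref = $11; sub("^[a-z]+://", "", ref)          # drop the scheme
        q = ""; i = index(ref, "?")
        if (i > 0) { q = substr(ref, i + 1); ref = substr(ref, 1, i - 1) }
        rhost = tolower(ref); sub("[/:].*$", "", rhost) # keep the host only
        n = length(rhost); m = length(ok)
        # same domain or a true subdomain of it: an ordinary on-site referrer
        if (rhost == ok || (n > m && substr(rhost, n - m) == "." ok)) next
        user = ""; haspw = "no"
        np = split(q, kv, "&")
        for (j = 1; j <= np; j++) {
            if (kv[j] ~ /^username=/) user = substr(kv[j], 10)
            if (kv[j] ~ /^password=./) haspw = "yes"
        }
        # ts, client IP, referrer host, username; the password is never printed
        if (haspw == "yes") print $1, $3, rhost, user, "password_present=" haspw
    }'
}

# Constructed sample rows (client IPs are documentation addresses).
row() { printf '%s\t' "$@"; printf '\n'; }
sample_log() {
    row 1520600140.876000 Cuid1 203.0.113.10 5467 128.x.x.x 80 4 GET www1.udel.edu /it/help/connecting/vpn/ "http://sslvpnudeledu.csinformationsupports.ga/login.php?tgroup=&next=&tgcookieset=&username=xxxx&password=yyyy&Login=Login" 0 13795 200 OK
    row 1520600141.000000 Cuid2 203.0.113.11 5468 128.x.x.x 80 1 GET www1.udel.edu /it/help/connecting/vpn/ "http://www1.udel.edu/it/help/" 0 13795 200 OK
    row 1520600142.000000 Cuid3 203.0.113.12 5469 128.x.x.x 80 1 GET www1.udel.edu /it/help/connecting/vpn/ "-" 0 13795 200 OK
    row 1520600143.000000 Cuid4 203.0.113.13 5470 128.x.x.x 80 1 GET www1.udel.edu /it/help/connecting/vpn/ "http://udel.edu.example.net/login.php?username=zzzz&password=qqqq" 0 13795 200 OK
    row 1520600144.000000 Cuid5 203.0.113.14 5471 128.x.x.x 80 1 GET www1.udel.edu / "http://sslvpnudeledu.csinformationsupports.ga/login.php?username=xxxx&password=yyyy" 0 500 200 OK
}

# On real logs: zcat http* | find_phish_referrers
sample_log | find_phish_referrers
```

The usernames in the output are the accounts to reset; the referrer hosts are candidates for blocking.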