When Phishers Attack

What should be done when attacked by Phishers? Many organizations face this question everyday. With Phishing attacks rising both in numbers as well as sophistication, organizations need to keep an action plan ready for responding to such attacks. While working with my customers I came across a number of countermeasures taken to respond to phishing attacks. Here are a few things which I think can be useful to all,

1. Bring down the Phishing site - Immediately after the phishing attempt is reported, necessary steps should be taken to bring down the phishing site. This can be done by directly contacting the ISP hosting the Phishing site. There are also some companies which do this task such as Fraudwatch International. But in my experience I have found that contacting the ISP directly is much faster in bringing down the Phishing sites.
2. Preserve evidence - Preserve all evidences related to the phishing attack. This may include taking screen shots of all pages of the phishing site. Storing the source code of the phishing page. If the phishing attack has been perpetrated by sending unsolicited e-mails to the customers, copy of such e-mail along with the header of the mail should be preserved. Additionally, the web server logs should also be preserved.
3. Feed Dummy data on the Phishing Site - A list of dummy user ids and passwords should be kept ready for the purpose of feeding onto the phishing site. The purpose of this activity is to identify the location of the phisher by logging all such user ids if they are used by the Phishers.
4. Analyze the web server logs - If referer logs are enabled on the web server then it should be analyzed. As indicated in my last post here, web server logs can help in pinpointing the exact location of the phisher.
5. Report to relevant authorities - Though it may not help much, still a complaint may be lodged with the relevant authorities for legal purposes. The evidences preserved earlier will be helpful here.
6. Post Phishing analysis of Online transactions - In some cases the transactions carried out during Phishing attack can be analyzed to detect suspicous transactions. What to analyze would depend upon the type of application which was targeted? For example, if it is an internet banking applications then following are a few things which can be examined - addition of a specific third party account by more than one user. All credit transactions to such third party accounts should be scrutinized. The users should be contacted and the addition of third party to their user name should be confirmed. Demand draft requests where the user has asked for the draft to be dispatched to an address other than the address registered with the Bank etc.