How to customize the policy of Sax2 to detect E-Mail Phishing Scams

 

1. What is a phishing scam?

(fish´ing) (n.) The act of sending an e-mail to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will then be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already holds. The Web site, however, is bogus and is set up only to steal the user's information.


2. How to customize the security policy

First, we should analyze the object to be detected before customizing any security policy. We will take "PayPal phishing" as an example to show how a security policy is customized. "PayPal phishing" is the latest phishing scam intercepted by us. The e-mail comes from the sender "account@paypall.com" (note the look-alike domain, which differs from the real one by a single typo) and it contains instructions to open the attached file in order to "restore" your account. For more information about "PayPal phishing", please visit http://www.ids-sax2.com/Newsletter/ReportofInformationSecurityNo2.htm. Through analysis of the "PayPal phishing" e-mail, we found that the sender address "account@paypall.com" is its most significant feature, so we can define a security policy on this feature. The procedure is introduced in detail below:


Step 1: Click the "Detection/Policy" button; the "Security Policy" window pops up. Select the policy settings that need to be modified (notice: only derived policy settings, identified by the green icon, can be modified).

Step 2: Click the "Edit" button; the "Policy Maintenance" window pops up. Switch to the "Custom" page. The window is divided into two parts: the left side is a tree in which all customized policies are listed by type, and the corresponding details are shown on the right.

Step 3: Determine the type of policy. "PayPal phishing" arrives over the POP3 protocol, so we choose "POP3" on the left, then click the "New" button at the bottom of the window to add a new policy. Select the new policy and its detailed settings are displayed on the right. As illustrated, we can set the policy's name, severity, endpoint, transmission content, "Find what" and other information. Three settings deserve emphasis: because the message content is received from the server, set the Endpoint property to "Server"; because the sender information is carried in the message header, set the Transmission Content property to "POP3 Email head"; and set "Find what" to account@paypall.com. Together these three settings mean that the engine searches the header of each received e-mail for the "account@paypall.com" feature. Other auxiliary information can then be set as needed.


Step 4: After the security policy has been customized, the new policy does not take effect automatically. Close the "Policy Maintenance" window, then click the "Apply" button to reload the policy information into the detection engine.
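The following is an added example, not Sax2 code, that models in Python what the policy configured in Steps 1 to 4 does: it takes the message returned by a POP3 server for a RETR command, isolates the e-mail header, and searches it for the "Find what" string. The severity label, the sample messages and the function names are assumptions constructed for the example.

```python
"""Added example (not part of Sax2): evaluate a POP3-header policy like the
one described above against a mail message fetched from the server."""

# Fields mirror the settings made in the Sax2 dialog; values come from the page,
# except the severity label, which is an assumption.
POLICY = {
    "name": "PayPal phishing",
    "severity": "High",           # assumed label
    "endpoint": "Server",         # message content is received from the server
    "content": "POP3 Email head", # inspect the header, not the body
    "find_what": "account@paypall.com",
}

def split_pop3_retr(retr_response: str) -> str:
    """Return the message carried in a POP3 RETR response.

    Drops the "+OK ..." status line, the terminating "." line, and undoes
    POP3 byte-stuffing (a line starting with ".." carries a literal ".").
    """
    lines = retr_response.rstrip("\r\n").split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("not a successful RETR response")
    body = lines[1:]
    if body and body[-1] == ".":
        body = body[:-1]
    return "\r\n".join(l[1:] if l.startswith("..") else l for l in body)

def check_policy(retr_response: str, policy=POLICY):
    """Return an alert dict when policy['find_what'] occurs in the header, else None."""
    message = split_pop3_retr(retr_response)
    header = message.split("\r\n\r\n", 1)[0]   # header ends at the first blank line
    if policy["find_what"].lower() in header.lower():
        return {"policy": policy["name"], "severity": policy["severity"],
                "endpoint": policy["endpoint"], "matched": policy["find_what"]}
    return None

# Constructed samples: what a server returns to RETR for a phishing and a normal mail.
SAMPLE_PHISH = (
    "+OK 180 octets\r\n"
    "From: PayPal Accounts <account@paypall.com>\r\n"
    "To: victim@example.com\r\n"
    "Subject: Restore your account\r\n"
    "\r\n"
    "Please open the attached file to restore your account.\r\n"
    ".\r\n"
)
SAMPLE_LEGIT = "+OK 60 octets\r\nFrom: service@example.com\r\nSubject: Receipt\r\n\r\nThanks.\r\n.\r\n"

if __name__ == "__main__":
    print(check_policy(SAMPLE_PHISH))   # alert for the "PayPal phishing" policy
    print(check_policy(SAMPLE_LEGIT))   # None
```

Because the match is on the header only, the same sender string appearing in the body of a legitimate mail would not raise this alert, which is exactly the scope the "POP3 Email head" setting selects.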