Announcement

Collapse
No announcement yet.

Can't get Threat Prevention nor Web Filter to block a fraudulent site

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can't get Threat Prevention nor Web Filter to block a fraudulent site

    Hi everyone,

    I have a client running a Complete license, and they lost some money today through a fraudulent site portalllbbua.com.mx when the intended site was bbva.com.mx

    I've tried installed a block in both the Threat Prevention and Web Filter apps, but none of them will block this url.

    I tried entering portalllbbua.com.mx and *portalllbbua* as a url, as a blocked site in Web Filter, but none of my rules would flag or block portalllbbua.com.mx

    Can anyone tell me why not? Thanks in advance.

  • #2
    Update: Webfilter now blocks portalllbbua.com.mx so maybe it just took a few minutes to iterate on the UTM.

    Comment


    • #3
      Question: Brightcloud lists this website as created on 9/22/22. If the website is too new to be listed as a blocked malware/phishing site through WebFilter, Threat Prevention, or the endpoint applications like Bitdefender, are there other ways to protect users from new threats like these? Thanks

      Comment


      • #4
        You can set it to block anything that's not categorized, but IME this tends to have unwanted side effects.

        While whole new sites are relatively rare, people tend to visit pages within legitimate sites that are not categorized for legitimate reasons all the time: the page within the site is new, it's generated based on a database record of which there are arbitrarily many possible pages, it's a behind a login so the category engine can't see it, using HTTPS + hosted on AWS/Azure IP range + no unecrypted domain header, etc.

        You've just discovered one of the things that makes phishing (especially spear-phishing) campaigns so dangerous: the campaigns tend to be short lived; they'll stand up a domain, use it for a few weeks, and then move on to run the same software at another location with a new set of potential victims. In this way, each web site doesn't last long enough for most of their targeted traffic to be blocked by security products.
        Last edited by jcoehoorn; 10-05-2022, 01:23 PM.
        Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

        Comment


        • #5
          Yeah, and I've worked with other products that provide specific tools in this case. OpenDNS for example will let you say, never allow access to a "new" site until it's X days old. And that policy helps in these cases!

          Right up until you deploy a new app somewhere... and all of a sudden your subdomain.whatever won't work for two weeks because you told it to keep anything new away for that period.

          I believe Threat Prevention will block these sites if it's set to "suspicious"... but that has even more broad reaching impact.

          There is no perfect solution to this problem, and yes... that means spear phishing will be around a very long time.
          Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
          NexgenAppliances.com
          Phone: 866-794-8879 x201
          Email: [email protected]

          Comment


          • #6
            Thanks to both of you for your responses. Any chance NGFW has poisoned DNS entries? OpenDNS idea seems like a good one.

            Comment


            • #7
              Originally posted by junglechuck View Post
              Any chance NGFW has poisoned DNS entries?
              We don't cache any DNS lookups; it's a live/real-time query every time. Unless it's an issue with the DNS server itself (or you're using your own internal DNS resolver), this shouldn't be the case.

              Edit: turns out I'm wrong and the DNS daemon does actually cache a very small number of DNS lookups. This doesn't affect my overall answer, however: it's not DNS poisoning.
              Last edited by gravenscroft; 10-11-2022, 02:05 PM.
              Græme Ravenscroft • Technical Marketing Engineer
              ('gram', like the unit of measurement)
              he/him
              Please don't reboot your NGFW.
              How can we make Arista ETM products better?

              Comment


              • #8
                Originally posted by gravenscroft View Post
                We don't cache any DNS lookups; it's a live/real-time query every time. Unless it's an issue with the DNS server itself (or you're using your own internal DNS resolver), this shouldn't be the case.
                Ok, thank you for the clarification.

                Comment


                • #9
                  The web filter has a button on the advanced tab to flush cached results.

                  DNSMasq does cache things, but it's extremely short duration. Web Filter can in some cases hold onto a bad categorization for AGES... which is why we have the aforementioned button.

                  It's not SUPPOSED to work that way, but sometimes... gremlins.
                  Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                  NexgenAppliances.com
                  Phone: 866-794-8879 x201
                  Email: [email protected]

                  Comment


                  • #10
                    Originally posted by sky-knight View Post
                    The web filter has a button on the advanced tab to flush cached results.
                    Just for Category lookup results, though. Doesn't have anything to do with DNS lookups.

                    Originally posted by sky-knight View Post
                    DNSMasq does cache things, but it's extremely short duration.
                    This was just brought to my attention! I (and my previous post) stand corrected.
                    Last edited by gravenscroft; 10-11-2022, 02:05 PM.
                    Græme Ravenscroft • Technical Marketing Engineer
                    ('gram', like the unit of measurement)
                    he/him
                    Please don't reboot your NGFW.
                    How can we make Arista ETM products better?

                    Comment

                    Working...
                    X