Compromised site and fake tech support not blocked by FortiGate

diardnic
New Member
2020/01/22 06:03:15


Hi all,
We often see some of our users reporting the fake tech support scam.
Example of a compromised site here: page2rss.com
While the scam is hosted in the cloud and the URL may change, it looks like there is always the same URL pattern:
"randomfirstpart".cloudfront.net/xxxch75xx88/
(example : https://d378glj94x3qmi.cloudfront.net/xxxch75xx88/index.html)
 
1. How can I block URL patterns with xxxchxx88?
2. Why isn't my FortiGate able to protect me against that threat? (It's always the local antivirus that does the job.)
 
ty
 

    tanr
    Platinum Member
    2020/01/22 07:49:40
    Looks like that's one Fortinet hasn't properly categorized yet. You can report it from the FortiGate under (at least for 6.0) System > FortiGuard > Request re-evaluation of URL category.
    Nicklebon
    New Member
    2020/01/22 10:18:22
    Don't blame the FGT for an improper policy. Block uncategorized websites. Will it create more work for you? Most certainly it will, but these things should get blocked. It is a near impossible task to classify them as they come up, so you can expect to see a lot of sites. This will really scale up as we move into election season in the US, as local political sites will start popping up all over the place.
    post edited by Nicklebon - 2020/01/22 10:26:15
    Toshi Esumi
    Expert Member
    2020/01/22 10:38:37
    For the original question 1), you can use a Static URL Filter with a regex. Or, if everything at cloudfront.net is to be blocked, just use a simple filter "cloudfront.net". If you want to use a regex, be careful not to block other legitimate URLs simply because the same pattern appears in the URL. If you use one that is too short, like "ch.*88", it matches many others, like "www.schwab.com/archive/1988/..".
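The false-positive trap Toshi Esumi describes, and the original poster's question of how to express the xxxch75xx88 pattern as a filter, can be checked before anything is typed into the FortiGate. The following is an added example, not code from the thread or from Fortinet: it runs candidate regexes against a small constructed set of URLs (the scam URL shape from the original post plus made-up legitimate URLs, including the Schwab-style one Toshi mentions) and reports which candidates would block legitimate traffic. Two assumptions are baked in: the regex is applied as an unanchored search against the URL with the scheme stripped (host plus path, the form a Static URL Filter entry is written against), and Python's `re` engine is used as a stand-in for the FortiGate's, so a pattern that passes here should still be verified from a test client after it is entered as a Type = Regex entry.

```python
import re
from dataclasses import dataclass

# Constructed sample set (not taken from the thread's logs). True = should be
# blocked, False = legitimate and must stay reachable. The first URL is the
# shape quoted in the original post; the rest are made up to exercise the
# false-positive case Toshi Esumi warns about.
SAMPLE_URLS = [
    ("https://d378glj94x3qmi.cloudfront.net/xxxch75xx88/index.html", True),
    ("https://d2abcdef123456.cloudfront.net/xxxch75xx88/", True),
    ("https://www.schwab.com/archive/1988/annual-report.html", False),
    ("https://d1example.cloudfront.net/assets/app.js", False),
    ("https://cdn.example.org/launch88/", False),
]

# Candidate patterns in the order a hurried admin might try them.
CANDIDATES = [
    r"ch.*88",                        # Toshi's too-short example
    r"cloudfront\.net",               # blanket block of the whole CDN
    r"cloudfront\.net/xxxch75xx88/",  # host suffix plus the path token
]


def normalize(url: str) -> str:
    """Strip the scheme so the string looks like the host/path form a
    Static URL Filter entry is matched against (assumption)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)


@dataclass
class Result:
    pattern: str
    blocked: list
    false_positives: list
    false_negatives: list

    @property
    def safe(self) -> bool:
        """True when the pattern blocks every scam URL and nothing else."""
        return not self.false_positives and not self.false_negatives


def evaluate(pattern: str, samples=SAMPLE_URLS) -> Result:
    """Apply the regex as an unanchored, case-insensitive search and classify
    each sample against its expected verdict."""
    rx = re.compile(pattern, re.IGNORECASE)
    blocked, fps, fns = [], [], []
    for url, should_block in samples:
        hit = rx.search(normalize(url)) is not None
        if hit:
            blocked.append(url)
        if hit and not should_block:
            fps.append(url)
        if should_block and not hit:
            fns.append(url)
    return Result(pattern, blocked, fps, fns)


def first_safe_pattern(candidates=CANDIDATES, samples=SAMPLE_URLS):
    """Return the first candidate with no false positives or negatives,
    or None if every candidate over- or under-blocks."""
    for pattern in candidates:
        if evaluate(pattern, samples).safe:
            return pattern
    return None


if __name__ == "__main__":
    for pattern in CANDIDATES:
        r = evaluate(pattern)
        print(f"{pattern!r}: blocked={len(r.blocked)} "
              f"false_positives={r.false_positives} false_negatives={r.false_negatives}")
    print("use:", first_safe_pattern())
```

Run as-is, the short pattern flags both the Schwab archive URL and the made-up launch88 page, the bare CDN name blocks a legitimate cloudfront.net asset, and only the slash-anchored host-plus-token pattern survives. Grow SAMPLE_URLS with URLs pulled from your own web-filter logs before trusting a candidate; the sample set here is tiny by design.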
    Dave Hall
    Expert Member
    2020/01/22 13:17:18
    The best overall advice IMO is user education. Those fake tech support scams almost always rely heavily on social engineering, be it via email and/or voice communication, and usually involve getting the "victim" to download something onto their computer.

    As for why the FGT isn't catching it, that may depend on a number of factors, starting with how you are monitoring/scanning/protecting your users. Is the FortiGate performing full SSL content inspection or only certificate inspection? Is the FGT configured to look up both the host name and the IP address (e.g. Rate URLs by domain and IP address)? How are sites that return "rating error" handled: is the FGT configured to drop that connection or allow the connection to go through? Is the FGT configured to allow or block remote (e.g. VNC) connections? Is the FGT configured to allow endpoint connections to IP addresses in foreign countries?

    Cloudfront.net is seen by the FGT as a content server, so it may be a bit difficult to differentiate legitimate traffic from illicit traffic. You can try URL web filtering, using either a wildcard or a regex, and that assumes the FGT is configured for full SSL content inspection.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
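The checklist in Dave Hall's reply (deep versus certificate-only SSL inspection, rating by domain and IP, how rating errors are handled) can be audited from a configuration backup instead of clicking through the GUI. Below is an added example, not code from the thread or from Fortinet: a small parser for the config/edit/set/next/end structure of a FortiOS CLI export, followed by checks that flag a policy whose ssl-ssh-profile only does certificate inspection and a web-filter profile that fails open on rating errors or rates by domain only. The configuration excerpt is constructed for the example, not a real export, and the table, attribute and option names (firewall ssl-ssh-profile / config https / set status, webfilter profile / config ftgd-wf / set options error-allow rate-server-ip, firewall policy / set ssl-ssh-profile) are written from memory of the FortiOS 6.x CLI; treat them as an assumption and confirm against the `show` output of your own unit before relying on the findings.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (not a real export and not
# from the thread). Names follow the FortiOS 6.x CLI as I recall it; verify
# against "show" output on your own FortiGate (assumption).
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "certificate-inspection"
        config https
            set status certificate-inspection
        end
    next
    edit "deep-inspection"
        config https
            set status deep-inspection
        end
    next
end
config webfilter profile
    edit "default"
        config ftgd-wf
            set options error-allow
        end
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set av-profile "default"
    next
    edit 2
        set name "guest-to-wan"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set av-profile "default"
    next
end
"""


def parse_fortios(text):
    """Minimal parser for the config/edit/set/next/end CLI structure.
    Returns nested dicts: cfg[table][entry][attribute] -> list of values,
    with sub-tables (config https, config ftgd-wf) nested under the entry."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:].strip(), {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip().strip('"'), {}))
        elif line.startswith("set "):
            parts = shlex.split(line[4:])   # handles quoted values
            stack[-1][parts[0]] = parts[1:]
        elif line in ("next", "end"):
            stack.pop()
    return root


def audit(cfg):
    """Return one finding string per gap from the checklist in the reply above."""
    findings = []
    ssl_profiles = cfg.get("firewall ssl-ssh-profile", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("utm-status") != ["enable"]:
            findings.append(f"policy {pid}: utm-status not enabled, no security profiles applied")
            continue
        prof = pol.get("ssl-ssh-profile", [""])[0]
        status = ssl_profiles.get(prof, {}).get("https", {}).get("status", [])
        if status != ["deep-inspection"]:
            findings.append(f"policy {pid}: ssl-ssh-profile {prof!r} does not deep-inspect "
                            f"HTTPS, so AV and URL-path filtering never see the page body")
        if "webfilter-profile" not in pol:
            findings.append(f"policy {pid}: no webfilter-profile assigned")
    for name, prof in cfg.get("webfilter profile", {}).items():
        opts = prof.get("ftgd-wf", {}).get("options", [])
        if "error-allow" in opts:
            findings.append(f"webfilter profile {name}: error-allow set, rating errors fail open")
        if "rate-server-ip" not in opts:
            findings.append(f"webfilter profile {name}: rate-server-ip not set, URLs rated by domain only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed excerpt the audit reports three findings: policy 1 only does certificate inspection (so the cloudfront.net path token is invisible to the URL filter and the AV engine, which matches the original poster's later observation that enabling deep inspection let the antivirus catch the scam), and the default web-filter profile both fails open on rating errors and does not rate by IP. Point `parse_fortios` at a full `show full-configuration` dump and extend `audit` with the remaining questions from the reply (remote-access and geo-based rules) as your policy set requires.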
    Yurisk
    Silver Member
    2020/01/24 02:29:45
    To all that's been said already (check that you have deep SSL inspection, try to set the category, etc.), I'd strongly suggest placing a complaint with Amazon AWS, as cloudfront.net is their CDN for hosting users' content, and they are very effective in abuse handling. Given that you see a recurring pattern in the phishers' URLs, the chance is high they were all created by the same author, and if so, Amazon blocking their account would remove all their phishing sites and assets in one go.
     
    https://aws.amazon.com/premiumsupport/knowledge-center/report-aws-abuse/
     
    diardnic
    New Member
    2020/01/24 02:42:30
    Thank you all for your answers.
    You are right, Yurisk. Adding deep SSL inspection allowed the antivirus feature to catch that scam.
    Also, I will follow your advice and report to AWS.