Hi all,
We often see some of our users reporting the fake tech support scam.
Exemple of a compromised site here : page2rss.com
While the scam is hosted on cloud, and url may change, it looks like there is always the same url pattern :
"randomfirstpart".cloudfront.net/xxxch75xx88/"
(example : https://d378glj94x3qmi.cloudfront.net/xxxch75xx88/index.html)
1. How can i block url patterns with xxxchxx88 ?
2. Why isnt my fortigate able to protect me against that threat ? (it's always the local antivirus that does the job)
ty
Looks like that's one Fortinet hasn't properly categorized yet. You can report it from the FortiGate under (at least for 6.0) System, FortiGuard, Request re-evaluation of URL category.
Don't blame the fgt for an improper policy. Block uncategorized websites. Will it create more work for you? Most certainly it will but, these things this should get blocked. It is near an impossible task to classify as they come up. So you can expect to see a lot sites. This will really scale up as we move into election season in the US as local political sites will start popping up all over the place.
For the original question 1), you can use Static URL Filter with regex. Or if all at cloudfront.net to be blocked, just use a simple filter "cloudfront.net". In case you want to use regex, be careful not block other legit URLs simply because there is a same pattern in the URL. If you use too short one like "ch.*88", it matches many others like "www.schwab.com/archive/1988/..".
The best overall advise IMO is user education - those fake tech support scams mostly always rely heavily on social engineering, be it via email and/or voice communication and usually involves getting the "victim" to download something onto their computer. As for why the fgt isn't catching it may depend on a number of factors, starting with how are you monitoring/scanning/protecting your users. Is the Fortigate performing full SSL content inspection or only security certificate inspection? Is the fgt configured to look up both the host name and IP address (e.g. Rate URLs by domain and IP Address)? How are sites that return "rating error" handled - is the fgt configured to drop that connection or allow the connection to go through? Is the fgt configured to allow or block remote (.e.g. VNC) connections? Is the fgt configured to allow endpoint connections to IP addresses in foreign countries? Cloudfront.net is seen by the fgt as a content server, so it may be a bit difficult to differentiate legit traffic from illicit traffic. You can try URL web filtering, using either a wild card or regex and that's assuming the fgt is configured for full SSL content inspection.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
To all the said already (check you have deep SSL inspection, try to set category etc) I'd strongly suggest placing a complain with the Amazon AWS, as cloudfront.net is their CDN for hosting user's content, and they are very effective in abuse handling. Given that you see a recurring pattern in the phishers URLs the chance is high they all created by the same author, and if so, Amazon blocking their account would remove all their phishing sites and assets in one go.
https://aws.amazon.com/premiumsupport/knowledge-center/report-aws-abuse/
TY all for your answers.
You are right Yurisk. Adding deep ssl inspection allowed the Antivirus feature to catch that scam.
Also i will follow your advice and report to AWS.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.