Information Assurance


Botnets & Phishing - what you need to know.

by Shannon Simpson | Jan 24, 2014
By Edd Hardy

What is a Botnet?

A botnet is a network of compromised computers (servers, desktops, laptops etc.) under an attacker's control and used for a common purpose, such as attacking other systems.  Often the owners do not realise that their computer has been compromised.  This means that attackers have at their disposal a huge amount of computing power and bandwidth that can be turned against other systems at scale.  

Why do I care if it's not attacking my network?

a) They may have breached your network or one of your machines, so you need to know.

b) If they control one machine in your network they can use it as a jumping-off point to attack other things, inside and outside your network.

c) Botnets are usually used to attack other companies and organisations like yours.

d) If one of your systems is used to attack a company, the victim will often trace the attack back to your IP address and it will land on your doorstep.

How common are the botnets?

It's hard to say exactly, as they are hidden and constantly changing: people fix the problem and remove systems from botnets, and new ones get added.  There are many different botnets, ranging from a few hundred PCs to hundreds of thousands, and it is not unusual for an infected PC to be a member of several botnets at once.  It is a very substantial problem.  

Do CNS probe or scan my network when looking for Botnets?

No, we won't send any traffic at all to your network.  We keep a list of your IPs (supplied by you) and a constantly updated list of IPs potentially involved in malicious behaviour (botnets, spam etc.).  We compare the two and alert you if there is a match.

What happens if CNS detect a possible issue?

If we detect one of your IPs on a botnet list, we will alert you by email.  The next step for the client is to identify the machine that sits behind that IP and investigate it.  Where the address is a firewall or NAT gateway shared by many hosts, this means checking the firewall or NAT logs to find the internal machine that was using it at the time.  The investigation usually involves running AV and a selection of tools, and potentially examining firewall logs for the connections the machine made.  
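To make the two answers above concrete, here is an added example (not CNS's code, and not necessarily how their service is implemented): it matches a customer's supplied address space against a threat feed, reporting any feed entry that falls inside or overlaps the customer's ranges, and then, for a flagged public address, uses NAT log lines to find the internal host that was using it. The feed format, the log line format, the addresses (RFC 5737 documentation ranges) and the log lines are all constructed assumptions.

```python
"""Match customer address space against a threat feed, then find the
internal host behind a flagged public address in NAT/firewall logs.

Added example; not CNS's own code.  Every address, feed entry and log
line below is constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the customer supplies its public space as CIDRs or single IPs.
CUSTOMER_RANGES = ["198.51.100.0/24", "203.0.113.17"]

# Assumption: the feed is "ip_or_cidr,category,source" lines, '#' comments
# allowed.  Constructed sample; real feed formats vary.
THREAT_FEED = """\
# ip,category,source
198.51.100.42,botnet-c2-victim,sinkhole-A
203.0.113.17,spam-source,blocklist-B
192.0.2.200,phishing-host,feed-C
198.51.100.0/26,scanner,honeypot-D
bad-line
"""

# Assumption: NAT log lines in a constructed format:
# "<timestamp> NAT <internal>:<port> -> <public>:<port> dst=<remote>:<port>"
FIREWALL_LOG = """\
2014-01-20T10:01:02Z NAT 10.0.0.23:51234 -> 198.51.100.42:51234 dst=192.0.2.77:6667
2014-01-20T10:01:05Z NAT 10.0.0.23:51240 -> 198.51.100.42:51240 dst=192.0.2.77:6667
2014-01-20T10:02:10Z NAT 10.0.0.9:40110 -> 198.51.100.42:40110 dst=192.0.2.8:443
2014-01-20T10:03:33Z NAT 10.0.0.23:51250 -> 198.51.100.42:51250 dst=192.0.2.77:6667
2014-01-20T10:04:00Z NAT 10.0.0.31:22000 -> 198.51.100.43:22000 dst=192.0.2.8:443
"""

NAT_LINE = re.compile(
    r"NAT (?P<internal>[\d.]+):\d+ -> (?P<public>[\d.]+):\d+ "
    r"dst=(?P<remote>[\d.]+):(?P<dport>\d+)"
)


def parse_customer_ranges(entries):
    """Normalise single IPs and CIDRs into ip_network objects (a lone IP
    becomes a /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_feed(text):
    """Yield (network, category, source); skip comments and malformed
    lines rather than aborting the whole comparison on one bad entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        yield net, parts[1], parts[2]


def find_matches(customer_entries, feed_text):
    """Return (feed_net, customer_net, category, source) for every feed
    entry that lies inside or overlaps one of the customer's ranges."""
    ours = parse_customer_ranges(customer_entries)
    hits = []
    for net, category, source in parse_feed(feed_text):
        for mine in ours:
            if net.version == mine.version and net.overlaps(mine):
                hits.append((str(net), str(mine), category, source))
                break
    return hits


def internal_hosts_behind(public_ip, log_text):
    """For a flagged public address, map each internal host that was NATed
    to it onto a Counter of (remote_ip, port) it talked to, busiest first."""
    by_host = {}
    for line in log_text.splitlines():
        m = NAT_LINE.search(line)
        if not m or m.group("public") != public_ip:
            continue
        dest = (m.group("remote"), int(m.group("dport")))
        by_host.setdefault(m.group("internal"), Counter())[dest] += 1
    return sorted(by_host.items(), key=lambda kv: -sum(kv[1].values()))


if __name__ == "__main__":
    for feed_net, mine, category, source in find_matches(CUSTOMER_RANGES, THREAT_FEED):
        print(f"ALERT {feed_net} (in {mine}): {category} via {source}")
    for host, dests in internal_hosts_behind("198.51.100.42", FIREWALL_LOG):
        print(host, dict(dests))
```

The overlap check, rather than an exact string comparison, is what lets a feed entry for a whole /26 raise an alert against a customer /24, and it is also why a lone feed IP has to be normalised to a /32 first. The NAT lookup only narrows the search to candidate hosts; the one that repeatedly contacts an unusual port (here 192.0.2.77:6667) is where the AV and tool run described above should start.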

What is a Phishing Attack?

A phishing attack is an attacker sending emails to your users while claiming to be you: they copy your brand and website in an attempt to get users to hand over passwords, credit card numbers or other details.  

Why do I care?

It is your brand that is being attacked.  While they are not attacking your systems, they are using a fake copy of your website or brand to attack your customers, and in most cases your customers will blame you.  It is about brand protection.  

How common are they?

They are very common; virtually everyone has received fake emails claiming to be from their bank.  It happens to most brands with an online presence.  They don't need to be hugely successful: the attacker can send out hundreds of thousands of emails at no real cost, and only needs a few users to click and enter a password or credit card number to make it worthwhile.  

What do CNS do if a Phishing attack is found?

We trace the site; often it is hosted on a hacked server.  We then contact the company hosting it and alert them, providing a detailed evidence pack, to get the site taken down; we will also contact ISPs, hosting providers, DNS providers and the police.  In addition we will have the site blacklisted so that users who visit it with a modern browser are warned.  We continue to monitor the site until it is taken down.

How do we find them?

Most phishing attacks are reported by your users.  It is recommended that companies set up a specific email address for reporting these attacks, so that reports can then be forwarded to us.  In addition we search the internet for phishing sites that relate to you; however, the internet is very large and by the time we find the sites they have often moved.  We also subscribe to a large number of intelligence systems to get alerts on new phishing attacks.