[unisog] new University phishing kit
Martin Manjak
MManjak at uamail.albany.edu
Thu Jan 31 18:25:15 GMT 2008
Tim:
An excellent description of the spear phishing attacks that have
targeted many colleges and universities recently. Our turn came on 1/21.
The reply-to was a Hotmail account.
And, as you pointed out, the attackers know how to leverage SquirrelMail
systems. In fact, that's where our attack was launched from, a
SquirrelMail server located in Russia.
Marty Manjak
ISO
University at Albany
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Tim Gurganus
Sent: Thursday, January 31, 2008 12:47 PM
To: unisog at lists.sans.org
Subject: [unisog] new University phishing kit
Yesterday, our domain, ncsu.edu, and Duke were hit with a new phishing
attack that is hitting other universities today. Phishers create
accounts on yahoo.com, live.com or hotmail.com to receive phished
information. Where possible, the account name has the name of the
targeted .edu in the name, like ncsuhelpdesk at yahoo.com, in our case.
The tailored messages go to all the email addresses they have, over
2300, in our case. The message doesn't have grammar errors, supposedly
comes from the support team for the targeted school and tells the user
to send their username and password to the phishers. The From address
will be something like support at ncsu.edu, but the Reply-to address will
be the yahoo, live or hotmail account. The message body says that
changes are being made to the email system and that they need to verify
their account by sending their login information. The subject of the
message will be something like: Confirm your email address
Any phished accounts are used to send lottery spam or more phishing
emails. I know there are messages going to vanderbilt.edu and others
today. They used one of our phish accounts to send some before we could
stop it. We have responded to this by sending email to all our staff
and faculty to let them know the emails are a scam and that IT will
never ask them for their password. If you haven't been hit by this
attack yet, you may want to post a warning somewhere or broadcast a
message depending on your policy for broadcasts. We also programmed our
mail relays not to deliver any more messages to the phishers' email
accounts. These phishers have scripts for using SquirrelMail to send
spam. If anyone wants a sample email from this attack, let me know off
list. It might be useful for user training. We get hit with phishing
attacks for PayPal, Hotmail, eBay, etc. all the time. This is the first
big one that targeted our domain and phished for email account
passwords.
Tim Gurganus
IT Security Officer
NC State University
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
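
The From/Reply-To mismatch described in the original message, written as a mail-filter check. This is an added example, not part of either post; the function names, the `org_tag` parameter and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Free webmail providers named in the post; extend for your own environment.
FREEMAIL = {"yahoo.com", "live.com", "hotmail.com"}

def _addrs(msg, header):
    """Return (local, domain) pairs for every address in a header."""
    pairs = []
    for _name, addr in getaddresses(msg.get_all(header, [])):
        local, sep, domain = addr.rpartition("@")
        if sep:
            pairs.append((local.lower(), domain.lower().rstrip(".")))
    return pairs

def _in_domain(domain, org_domain):
    return domain == org_domain or domain.endswith("." + org_domain)

def check_message(raw, org_domain, org_tag):
    """Return findings for one raw RFC 5322 message.
    org_domain: the institution's mail domain, e.g. "ncsu.edu"
    org_tag:    short name a lookalike mailbox may embed, e.g. "ncsu"
    """
    msg = message_from_string(raw)
    findings = []
    from_is_org = any(_in_domain(d, org_domain) for _l, d in _addrs(msg, "From"))
    for local, domain in _addrs(msg, "Reply-To"):
        if _in_domain(domain, org_domain):
            continue  # replies stay inside the institution
        if from_is_org and domain in FREEMAIL:
            findings.append("reply-to-freemail:" + domain)
        if org_tag in local:
            findings.append("reply-to-embeds-org-name:" + local)
    return findings

# Constructed sample messages (not taken from the actual attack mail).
PHISH = ("From: Support Team <support@ncsu.edu>\n"
         "Reply-To: ncsuhelpdesk@yahoo.com\n"
         "Subject: Confirm your email address\n\nBody omitted.\n")
CLEAN = ("From: Help Desk <help@ncsu.edu>\n"
         "Reply-To: help@ncsu.edu\n"
         "Subject: Maintenance window\n\nBody omitted.\n")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, check_message(raw, "ncsu.edu", "ncsu"))
```

Messages with a finding can be quarantined or tagged at the relay, which complements blocking delivery to the known drop-box addresses.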