[unisog] new University phishing kit

Rita Seplowitz Saltz rita at Princeton.EDU
Thu Jan 31 19:17:20 GMT 2008


The scammers hit Princeton on Sunday, January 20, with 2,000 messages  
apparently from support at princeton.edu (an ID not active here).  The  
reply-to field, hidden by the most user-friendly mail clients, was  
princetonyou at yahoo.com.  Here, they specified the Webmail account and  
asked for the password to verify the account and keep it open.

The origin of the mail was a compromised account at another university.

Of the 30 accounts that replied, nine (and a possible tenth, still  
unreachable) sent the password, one of those realizing immediately  
her error and changing her password at once.

Four of the compromised Princeton accounts almost immediately began  
sending spam of the Nigerian money scam ilk, using Princeton Webmail  
and targeting addresses at AOL and other outside ISPs.

We filtered for incoming mail using the support at princeton.edu  
address, and prevented any further responses via the central mail  
services to the princetonyou at yahoo.com address, and locked the  
accounts of any respondent our Help Desk was unable to contact swiftly.

Two interesting and dangerous things to watch out for with this gang  
(which seems international in nature):

	* One of our victims learned his account had been used to access the  
PeopleSoft self-service HR record with addresses, phone numbers, etc.   
An address had been changed.  Thanks to our not being able to effect  
our own name changes via self-service, the name-change request  
caused HR to contact the victim to ask why he was wanting to change  
his (Asian-type) name to Kay Jefferson.  The connection to PeopleSoft  
for the session in which the alteration was made came from an IP  
address in a Nigerian domain.

	* Another victim whose account we re-enabled after he changed his  
password learned that replies to his e-mail from others were not  
reaching him.  They were going to an e-mail address in Iraq.  His  
reply-to field had been altered before we locked his account.

So if anyone had people send passwords, be aware that there could be  
added damage below the surface....

Rita Saltz
Senior Policy Advisor
Office of Information Technology (OIT)
Princeton University
and DMCA Agent for Princeton University
rita at princeton.edu
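
The message above describes two header patterns: inbound mail claiming a local From address with a Reply-To at an outside provider, and outbound mail from a compromised account whose reply-to setting had been altered. One header check covers both. This is an added example, not part of the original post; the domain example.edu, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.edu"  # assumption: stands in for the institution's mail domain


def _domains(msg, header):
    """Lower-cased domains of every address found in the named header."""
    values = msg.get_all(header, [])
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses(values) if "@" in addr}


def _is_local(domain):
    return domain == LOCAL_DOMAIN or domain.endswith("." + LOCAL_DOMAIN)


def reply_to_mismatch(raw):
    """Return the external Reply-To domains of a message whose From claims a
    local address; an empty list means nothing to flag."""
    msg = message_from_string(raw)
    if not any(_is_local(d) for d in _domains(msg, "From")):
        return []  # From is not local: out of scope for this check
    return sorted(d for d in _domains(msg, "Reply-To") if not _is_local(d))


# Constructed sample messages (not taken from the incident).
PHISH = ("From: Support <support@example.edu>\n"
         "Reply-To: acct-verify@freemail.example\n"
         "Subject: Verify your Webmail account\n\nbody\n")
LOCAL_LIST = ("From: Help Desk <helpdesk@example.edu>\n"
              "Reply-To: helpdesk@lists.example.edu\n"
              "Subject: Maintenance window\n\nbody\n")
NO_REPLY_TO = "From: user@example.edu\nSubject: hello\n\nbody\n"
OUTSIDE = ("From: news@vendor.example\n"
           "Reply-To: bounce@mailer.example\n"
           "Subject: Newsletter\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("PHISH", PHISH), ("LOCAL_LIST", LOCAL_LIST),
                      ("NO_REPLY_TO", NO_REPLY_TO), ("OUTSIDE", OUTSIDE)]:
        hits = reply_to_mismatch(raw)
        print(name, "FLAG " + ", ".join(hits) if hits else "ok")
```

Run against outbound mail as well as inbound: a hit on a message sent by a real local account points at a reply-to setting that should be reviewed before the account is re-enabled.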
