[unisog] new University phishing kit

Paul Russell prussell at nd.edu
Thu Jan 31 20:54:22 GMT 2008


On 1/31/2008 2:41 PM, Joseph Brennan wrote:
> There seem to be two kinds.
> 
> Purdue.edu got the first kind on Monday, as I can see from our users
> reporting forwarded mail to us.  These were sent from Purdue's own
> web mail system, IMP, which may have evaded filtering.  The envelope
> sender and the header From were the purdue.edu account that was
> used to send, although the header From had the name changed to be
> EDU ACCOUNT UPGRADE TEAM.  The subject was VERIFY YOUR EMAIL ACCOUNT
> NOW.  The recipient is asked to reply giving address, password, date
> of birth, and country.  Is the date of birth requested so that the
> spammer can call in and have the account reactivated?
>

A similar message was sent to approximately 200 recipients at nd.edu
last Saturday night. The messages originated from webmail.hccnet.nl,
which is a Squirrelmail service. According to the service provider's
response to my abuse report, a compromised account was used to send
the messages. We blocked inbound from the sender address and outbound
to the reply-to address.


--- Begin original message ---
Date: Mon, 28 Jan 2008 03:07:39 +0100 (CET)
Subject: Verify Your Nd Account Now
From: accountupgrade at nd.edu
Reply-To: account.upgrade at hotmail.co.uk

Verify Your Nd Account Now

Dear Nd Account Owner,

  This message is from Nd messaging center to all Nd email account owners.
We are currently upgrading our data base and e-mail account center. We
are deleting all Nd email account to create more space for new accounts.

  To prevent your account from closing you will have to update it below so
that we will know that it's a present used account.

***********************************************************
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ......... .....
EMAIL Password : ...............
Date of Birth : ................
Country or Territory : .........
***********************************************************

  Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account
permanently.

Thank you for using Nd!
Warning Code:VX2G99AAJ

Thanks,
Nd Team
Nd.edu BETA
--- End of original message ---

-- 
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell at nd.edu
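
Added example, not part of the original post or thread: a Python check for the two traits visible in the message quoted above, a header From in the local domain paired with a Reply-To at an outside domain, and a body that asks for a password to be filled in. The `LOCAL_DOMAINS` set, the function names and the indicator labels are assumptions made for illustration; the sample is constructed from the archived headers with the list archive's " at " restored to "@".

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"nd.edu"}  # assumption: domains this site is authoritative for
# A "Password :" style form field, as opposed to a passing mention of passwords.
CREDENTIAL_RE = re.compile(r"\bpassword\b\s*:", re.IGNORECASE)

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def phish_indicators(raw_message):
    """Return the names of the indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    body = "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_maintype() == "text")
    hits = []
    # Replies would leave the site even though the sender claims to be local.
    if from_dom in LOCAL_DOMAINS and reply_dom and reply_dom not in LOCAL_DOMAINS:
        hits.append("local-from-external-reply-to")
    if CREDENTIAL_RE.search(body):
        hits.append("credential-form-in-body")
    return hits

# Constructed sample: headers and form lines taken from the archived message.
SAMPLE = """\
Date: Mon, 28 Jan 2008 03:07:39 +0100 (CET)
Subject: Verify Your Nd Account Now
From: accountupgrade@nd.edu
Reply-To: account.upgrade@hotmail.co.uk

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ......... .....
EMAIL Password : ...............
Date of Birth : ................
"""

# Constructed benign message: local sender, no Reply-To, no form field.
BENIGN = """\
Subject: Password expiry reminder
From: helpdesk@nd.edu

Your password will expire in 14 days.
"""

if __name__ == "__main__":
    print(phish_indicators(SAMPLE))
    print(phish_indicators(BENIGN))
```

Legitimate mail can also carry an outside Reply-To, so these indicators are better used as scoring signals or review triggers than as an outright reject rule.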

