[unisog] phishing attack against email credentials at auckland.ac.nz

Seth Hall seth at net.ohio-state.edu
Mon Jun 6 23:00:03 GMT 2005


On Jun 6, 2005, at 6:45 PM, Peter Van Epp wrote:



> On Tue, Jun 07, 2005 at 10:00:25AM +1200, Russell Fulton wrote:
>
>
>
>> FYI -- starting about an hour ago we are being flooded with phishing
>> emails directed at our email creds many users have received multiple
>> emails with instruction to verify their credentials at
>> "www.auckland.ac.nz" which is actually (in my case)
>> http://209.67.220.164/confirm.php?email=r.fulton@auckland.ac.nz almost
>> all connection attempts (mostly from concerned IT support staff) bounced
>> but one user got through twice?????  and what is even odder is that others
>> got bounced between the two attempts.  (by bounced I mean that the
>> connection timed out -- i.e. no response to the SYN).
>>
>>
>
>     Us too (in the form of me, nice of them to send it to the person most
> able to do something useful with it first :-)), same IP. So far only a couple
> of other people this way have tried to get there (many less than I expected :-))
> according to argus, and all after I blocked it. I did give the listed abuse
> address for this site a heads up earlier this morning (only an automated reply
> so far though). No other reports from anyone local so I didn't think to send
> an alert.
>
>

I've grabbed some more copies of the email, and we're actually seeing
205.138.199.146 in addition to 209.67.220.164.  Anyone attempting to
block this at their border may want to add that IP address as well.

It also turns out that this doesn't seem to be a phishing attack.
When I connected to the URL on 205.138.199.146 I was sent a Windows
executable.

   .Seth



