[unisog] phishing attack against email credentials at auckland.ac.nz

Ken Connelly Ken.Connelly at uni.edu
Tue Jun 7 02:02:20 GMT 2005


Is there a consistent envelope-from address on these, or are they coming 
from all over via infected machines?

- ken

Russell Fulton wrote:

> FYI -- starting about an hour ago we are being flooded with phishing
> emails directed at our email creds. Many users have received multiple
> emails with instructions to verify their credentials at
> "www.auckland.ac.nz", which is actually (in my case)
> http://209.67.220.164/confirm.php?email=r.fulton@auckland.ac.nz. Almost
> all connection attempts (mostly from concerned IT support staff) bounced,
> but one user got through twice????? And what is even odder is that others
> got bounced between the two attempts. (By bounced I mean that the
> connection timed out -- i.e. no response to the SYN.)
>
> I've blocked traffic to the address on the firewall now.
>
> I've appended a copy of variants, one of which was routed through
> messagelabs (yes, the headers confirm this).
>
> Cheers, Russell

