[unisog] phishing attack against email credentials at auckland.ac.nz
j.riden at massey.ac.nz
Tue Jun 7 03:12:27 GMT 2005
Joseph Brennan <brennan at columbia.edu> writes:
> --On Tuesday, June 7, 2005 10:00 AM +1200 Russell Fulton
> <r.fulton at auckland.ac.nz> wrote:
> > Dear Valued Member,
> > According to our site policy you will have to confirm your account by
> > the following link or else your account will be suspended within 24
> > hours for security reasons.
> Just seen here too in New York, in mail supposedly from
> webmaster at columbia.edu. No one so far has submitted one with
> headers or html code (thanks to client design... grrrrr).
Looks like a new Mytob variant - the executable I downloaded has the
% md5sum Confirm.com
Virustotal says the following:
BitDefender  7.0             06.07.2005  Win32.Worm.Mytob.BD
Fortinet     184.108.40.206  06.07.2005  suspicious
Kaspersky    220.127.116.11  06.07.2005  Net-Worm.Win32.Mytob.bd
McAfee       4507            06.06.2005  New Malware.f
NOD32v2      1.1131          06.06.2005  a variant of Win32/Mytob
Sybari       7.5.1314        06.07.2005  Net-Worm.Win32.Mytob.bd
all others were 'nothing found' as of 12 noon GMT+1200.
Forged sender addresses are mail, admin, administrator, webmaster,
mail, support and service at domain.example.com.
HTML code here was just:
"According to our site policy you will have to confirm your account by
the following link or else your account will be suspended within 24
hours for security reasons.
Thank you for your attention to this question. We
apologize for any inconvenience.
Sincerely,Massey Security Department Assistant."
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
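
The indicators reported in the message above (role-style forged senders at the recipient's own domain, plus the account-confirmation wording) expressed as a mail-filter check; this is an added example, not part of the original post. The function names, reason strings and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Local parts the post lists as forged sender addresses.
FORGED_LOCALPARTS = {"mail", "admin", "administrator", "webmaster", "support", "service"}
# Wording taken from the message body quoted in the post.
LURE_PHRASE = "confirm your account"

def domain_of(header_value):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def score_message(raw):
    """Return the reasons a raw RFC 5322 message matches the reported pattern."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    local = sender.lower().rpartition("@")[0]
    reasons = []
    if local in FORGED_LOCALPARTS:
        reasons.append("role-account sender")
    if domain_of(sender) and domain_of(sender) == domain_of(msg.get("To")):
        reasons.append("sender claims recipient's own domain")
    # Collect every text part; collapse whitespace so line wraps do not hide the phrase.
    text = " ".join(str(p.get_payload()) for p in msg.walk()
                    if p.get_content_maintype() == "text")
    if LURE_PHRASE in " ".join(text.lower().split()):
        reasons.append("account-confirmation lure")
    return reasons

# Constructed sample modelled on the message quoted in the post.
SAMPLE_PHISH = """From: webmaster@domain.example.com
To: user@domain.example.com
Subject: constructed subject

According to our site policy you will have to confirm your account by
the following link or else your account will be suspended within 24
hours for security reasons.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """From: colleague@other.example.org
To: user@domain.example.com

Minutes from this morning's meeting are on the shared drive.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
```

Any single reason is weak on its own, since legitimate role accounts exist; the combination of all three is what matches the report.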