[unisog] phishing attack against email credentials at auckland.ac.nz

Peter Van Epp vanepp at sfu.ca
Tue Jun 7 03:13:37 GMT 2005


On Mon, Jun 06, 2005 at 10:26:38PM -0400, Joseph Brennan wrote:
> 
> 
> --On Tuesday, June 7, 2005 10:00 AM +1200 Russell Fulton 
> <r.fulton at auckland.ac.nz> wrote:
> 
> >
> > Dear Valued Member,
> >
> > According to our site policy you will have to confirm your account by
> > the following link or else your account will be suspended within 24
> > hours for security reasons.
> 
> 
> Just seen here too in New York, in mail supposedly from
> webmaster at columbia.edu.  No one so far has submitted one with
> headers or html code (thanks to client design... grrrrr).
> 
> Joseph Brennan
> postmaster at columbia.edu
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

	I can help with that one :-) although this is the only one I've 
actually seen with full headers so far.


>From service at fraser.sfu.ca Mon Jun  6 13:02:56 2005
Return-Path: <service at fraser.sfu.ca>
Received: from pobox.sfu.ca (pobox.sfu.ca [142.58.101.28])
	by rm-rstar.sfu.ca (8.12.10/8.12.5/SFU-5.0H) with ESMTP id j56K2tCk011925
	for <vanepp at rm-rstar.sfu.ca>; Mon, 6 Jun 2005 13:02:56 -0700 (PDT)
Received: from fraser.sfu.ca ([12.5.162.2])
	by pobox.sfu.ca (8.12.10/8.12.10/SFU-6.0G) with ESMTP id j56K2qvt021988
	for <vanepp at fraser.sfu.ca>; Mon, 6 Jun 2005 13:02:52 -0700 (PDT)
Message-Id: <200506062002.j56K2qvt021988 at pobox.sfu.ca>
From: service at sfu.ca
To: vanepp at sfu.ca
Subject: Account Alert
Date: Mon, 6 Jun 2005 15:02:37 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0013_EF487B9B.7C4FCABD"
X-Priority: 3
X-MSMail-Priority: Normal
X-Virus-Scanned: by antibody.sfu.ca running antivirus scanner
X-Whitelisted: SFU
Status: RO
Content-Length: 776
Lines: 24

This is a multi-part message in MIME format.

------=_NextPart_000_0013_EF487B9B.7C4FCABD
Content-Type: text/html;
	charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


<html> 
<body> 
<BR><STRONG>Dear Valued Member, </STRONG><BR> 
<BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR> 
<BR><a href="http://209.67.220.164/confirm.php?email=vanepp@fraser.sfu.ca">http://www.fraser.sfu.ca/confirm.php?email=vanepp@fraser.sfu.ca</a><BR> 
<BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR> 
<BR>Sincerely,Fraser Security Department Assistant.<BR> 
</body> 
</html> 





------=_NextPart_000_0013_EF487B9B.7C4FCABD--



More information about the unisog mailing list