[unisog] phishing attack against email credentials at auckland.ac.nz

Tim Brooks tbrooks at ncsa.uiuc.edu
Tue Jun 7 04:16:56 GMT 2005


The same e-mail was seen at our site. 

-Tim

This is a multi-part message in MIME format.

------=_NextPart_000_0013_2E55FB47.388E0059
Content-Type: text/html;
	charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


<html> 
<body> 
<BR><STRONG>Dear Valued Member, </STRONG><BR> 
<BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR> 
<BR><a href="http://209.67.220.164/confirm.php?email=imagelib@ncsa.uiuc.edu">http://www.ncsa.uiuc.edu/confirm.php?email=imagelib@ncsa.uiuc.edu</a><BR> 
<BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR> 
<BR>Sincerely,Ncsa Security Department Assistant.<BR> 
</body> 
</html> 





------=_NextPart_000_0013_2E55FB47.388E0059--






Peter Van Epp wrote:

>On Mon, Jun 06, 2005 at 10:26:38PM -0400, Joseph Brennan wrote:
>  
>
>>--On Tuesday, June 7, 2005 10:00 AM +1200 Russell Fulton 
>><r.fulton at auckland.ac.nz> wrote:
>>
>>    
>>
>>>Dear Valued Member,
>>>
>>>According to our site policy you will have to confirm your account by
>>>the following link or else your account will be suspended within 24
>>>hours for security reasons.
>>>      
>>>
>>Just seen here too in New York, in mail supposedly from
>>webmaster at columbia.edu.  No one so far has submitted one with
>>headers or html code (thanks to client design... grrrrr).
>>
>>Joseph Brennan
>>postmaster at columbia.edu
>>
>>_______________________________________________
>>unisog mailing list
>>unisog at lists.sans.org
>>http://www.dshield.org/mailman/listinfo/unisog
>>    
>>
>
>	I can help with that one :-) although this is the only one I've 
>actually seen with full headers so far.
>
>
>>From service at fraser.sfu.ca Mon Jun  6 13:02:56 2005
>Return-Path: <service at fraser.sfu.ca>
>Received: from pobox.sfu.ca (pobox.sfu.ca [142.58.101.28])
>	by rm-rstar.sfu.ca (8.12.10/8.12.5/SFU-5.0H) with ESMTP id j56K2tCk011925
>	for <vanepp at rm-rstar.sfu.ca>; Mon, 6 Jun 2005 13:02:56 -0700 (PDT)
>Received: from fraser.sfu.ca ([12.5.162.2])
>	by pobox.sfu.ca (8.12.10/8.12.10/SFU-6.0G) with ESMTP id j56K2qvt021988
>	for <vanepp at fraser.sfu.ca>; Mon, 6 Jun 2005 13:02:52 -0700 (PDT)
>Message-Id: <200506062002.j56K2qvt021988 at pobox.sfu.ca>
>From: service at sfu.ca
>To: vanepp at sfu.ca
>Subject: Account Alert
>Date: Mon, 6 Jun 2005 15:02:37 -0500
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>	boundary="----=_NextPart_000_0013_EF487B9B.7C4FCABD"
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Virus-Scanned: by antibody.sfu.ca running antivirus scanner
>X-Whitelisted: SFU
>Status: RO
>Content-Length: 776
>Lines: 24
>
>This is a multi-part message in MIME format.
>
>------=_NextPart_000_0013_EF487B9B.7C4FCABD
>Content-Type: text/html;
>	charset="ISO-8859-1"
>Content-Transfer-Encoding: 7bit
>
>
><html> 
><body> 
><BR><STRONG>Dear Valued Member, </STRONG><BR> 
><BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR> 
><BR><a href="http://209.67.220.164/confirm.php?email=vanepp@fraser.sfu.ca">http://www.fraser.sfu.ca/confirm.php?email=vanepp@fraser.sfu.ca</a><BR> 
><BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR> 
><BR>Sincerely,Fraser Security Department Assistant.<BR> 
></body> 
></html> 
>
>
>
>
>
>------=_NextPart_000_0013_EF487B9B.7C4FCABD--
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
>  
>

-- 
Tim Brooks
Security Engineer

National Center for Supercomputing Applications




More information about the unisog mailing list