[unisog] phishing attack against email credentials at auckland.ac.nz

Russell Fulton r.fulton at auckland.ac.nz
Tue Jun 7 08:05:55 GMT 2005


On Tue, 2005-06-07 at 10:00 +1200, Russell Fulton wrote:
>  FYI -- starting about an hour ago we have been flooded with phishing
> emails directed at our email creds. Many users have received multiple
> emails with instructions to verify their credentials at
> "www.auckland.ac.nz", which is actually (in my case)
> http://209.67.220.164/confirm.php?email=r.fulton@auckland.ac.nz. Almost
> all connection attempts (mostly from concerned IT support staff) bounced,
> but one user got through twice????? and what is even odder is that others
> got bounced between the two attempts. (By bounced I mean that the
> connection timed out -- i.e. no response to the SYN.)

Here's a summary of the day's events:

As my mail above indicated, we got hit first thing in the morning as
people arrived at work. Surprise.  Only one infection occurred during
this phase before I blocked the IP address of the server.  This server
was either under DOS or simply overloaded by the demand.  Either way
only two out of about 50 connection attempts succeeded.

At around 1100 (local time) we started seeing emails pointing to a new
server (thanks to Seth Hall for alerting us to this) and I got this
blocked at about 1120.  During those 20 minutes we had about 90 machines
download the worm.

We were able to use our argus logs to quickly identify all machines that
had downloaded the worm and faculty IT staff were notified around mid
day.

Also around mid day we got an email out to all staff warning them about
the bogus emails.  If we could have got that out an hour earlier we may
have saved quite a lot of grief.  This *is* something that we can work
on.

Through the early afternoon we picked up machines trying to send mail
directly off campus and these invariably matched our list of suspected
infections.  Last one disappeared at around 1500.  It took around 4
hours to contain the infection.

Our analysis of the worm revealed that it had an IRC component and I
then looked at my snort logs and got what I think is a fairly definitive
list of infected machines from the SDBot sigs.  There were 30.

What is depressing is that our message about being cautious about
following links in emails is clearly not getting through to enough
people to cause serious problems.  On reflection I think there are two
main reasons for this:
      * users are used to getting emails with links in them for all
        sorts of things.  So this was just another...
      * over the last year we have managed to almost completely contain
        the 'virus' problem on campus leading users to believe that we
        have the problem beaten. (i.e. we are victims of our own
        success, sigh...) I notice that some others have raised this
        exact issue in the current AV thread on the list.

I'm not sure how we can address these issues, both are fairly
intractable.  The first may be addressed on a policy basis by publicly
spelling out when we will use links in emails but we then fall back to
the second problem that people stop being alert when they perceive that
the threat is distant.  Even if we were to sign every official email I
still doubt it would have much effect.

Ideas solicited.

Cheers, Russell.
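The two flow-log checks described in the mail (hosts whose connection to the phishing server actually completed, and hosts later opening SMTP directly off campus) as an added example that is not part of the original post. It assumes a simplified, constructed flow-record format ("time src dst dport state", roughly in the spirit of argus output but not real argus syntax), an assumed campus range of 130.216.0.0/16, and uses only the phishing server IP quoted in the mail.

```python
# Added example, not from the original mail: correlate flow records to find
# hosts that fetched the payload and hosts that later relay mail directly.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (constructed for this example): a simplified record format
# "time src dst dport state", where state "CON" means the TCP handshake
# completed and "REQ" means a SYN that got no reply (the "bounced" case).
CAMPUS = ip_network("130.216.0.0/16")   # assumed campus address range
PHISH_SERVERS = {"209.67.220.164"}      # server IP quoted in the original mail

@dataclass
class Flow:
    time: str
    src: str
    dst: str
    dport: int
    state: str

def parse_flows(text: str) -> list[Flow]:
    """Parse the simplified one-record-per-line format described above."""
    flows = []
    for line in text.strip().splitlines():
        t, src, dst, dport, state = line.split()
        flows.append(Flow(t, src, dst, int(dport), state))
    return flows

def downloaders(flows: list[Flow]) -> set[str]:
    """Campus hosts whose connection to a phishing server completed.
    A SYN with no response never fetched anything, so REQ is ignored."""
    return {f.src for f in flows
            if f.dst in PHISH_SERVERS and f.state == "CON"
            and ip_address(f.src) in CAMPUS}

def direct_mailers(flows: list[Flow]) -> set[str]:
    """Campus hosts opening SMTP to off-campus addresses, bypassing any
    on-campus relay (every dst inside CAMPUS is treated as a relay)."""
    return {f.src for f in flows
            if f.dport == 25 and f.state == "CON"
            and ip_address(f.src) in CAMPUS
            and ip_address(f.dst) not in CAMPUS}

def suspected_infections(text: str) -> dict[str, set[str]]:
    """Hosts on both lists are the strongest candidates for cleanup."""
    flows = parse_flows(text)
    dl, mail = downloaders(flows), direct_mailers(flows)
    return {"downloaded": dl, "mailing": mail, "confirmed": dl & mail}

SAMPLE = """\
09:02:11 130.216.5.10 209.67.220.164 80 REQ
09:02:40 130.216.5.11 209.67.220.164 80 CON
09:05:02 130.216.7.3 209.67.220.164 80 REQ
13:10:15 130.216.5.11 64.233.1.1 25 CON
13:11:00 130.216.9.4 130.216.1.25 25 CON
13:12:30 130.216.9.4 64.233.1.2 25 CON
"""  # constructed sample records, not real traffic
```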