[unisog] phishing attack against email credentials at auckland.ac.nz

H. Morrow Long morrow.long at yale.edu
Tue Jun 7 12:11:57 GMT 2005


Russell -- We also saw some of these yesterday.

     I've appended a sanitized version below -- the
     URL underneath the visible one was actually:

http://209.67.220.164/confirm.php?email=first.last.netid@yale.edu

     I note that the IP # in the real URL above is the
     same as in the phish you received in NZ and it
     belongs to the LayerTech.COM company -- I've
     Cc:ed their Abuse Team so that they can take
     down the web site if they have not already.  Cheers!

     I suspect other Universities are also seeing these.

Received: from yale.edu ([208.248.116.10]) by mrX.its.yale.edu (8.12.11/8.12.11) with ESMTP id j56KnpXg022219 for ; Mon, 6 Jun 2005 16:49:51 -0400
Message-Id: <200506062049.j56KnpXg022219 at mrX.its.yale.edu>
From: info at yale.edu
To: first.last.netid at yale.edu
Subject: Account Alert
Date: Mon, 6 Jun 2005 16:49:50 -0400

Dear Valued Member,

According to our site policy you will have to confirm your account by  
the following link or else your account will be suspended within 24  
hours for security reasons.

http://www.yale.edu/confirm.php?email=first.last.netid@yale.edu

Thank you for your attention to this question. We apologize for any  
inconvenience.

Sincerely,Yale Security Department Assistant.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Jun 6, 2005, at 6:00 PM, Russell Fulton wrote:

>  FYI -- starting about an hour ago we are being flooded with phishing
> emails directed at our email creds. Many users have received multiple
> emails with instructions to verify their credentials at
> "www.auckland.ac.nz", which is actually (in my case)
> http://209.67.220.164/confirm.php?email=r.fulton@auckland.ac.nz
> Almost all connection attempts (mostly from concerned IT support staff)
> bounced, but one user got through twice????? And what is even odder,
> others got bounced between the two attempts. (By bounced I mean that the
> connection timed out -- i.e. no response to the SYN.)
>
> I've blocked traffic to the address on the firewall now.
>
> I've appended a copy of variants. One of which was routed through
> messagelabs (yes the headers confirm this).
>
> Cheers, Russell
> -- 
> Russell Fulton, Information Security Officer, The University of Auckland,
> New Zealand
>
>
> From: service at auckland.ac.nz
> To: r.fulton at auckland.ac.nz
> Subject: *IMPORTANT* Please Confirm Your Account
> Date: Mon, 6 Jun 2005 16:03:46 -0500 (Tue, 09:03 NZST)
>
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your account by
> the following link or else your account will be suspended within 24
> hours for security reasons.
>
> http://www.auckland.ac.nz/confirm.php?email=r.fulton@auckland.ac.nz
>
> Thank you for your attention to this question. We apologize for any
> inconvenience.
>
> Sincerely,Auckland Security Department Assistant.
>
>
> From: service at auckland.ac.nz
> To: r.fulton at auckland.ac.nz
> Subject: Important Notification
> Date: Mon, 6 Jun 2005 13:14:02 -0800 (Tue, 09:14 NZST)
>
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your account by
> the following link or else your account will be suspended within 24
> hours for security reasons.
>
> http://www.auckland.ac.nz/confirm.php?email=r.fulton@auckland.ac.nz
>
> Thank you for your attention to this question. We apologize for any
> inconvenience.
>
> Sincerely,Auckland Security Department Assistant.
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________

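Both posts above describe the same trick: the link text shows the university's own host, while the href underneath points at 209.67.220.164. The following is an added example for this thread, not code from either poster or from the list; it parses an HTML mail body and flags anchors whose visible text is a URL on a different host than the href. The HTML body is a constructed reconstruction (the real attachment was scrubbed from the archive) using the hosts and path quoted in the thread.

```python
"""Flag HTML anchors whose visible URL text points to a host other than the
href's host.  Added example, not code from the list posts.  SAMPLE_HTML is a
constructed reconstruction of the phish body quoted in the thread."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body: the link text shows www.yale.edu, the href does not.
SAMPLE_HTML = """<html><body>
<p>Dear Valued Member,</p>
<p>According to our site policy you will have to confirm your account by
the following link or else your account will be suspended within 24 hours.</p>
<p><a href="http://209.67.220.164/confirm.php?email=first.last.netid@yale.edu">
http://www.yale.edu/confirm.php?email=first.last.netid@yale.edu</a></p>
<p><a href="http://www.yale.edu/">Yale home</a></p>
</body></html>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercase hostname of a URL or bare host string ('www.x.edu/p'), or None."""
    if "://" not in value:
        value = "http://" + value
    host = urlsplit(value).hostname
    return host.lower() if host else None


def looks_like_url(text):
    """Only URL-looking link labels can misrepresent a destination host."""
    return "://" in text or text.startswith("www.")


def find_deceptive_links(html):
    """Return anchors whose visible URL names a host different from the href host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # plain labels such as "Yale home" are not checked
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"shown_host": shown, "actual_host": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"visible {f['shown_host']} -> actual {f['actual_host']}: {f['href']}")
```

The host comparison is deliberately done on the parsed hostname rather than on the raw strings, so the `email=...@yale.edu` query parameter in the href (which puts a university domain into the URL text) does not mask the fact that the connection goes to the bare IP address.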