[unisog] phishing attack against email credentials at auckland.ac.nz

H. Morrow Long morrow.long at yale.edu
Tue Jun 7 12:31:20 GMT 2005


Russell -

We saw one of them come to our mail servers from an
IP belonging to an MCI/UUNET ISP corporate customer.

This is different from the one reported earlier which was
routed via MessageLabs (which typically filters all spam).

I've received auto-reply confirmation messages from both
MCI (where the email came from) and LayeredTech.COM
(the web hosting 'provider' site for the phishing site) abuse
aliases.  The website at 209.67.220.164 seems to be down
anyway.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

On Jun 6, 2005, at 10:02 PM, Ken Connelly wrote:
> Is there a consistent envelope-from address on these, or are they coming
> from all over via infected machines?
>
> - ken
>
> Russell Fulton wrote:
>
>
>> FYI -- starting about an hour ago we are being flooded with phishing
>> emails directed at our email creds. Many users have received multiple
>> emails with instructions to verify their credentials at
>> "www.auckland.ac.nz" which is actually (in my case)
>> http://209.67.220.164/confirm.php?email=r.fulton@auckland.ac.nz
>> Almost all connection attempts (mostly from concerned IT support staff)
>> bounced, but one user got through twice?????  And what is even odder is
>> that others got bounced between the two attempts.  (By bounced I mean that
>> the connection timed out -- i.e. no response to the SYN).
>>
>> I've blocked traffic to the address on the firewall now.
>>
>> I've appended a copy of variants. One of which was routed through
>> messagelabs (yes the headers confirm this).
>>
>> Cheers, Russell
>>