[unisog] Nigerian scam via squirrelmail

Andrew Daviel advax at triumf.ca
Sat Oct 24 02:07:38 GMT 2009


Has anyone heard of an active squirrelmail exploit ?

We had an incident that I don't quite understand - a spammer (RIPE says 
the ip is in Nigeria - honest!) got into a couple of our accounts and 
sent a bunch of "you have won $$" mail. In one case, they edited the 
Squirrelmail profile so that the signature was the message and the 
sending-address was changed (to a bad address, so I got a lot of 
postmaster DSN mail)

We are using a RedHat Enterprise based system; I saw a note about them 
fixing a cross-site scripting problem recently. But both our accounts 
were very lightly used - unlikely to have been caught with CSS.
Both still had their default passwords which we'd emailed to their 
supervisor with instructions to change, but it was a totally random 
string (not e.g. username_1), and unlikely to have been reused on Hotmail 
or other sites.
The Nigerian host had googled "login example.com", then a day or so later 
had gone straight to a successful login on the webmail page over SSL. No 
failures, no random messing around. The passwords themselves don't show 
up on google (a long shot, I admit)

I'm a bit baffled. It's just possible that the users had malware on their 
client that found the "your password is xxxx; please change it" message.
But they don't fit my image of someone always online, no idea what their 
computer's running, infected with all sorts of spyware.
I'd have thought if anyone had gotten into our mailstore itself we'd have 
seen a whole bunch more serious trouble long since. Unless it's someone 
smart lying low.

There is also some evidence that half of the targets for the outgoing 
spam are people we normally deal with; the other half are things like 
"foobar at a.com". But not on our network - as if the spammers had been able 
to examine mail stats or addressbooks. (not the exposed accounts, but 
busier ones)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager


More information about the unisog mailing list