[unisog] Nigerian scam via squirrelmail
markmont at umich.edu
Mon Oct 26 02:42:21 GMT 2009
I don't know whether there is a squirrelmail exploit, but we see
pretty much exactly what you describe all the time with both Horde/IMP
and Roundcube. In all the cases I am aware of, both web server logs
and follow-up with users show that the spammer logged in using the
user's username and password. In some cases, we've been able to track
down the compromise of the password to users responding to phishing
messages ("send us your password to help us upgrade our email system;
if you don't, your account will be deactivated"). In other cases, we
found keylogging trojans on their personal computers. In one case, we
found the user's name and password on a list of stolen usernames and
passwords, but we have no idea how the user got on that list.
We have a variety of monitoring tools in place to help us detect the
type of activity the spammers engage in with stolen usernames and
passwords, and we disable most of those accounts not long after the
spammer starts abusing them.
ITS Web/Database Team
The University of Michigan
markmont at umich.edu
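The monitoring described above is not spelled out in the thread, so the following is an added example, not code from either poster or from any webmail product. It runs a few heuristics drawn from the two messages over a constructed, hypothetical webmail log (format and field names are assumptions): a successful login from a country the user has never used, with no failed attempts from that IP beforehand (the attacker already knew the password rather than guessing it), followed within a short window by a change to the signature or sending address, or by a burst of outbound mail. A new-location login alone does not raise an alert, since people travel; it needs at least one post-login indicator.

```python
"""Heuristic detection of webmail abuse via stolen credentials.

Added example; not from the original thread or any webmail product.
Log format is hypothetical and simplified (one event per line):
    <ISO timestamp> <user> <event> <src_ip> <country> [<detail>]
Events: LOGIN_FAIL, LOGIN_OK, SEND (detail = recipient count),
PREFS (detail = changed setting, e.g. signature or from_address).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "alice" is the victim account, "bob" is normal use.
SAMPLE_LOG = """\
2009-10-20T09:01:00 bob LOGIN_FAIL 192.0.2.10 CA
2009-10-20T09:01:10 bob LOGIN_OK 192.0.2.10 CA
2009-10-20T09:05:00 bob SEND 192.0.2.10 CA 1
2009-10-24T14:00:00 alice LOGIN_OK 192.0.2.44 CA
2009-10-24T14:02:00 alice SEND 192.0.2.44 CA 2
2009-10-25T03:12:00 alice LOGIN_OK 203.0.113.7 NG
2009-10-25T03:13:00 alice PREFS 203.0.113.7 NG signature
2009-10-25T03:13:30 alice PREFS 203.0.113.7 NG from_address
2009-10-25T03:15:00 alice SEND 203.0.113.7 NG 40
2009-10-25T03:16:00 alice SEND 203.0.113.7 NG 45
"""

SEND_WINDOW = timedelta(minutes=30)   # look-ahead after a suspicious login
RECIPIENT_THRESHOLD = 50              # recipients in the window that count as a burst
SENSITIVE_PREFS = {"signature", "from_address"}  # settings the spammer edited


def parse_line(line):
    ts, user, event, ip, country, *detail = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "ip": ip, "country": country, "detail": detail[0] if detail else None}


def detect(log_text):
    """Return {user: [reasons]} for logins that look like use of a stolen password.

    A login is a candidate when it comes from a country the user has never
    logged in from before AND no failed attempts preceded it from that IP.
    It becomes an alert only if, within SEND_WINDOW and from the same IP,
    the session changes a sensitive preference or sends to many recipients.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    seen_countries = defaultdict(set)   # user -> countries seen so far
    failed_ips = defaultdict(set)       # user -> IPs with failed attempts
    alerts = defaultdict(list)
    for i, e in enumerate(events):
        user = e["user"]
        if e["event"] == "LOGIN_FAIL":
            failed_ips[user].add(e["ip"])
            continue
        if e["event"] != "LOGIN_OK":
            continue
        new_country = e["country"] not in seen_countries[user]
        no_prior_failures = e["ip"] not in failed_ips[user]
        seen_countries[user].add(e["country"])
        if not (new_country and no_prior_failures):
            continue
        reasons = [f"first login from {e['country']} with no failed attempts from {e['ip']}"]
        recipients = 0
        for f in events[i + 1:]:          # events are time-sorted, so break on window end
            if f["ts"] - e["ts"] > SEND_WINDOW:
                break
            if f["user"] != user or f["ip"] != e["ip"]:
                continue
            if f["event"] == "PREFS" and f["detail"] in SENSITIVE_PREFS:
                reasons.append(f"changed {f['detail']} {f['ts'] - e['ts']} after login")
            elif f["event"] == "SEND":
                recipients += int(f["detail"])
        if recipients >= RECIPIENT_THRESHOLD:
            reasons.append(f"sent to {recipients} recipients within {SEND_WINDOW}")
        if len(reasons) > 1:              # require at least one post-login indicator
            alerts[user].extend(reasons)
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_LOG).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

On the sample log, bob's login is preceded by a failure from the same IP and is ignored, alice's first-ever login from CA has no follow-up indicators and is ignored, and only alice's NG session (new country, clean login, signature and from-address edited, 85 recipients in two minutes) is reported. Thresholds and the window are tuning knobs; real deployments would seed the per-user country baseline from history rather than from the same log.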
Quoting Andrew Daviel <advax at triumf.ca>:
> Has anyone heard of an active squirrelmail exploit?
> We had an incident that I don't quite understand - a spammer (RIPE
> the IP is in Nigeria - honest!) got into a couple of our accounts
> sent a bunch of "you have won $$" mail. In one case, they edited
> Squirrelmail profile so that the signature was the message and the
> sending-address was changed (to a bad address, so I got a lot of
> postmaster DSN mail)
> We are using a RedHat Enterprise based system; I saw a note about
> fixing a cross-site scripting problem recently. But both our
> were very lightly used - unlikely to have been caught with CSS.
> Both still had their default passwords which we'd emailed to their
> supervisor with instructions to change, but it was a totally random
> string (not e.g. username_1), and unlikely to have been reused on
> or other sites.
> The Nigerian host had googled "login example.com", then a day or so
> had gone straight to a successful login on the webmail page over
> failures, no random messing around. The passwords themselves don't
> up on google (a long shot, I admit)
> I'm a bit baffled. It's just possible that the users had malware on
> client that found the "your password is xxxx; please change it"
> But they don't fit my image of someone always online, no idea what
> computer's running, infected with all sorts of spyware.
> I'd have thought if anyone had gotten into our mailstore itself
> seen a whole bunch more serious trouble long since. Unless it's
> smart lying low.
> There is also some evidence that half of the targets for the
> spam are people we normally deal with; the other half are things
> "foobar at a.com". But not on our network - as if the spammers had
> to examine mail stats or addressbooks. (not the exposed accounts,
> busier ones)
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376 (Pacific Time)
> Network Security Manager