[unisog] Nigerian scam via squirrelmail

Mark Montague markmont at umich.edu
Mon Oct 26 02:42:21 GMT 2009

I don't know whether there is a squirrelmail exploit, but we see
pretty much exactly what you describe all the time with both Horde/IMP
and Roundcube.  In all the cases I am aware of, both web server logs
and follow-up with users show that the spammer logged in using the
user's username and password.  In some cases, we've been able to track
down the compromise of the password to users responding to phishing
messages ("send us your password to help us upgrade our email system;
if you don't, your account will be deactivated").  In other cases, we
found keylogging trojans on their personal computers.  In one case, we
found the user's name and password on a list of stolen usernames and
passwords, but we have no idea how the user got on that list.

We have a variety of monitoring tools in place to help us detect the
type of activity the spammers engage in with stolen usernames and
passwords, and we disable most of those accounts not long after the
spammer starts abusing them.

                 Mark Montague
                 ITS Web/Database Team
                 The University of Michigan
                 markmont at umich.edu

Quoting Andrew Daviel <advax at triumf.ca>:

> Has anyone heard of an active squirrelmail exploit?
> We had an incident that I don't quite understand - a spammer (RIPE
> the ip is in Nigeria - honest!) got into a couple of our accounts
> sent a bunch of "you have won $$" mail. In one case, they edited
> Squirrelmail profile so that the signature was the message and the
> sending-address was changed (to a bad address, so I got a lot of
> postmaster DSN mail)
> We are using a RedHat Enterprise based system; I saw a note about
> fixing a cross-site scripting problem recently. But both our
> were very lightly used - unlikely to have been caught with CSS.
> Both still had their default passwords which we'd emailed to their
> supervisor with instructions to change, but it was a totally random
> string (not e.g. username_1), and unlikely to have been reused on
> or other sites.
> The Nigerian host had googled "login example.com", then a day or so
> had gone straight to a successful login on the webmail page over
> failures, no random messing around. The passwords themselves don't
> up on google (a long shot, I admit)
> I'm a bit baffled. It's just possible that the users had malware on
> client that found the "your password is xxxx; please change it"
> But they don't fit my image of someone always online, no idea what
> computer's running, infected with all sorts of spyware.
> I'd have thought if anyone had gotten into our mailstore itself we'd have
> seen a whole bunch more serious trouble long since. Unless it's
> smart lying low.
> There is also some evidence that half of the targets for the
> spam are people we normally deal with; the other half are things
> "foobar at a.com". But not on our network - as if the spammers had been able
> to examine mail stats or addressbooks. (not the exposed accounts,
> busier ones)
> --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376  (Pacific Time)
> Network Security Manager
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
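Mark's point that the web server logs, not a webmail exploit, showed the spammer logging in with the user's own password, together with Andrew's observation of a clean first-try login from an unfamiliar network followed at once by a profile edit and a burst of mail, can be turned into a simple detection over login activity. The following is an added example, not code from either poster nor from SquirrelMail, Horde/IMP or Roundcube; the log format, the action names and the "first two octets" home-network heuristic are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a webmail auth/activity log. The format ("<ISO time>
# <user> <source IP> <action>") is an assumption made for this example.
SAMPLE_LOG = """\
2009-10-20T08:01:10 alice 192.0.2.15 login-ok
2009-10-22T09:12:03 alice 192.0.2.40 login-ok
2009-10-22T10:00:00 bob 192.0.2.15 login-fail
2009-10-22T10:00:20 bob 192.0.2.15 login-ok
2009-10-23T22:47:19 alice 198.51.100.77 login-ok
2009-10-23T22:49:02 alice 198.51.100.77 profile-change
2009-10-23T22:50:31 alice 198.51.100.77 send
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def parse(log):
    """Parse log text into (timestamp, user, ip, action) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, ip, action = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, action))
    return sorted(events)

def network(ip):
    """Coarse 'home network' key (first two octets): an assumed stand-in for
    geolocation or an ASN lookup."""
    return ".".join(ip.split(".")[:2])

def find_suspicious_logins(log, window=timedelta(minutes=10)):
    """Alert on a first-try successful login from a network the user has never
    used, when that session edits the profile or sends mail within `window`."""
    events = parse(log)
    seen_nets, last_fail, alerts = defaultdict(set), {}, []
    for i, (ts, user, ip, action) in enumerate(events):
        net = network(ip)
        if action == "login-fail":
            last_fail[(user, net)] = ts        # remember failures per network
        elif action == "login-ok":
            new_net = net not in seen_nets[user]
            clean = (user, net) not in last_fail or ts - last_fail[(user, net)] > window
            follow = [a for t, u, p, a in events[i + 1:] if u == user and p == ip
                      and t - ts <= window and a in ("profile-change", "send")]
            if new_net and clean and follow:
                alerts.append({"user": user, "ip": ip, "time": ts.isoformat(), "followed_by": follow})
            seen_nets[user].add(net)
    return alerts
```

On the sample, only alice's login from 198.51.100.77 is flagged: a new network, no preceding failures, and a profile change plus a send within minutes; bob's login follows a failure from his usual network and is left alone.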