Re: Interesting spear phising attempt against IT

["Basgen, Brian" <bbasgen () PIMA EDU>]

 Thanks for all the data everyone.

 My best hypothesis is that he is out to usurp the competition. Our
attacks came almost exclusively from Russian IPs (about 4/5 of them),
with some Chinese just for good measure. I'd guess these are his
competitors, and his response below about "Russian scumbags" seems to
substantiate that hypothesis a bit. 


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

> -----Original Message-----
> From: Brian Allen [mailto:ballen () WUSTL EDU] 
> Sent: Wednesday, February 06, 2008 8:55 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Interesting spear phising attempt against IT
>
> I received an email from Tudor recently.  I replied with a 
> standard apology because at first I thought he was upset, and 
> I just wanted to let him know I was investigating the incident.  
>
> This was his reply:
> -=-=-=-=-=-=-=-=-=-=
> Brian,
>
> No appologies are necessary from Your end.. I purely like to 
> see these russian scumbags shut down.
>
> Best regards & have a Great Day!!
>
> Tudor
> -=-=-=-=-=-=-=-=-=-=
>
> It sounds like he is a vigilante.
>
> Cheers,
> Brian Allen
> Network Security Analyst
> Washington University in St. Louis
>
> > -----Original Message-----
> > From: Basgen, Brian [mailto:bbasgen () PIMA EDU]
> > Sent: Tuesday, February 05, 2008 1:46 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] Interesting spear phising attempt against IT
> >
> >  Today we received an email from someone who graciously informed us
> that
> > some of our student web pages had been hacked. Of course, 
> this happens 
> > on occasion for the usual reasons (php, brute force, etc). In this
> case,
> > the webpages were converted into online Canadian 
> pharmacies, and any 
> > transaction would simply redirect to another domain name.
> >
> >  The interesting thing is the fellow who told us about the 
> hack. His 
> > email included links to the hacked web pages. It was an html email,
> and
> > the embedded html had a few hidden links -- but many of them didn't
> make
> > sense (case.edu and google searches against berkley.edu and 
> > hollywood.com).
> >
> >  The most interesting thing is the domain name the email came from:
> > tudorburden.com, which turns out to be registered to a 
> "Tudor Burden"
> > living in Canada. Apparently, he has lost quite a few lawsuits
> regarding
> > fraudulent domain names:
> http://www.wipo.int/amc/en/domains/decisions/html/2005/d2005-0313.html
> >  Has anyone heard of fraudsters hacking a web page and then 
> informing 
> > you about the hack? We are diving into logs to try to 
> discern what his 
> > greater goal is: we've been looking for trojans and/or spyware but 
> > haven't found any yet. It is a bit strange, so I'm 
> wondering if anyone 
> > has had experience with this kind of thing in the past?
> >
> > ~~~~~~~~~~~~~~~~~~
> > Brian Basgen
> > Information Security
> > Pima Community College