Educause Security Discussion mailing list archives
Re: Interesting spear phishing attempt against IT
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 8 Feb 2008 15:54:40 -0700
Thanks for all the data everyone. My best hypothesis is that he is out to usurp the competition. Our attacks came almost exclusively from Russian IPs (about 4/5 of them), with some Chinese just for good measure. I'd guess these are his competitors, and his response below about "Russian scumbags" seems to substantiate that hypothesis a bit.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
-----Original Message-----
From: Brian Allen [mailto:ballen () WUSTL EDU]
Sent: Wednesday, February 06, 2008 8:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Interesting spear phishing attempt against IT

I received an email from Tudor recently. I replied with a standard apology because at first I thought he was upset, and I just wanted to let him know I was investigating the incident. This was his reply:

-=-=-=-=-=-=-=-=-=-=
Brian,

No apologies are necessary from your end. I purely like to see these Russian scumbags shut down.

Best regards & have a Great Day!!
Tudor
-=-=-=-=-=-=-=-=-=-=

It sounds like he is a vigilante.

Cheers,
Brian Allen
Network Security Analyst
Washington University in St. Louis

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen () PIMA EDU]
Sent: Tuesday, February 05, 2008 1:46 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Interesting spear phishing attempt against IT

Today we received an email from someone who graciously informed us that some of our student web pages had been hacked. Of course, this happens on occasion for the usual reasons (php, brute force, etc.). In this case, the web pages were converted into online Canadian pharmacies, and any transaction would simply redirect to another domain name.

The interesting thing is the fellow who told us about the hack. His email included links to the hacked web pages. It was an html email, and the embedded html had a few hidden links -- but many of them didn't make sense (case.edu and google searches against berkley.edu and hollywood.com).

The most interesting thing is the domain name the email came from: tudorburden.com, which turns out to be registered to a "Tudor Burden" living in Canada. Apparently, he has lost quite a few lawsuits regarding fraudulent domain names: http://www.wipo.int/amc/en/domains/decisions/html/2005/d2005-0313.html

Has anyone heard of fraudsters hacking a web page and then informing you about the hack? We are diving into logs to try to discern what his greater goal is: we've been looking for trojans and/or spyware but haven't found any yet. It is a bit strange, so I'm wondering if anyone has had experience with this kind of thing in the past?

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
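Triage for the kind of HTML "you've been hacked" notification described in the thread, as an added example that is not from the list or from any poster: it parses the mail body with Python's standard html.parser and flags links that CSS hides from the reader, links that leave the institution's own domain, and links whose visible text names a different host than the href. The mail body and the example.* hosts are constructed, and the trusted domain is an assumed parameter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (example.* hosts) modelled on the thread's notification mail
SAMPLE_EMAIL_HTML = """
<a href="http://students.example.edu/~user/index.php">students.example.edu/~user</a>
<a style="display:none" href="http://pharmacy-redirect.example.net/buy">buy</a>
<div style="font-size:0px"><a href="http://www.google.com/search?q=site:hollywood.com">x</a></div>
<a href="http://tracker.example.net/c?id=1">https://www.example.edu/security</a>
"""
# Common CSS tricks that keep a link in the HTML but out of the rendered view
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em|%)?(?![\d.])")
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)+")  # hostname-looking token in link text
class LinkAuditor(HTMLParser):
    """Collect every <a href>, its visible text, and whether CSS hides it."""
    def __init__(self):
        super().__init__()
        self.hidden_tags = []  # open tags whose style hides their content
        self.links = []        # dicts: href, text, hidden
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if HIDDEN_STYLE.search(a.get("style") or ""):
            self.hidden_tags.append(tag)
        if tag == "a" and a.get("href"):
            self._current = {"href": a["href"], "text": "", "hidden": bool(self.hidden_tags)}
    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None
        if self.hidden_tags and self.hidden_tags[-1] == tag:
            self.hidden_tags.pop()
def link_reasons(link, trusted_domain):
    """Why one parsed link deserves a second look (empty list if it looks ordinary)."""
    host = (urlparse(link["href"]).hostname or "").lower()
    shown = DOMAIN_IN_TEXT.search(link["text"])  # domain the reader sees
    return [name for name, bad in (
        ("hidden", link["hidden"]),
        ("off-domain", host != trusted_domain and not host.endswith("." + trusted_domain)),
        ("text/href mismatch", shown is not None and shown.group(0).lower() != host),
    ) if bad]
def audit_links(html, trusted_domain):
    """[(href, reasons)] for links in an HTML mail worth checking before anyone clicks."""
    parser = LinkAuditor()
    parser.feed(html)
    return [(l["href"], r) for l in parser.links if (r := link_reasons(l, trusted_domain))]
```

Running audit_links(SAMPLE_EMAIL_HTML, "example.edu") leaves the genuine link to the student page alone and reports the other three, which is the short list a responder would open only in a sandbox.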
Current thread:
- Interesting spear phishing attempt against IT Basgen, Brian (Feb 05)
- <Possible follow-ups>
- Re: Interesting spear phishing attempt against IT Hunt, Keith A (Feb 06)
- Re: Interesting spear phishing attempt against IT Brian Allen (Feb 06)
- Re: Interesting spear phishing attempt against IT Joel Rosenblatt (Feb 06)
- Re: Interesting spear phishing attempt against IT Ozzie Paez (Feb 06)
- Re: Interesting spear phishing attempt against IT Basgen, Brian (Feb 08)