Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 12 Jun 2008 09:52:58 -0500

Clyde, Steve, and the group,

We are getting these as well, in increasing numbers.  The last one this
week raised the bar again by the fact that the entity initiating the attack
used the exact term we use for our network identities vs. the generic
"username", they included a school copyright message at the bottom to make
it look more legit, and they used a reply-to address that included our
school name @gmail.com.

Our clients are getting used to them now, and we manually blocked outbound
responses before anyone replied (this time) but...  with 30,000+ active
accounts and the fact that it only takes 1 compromised account to make a
mess, it is worrisome to rely on manually blocking responses once the
phishing message has arrived.

Thanks,

Chris Gregg
Director of Information Security
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu


Phone: 651.962.6265

-----Original Message-----
From: STEVE MAGRIBY [mailto:magriby () UT EDU]
Sent: Thursday, June 12, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

We would love to work with you in trying to determine how this can be
stopped.

Our email system has been under attack for more than a month. We have
had the phishing attacks and have had "at least" several of our accounts
hijacked and used for spam.

We have spent hours on the phone with vendor support for our email, our
spam filters and our virus software. All three vendors have told us that
our systems were configured correctly (and yet our reputation also was
in the toilet).

We know that if our usernames and passwords are hijacked there is not
much that can be done. However, we are still looking at how we could
take a more "proactive" approach to preventing this instead of being
forced to react continuously to a new wave of attacks.

Please let us know if you come up with any solutions.

Thanks.

Steve Magriby
Director of Instructional Technology
The University of Tampa
Tampa, FL  33606
smagriby () ut edu

-----Original Message-----
From: WILLIAM I ARNOLD
Sent: Wednesday, June 11, 2008 4:16 PM
To: Stephen Magriby; CARMEN GONZALEZ
Cc: TRACEY POTTER
Subject: FW: [SECURITY] FYI: Another round of spear Phishing

FYI

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clyde Hoadley
Sent: Wednesday, June 11, 2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing

We have been targeted by three separate spear phishing attacks in the past
six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

      Dear customer,

      We write to notify you that we will be carring out some temporary
      maintenance on our service due to congestion in all customers email
      account. Please be informed that customers will be restricted from
      accessing their e-mail account in fews days time. This is to guide
      against SPAM and will also enable us to update all e-mail account for
      a better services. In regards,you are required to send your account
      information to our MAIL CONTROL UNIT for the immediate maintenance and update.

      User id:........................
      Password:.......................
      Date of Birth:..................
      Country:........................

      ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com


We've done all we know how to do to warn people about these (and to filter
them out) but it only takes one person to take the bait to give us a
black eye - Two did take the bait so we've got two black eyes!

The third one, which came in this morning, was an IRS phish, targeted by name,
institution and phone number.

      Bxxxx Hxxxxxxx
      Metropolitan State College of Denver
      (303) 35x-4xxx
                                     -NOTICE OF DEFICIENCY-

      Dear Bxxxx Hxxxxxxx,

           We have determined that you owe additional tax and other amounts, or both,
      for the tax year(s) identified above.  This letter is your NOTICE OF DEFICIENCY,
      as required by law.  The enclosed statement shows how we figured the deficiency.


It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective.  I need fresh input.  I would be
interested in hearing your strategies to Prevent, Detect and Respond to these
Phishing attacks - in particular the attacks aimed at hijacking Web Mail
accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
