Educause Security Discussion mailing list archives
Re: phishing attack using copied University website
From: Martin Manjak <mm376 () ALBANY EDU>
Date: Tue, 14 Jul 2009 12:08:03 -0400
We had a very similar incident in the spring where the phishers sent a message with a link rather than a reply-to. The link went to an exact replica of our webmail (SquirrelMail) log-in page. Like the NCSU incident, they were pulling the images live from our server. The page was hosted by brinskter.net in Phoenix, AZ. Our state Cyber Security agency was successful in contacting the hosting company to have the site taken down.

Jonathan Byrne wrote:

On 7/13/09 4:03 PM, "TIMOTHY S GURGANUS" <tsgurgan () NCSU EDU> wrote:

NCSU email users were the target of a phishing attack last Thursday night. This attack was different from others we have been receiving and I hope it is not a harbinger of things to come. I have read of this happening to other schools, but I'm wondering how common this attack is versus the usual phishing that uses only email.

Interesting. I own the anti-phishing ruleset at IronPort; this is the first instance I've seen of a decent website copy being used in a credential phishing attack. Heretofore, it's been mostly email response, and from time to time a fairly generic webform. Sometimes the form is sent as an attachment with JavaScript to hand the info off to a server.

In the world of financial phishing, the copied website approach is standard, of course, and some of the fake sites are very, very good.

We have a lot of evidence that the credential phishing attacks are mostly being driven by 419 scammers, and my working theory for why they usually ask for an email response is because running scams from free webmail accounts is what 419ers know. Most of them seem to have little knowledge of technology, being mostly old-style con men (and women) operating in a new medium.

Financial phishing, on the other hand, is mostly carried out by Russians and other eastern Europeans, and they bring a lot more technical skill to the table. It may be the case that they are starting to cross over to credential phishing.

Cheers,
Jonathan
--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
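The thread notes that the copied log-in pages pulled their images live from the real server, which leaves a trace in that server's access log. The following is an added example, not part of the original messages: it scans access-log lines for log-in page assets requested with a Referer on a host the institution does not own. The combined log format, the hostnames in `OWN_HOSTS`, and the asset path prefix are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the thread): Apache/nginx "combined" log format,
# our own hostnames, and the path prefix of the webmail log-in page images.
OWN_HOSTS = {"webmail.example.edu", "www.example.edu"}
LOGIN_ASSET = re.compile(r"^/(?:webmail|squirrelmail)/images/", re.I)
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def foreign_referers(lines):
    """Map each foreign Referer host to its hit count, client IPs and first
    timestamp, for log-in page assets embedded by pages we do not host."""
    found = {}
    for line in lines:
        m = COMBINED.match(line)
        if not m or not LOGIN_ASSET.match(m["path"]):
            continue
        host = (urlparse(m["referer"]).hostname or "").lower()
        # An empty Referer ("-") is normal for direct loads; it is not evidence.
        if not host or host in OWN_HOSTS:
            continue
        entry = found.setdefault(
            host, {"hits": 0, "clients": set(), "first_seen": m["ts"]})
        entry["hits"] += 1
        # Each client here is a browser that rendered the foreign page.
        entry["clients"].add(m["ip"])
    return found

# Constructed sample lines (documentation IP ranges, example domains).
T = '[01/Jan/2024:21:%s -0400] "GET %s HTTP/1.1" 200 5120 "%s" "Mozilla/5.0"'
IMG = "/webmail/images/sm_logo.png"
SAMPLE = [
    "198.51.100.7 - - " + T % ("14:02", IMG, "https://webmail.example.edu/src/login.php"),
    "203.0.113.20 - - " + T % ("15:40", IMG, "http://copy.example.net/login.html"),
    "203.0.113.21 - - " + T % ("17:05", IMG, "http://copy.example.net/login.html"),
    "203.0.113.22 - - " + T % ("18:11", IMG, "-"),
    "203.0.113.20 - - " + T % ("19:30", "/index.html", "http://copy.example.net/login.html"),
]

if __name__ == "__main__":
    for host, e in sorted(foreign_referers(SAMPLE).items()):
        print(f"{host}: {e['hits']} hits from {len(e['clients'])} clients, "
              f"first seen {e['first_seen']}")
```

The client IPs collected per foreign host give a starting list of users who opened the copied page and may need a password reset.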