Educause Security Discussion mailing list archives
Re: Compromised accounts at other institutes
From: Bob Bayn <bob.bayn () USU EDU>
Date: Fri, 25 Apr 2014 17:20:56 +0000
I try to send direct notification to the "abuse" and "helpdesk" address at any .edu, .k12, .org or health organization that is spamming us with phish. If they both bounce, I will generally search the site to find another technical contact address or contact form. (Do YOU have those default reporting addresses?)

I have a few hundred "Internet Skeptics" who report novel phish sites to me, along with a target list of about 3 dozen web form hosting services that we alert on but do not block in our inbound email. As a result I respond to about 2 dozen different phish attacks per day. In addition to notifying the host of the sender address, we report the phish link to Google and to the hosting sites, whether free web hosts or hacked sites. Those actions help the whole community, I hope.

The phish links that we take action against are all reported on a public Google Docs spreadsheet at:
https://docs.google.com/spreadsheet/ccc?key=0AlMnxApOMKl_dEhVa3RCRG5uclVZNFZrY3hOSmFpaUE&usp=sharing

The target list of web form hosting sites that we alert on is at:
https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/

Some of the hosting services respond very promptly to our abuse reports, others not so much.

Phish victims are very infrequent here and I hope to keep it that way. (We did lose one to a Direct Deposit phish a few months ago, though.)

Bob Bayn
SER 301
(435)797-2396
IT Security Team
Office of Information Technology, Utah State University

Do you know the "Skeptical Hover Technique" and how to tell where a web link really goes?
See: https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Frank Barton [bartonf () HUSSON EDU]
Sent: Friday, April 25, 2014 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Compromised accounts at other institutes

We are seeing a massive increase in the number of spear-phishing attempts being directed at our users. Many of these are coming from compromised accounts at other universities. The couple of folks that we have had fall for these phishing attempts seem to have their accounts used to send further spear-phishing attempts to yet more universities.

Aside from the obvious account security steps to take when we detect a compromised account on our system, what steps (if any) are others taking when you get messages that are symptomatic of compromised accounts at other universities?

Thank You

--
Frank Barton
Apple Certified Mac Technician
Technology Support Coordinator
Husson University
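
The triage described in Bob Bayn's reply above (alert on links to form-hosting services without blocking, then notify the "abuse" and "helpdesk" addresses at the sender's domain), sketched as an added example that is not code from the thread or from USU. The watch-list hosts, the sample message, the function names and the domain-suffix matching are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed watch list; the real target list is the USU page linked in the reply.
FORM_HOSTS = {"forms.example", "formhost.example"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample: phish sent from a compromised account at another institution.
SAMPLE = """From: IT Service Desk <j.doe@example.edu>
To: staff@campus.example
Subject: Mailbox quota exceeded

Your mailbox is full. Validate here: https://webmail-upgrade.forms.example/f/12345
Policy: https://www.campus.example/policy
"""

def on_watch_list(host, watch=FORM_HOSTS):
    """True if host is a watched form service or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watch)

def notifiable(domain):
    """Assumption: match the .edu/.k12/.org categories by domain suffix."""
    return domain.endswith((".edu", ".org")) or ".k12." in domain

def triage(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    # Collect text from every non-multipart part of the message.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    flagged = [u for u in URL_RE.findall(body) if on_watch_list(urlsplit(u).hostname)]
    notify = []
    if flagged and notifiable(domain):
        # Default reporting addresses named in the reply.
        notify = [f"abuse@{domain}", f"helpdesk@{domain}"]
    # Alert only: the message is delivered, not blocked.
    return {"sender_domain": domain, "flagged_links": flagged,
            "notify": notify, "action": "alert" if flagged else "none"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```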