Re: InfoSec Alert from University of Cincinnati

[Dan Oachs <doachs () GAC EDU>]

We were hit by a very similar spear phishing attack early last week. 
Ours was mostly sent to faculty/employees. A couple of them forwarded us 
the email and shortly after that I blocked our mailservers from 
receiving or sending email to either of the addresses. I checked our 
logs and luckily no one had tried to reply to that message (using our 
mailservers anyway ) before I was able to block it.

I didn't notice the attack at first mainly because my spamassassin 
settings caused it to get a high enough score that it went into my spam 
folder. Obviously this was not the case for everyone.

A little more info available here: 
http://coreservices.blog.gustavus.edu/2008/01/23/phishing-email-sent-to-gustavus-accounts-yesterday/

Thanks,
Dan Oachs
Gustavus Adolphus College



Mclaughlin, Kevin (mclaugkl) wrote:
> Hi Everyone:
>
> Just some information I thought you might be interested in.
>
> We were hit by a Spear Phishing attack on Friday. This attack proved 
> to be pretty successful against the members of our community and 
> caused a lot of extra work for our email services team over the 
> weekend. The attack basically asked members of our student email 
> community to send their passwords to a member of the UC email support 
> team (see actual email below). We had put an alert out via our IT and 
> technology listserve groups early Friday when we got wind of this but 
> surprisingly (or not surprisingly) a large percentage of our students 
> fell for this particular attack. What was even more interesting was 
> that our Mirapoint SPAM filters assigned this a low likelihood of SPAM 
> value even though the “From” and “Reply To” addresses were completely 
> different domains.
>
> -Kevin
>
> *========================================= Information Security Alert 
> ======================================================== *
>
> UC Information Security has received a report of a new spear-phishing 
> attempt against UC email users. Spear-Phishing is a phishing campaign 
> tailored to a specific target group, using language or information to 
> pacify suspicions of the target group.
>
> This phishing attempt requests the user to send their password in a 
> reply email. Please alert your communities to this threat and remind 
> them that UCit will never ask for a password to be sent by email!
>
> *The Phishing message looks like this. (Note that the return address 
> is a yahoo account): *
>
> From: "EMAIL.UC.EDU SUPPORT" <support () email uc edu>
>
> Date: January 24, 2008 9:36:14 AM EST
>
> To: undisclosed-recipients:;
>
> Subject: Confirm Your E-mail Address
>
> Reply-To: youfidnet () yahoo com
>
> Dear Email.uc.edu Subscriber,
>
> To complete your email.uc.edu account, you must reply to this email
>
> immediately and enter your password here (*********)
>
> Failure to do this will immediately render your email address
>
> deactivated from our database.
>
> You can also confirm your email address by logging into your
>
> email.uc.edu account at https://email.uc.edu
>
> Thank you for using EMAIL.UC.EDU !
>
> EMAIL.UC.EDU TEAM
>
> *=================================== End Information Security Alert 
> ========================================== *
>
> Kevin L. McLaughlin
>
> CISM, CISSP, GIAC,PMP, ITIL Master Certified
>
> Director, Information Security
>
> University of Cincinnati
>
> 513-556-9177 (w)
>
> 513-703-3211 (m)
>
> 513-558-ISEC (department)
>
> UC-Logo-800
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and its content is 
> confidential, intended solely for the addressee, and may be legally 
> privileged. Access to this message and its content by any individual 
> or entity other than those identified in this message is unauthorized. 
> If you are not the intended recipient, any disclosure, copying or 
> distribution of this e-mail may be unlawful. Any action taken or 
> omitted due to the content of this message is prohibited and may be 
> unlawful.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature