Educause Security Discussion mailing list archives
Re: InfoSec Alert from University of Cincinnati
From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Mon, 28 Jan 2008 08:53:08 -0700
We received a similar phish at cc.usu.edu last week, about 800 copies. Since one copy went to our student newspaper address and our followup message did, too, there was an article in that paper about it. Then the local newspaper picked up on it and ran a headline article (on a slow news day here, obviously).

See: http://tinyurl.com/2jf834 or http://media.www.utahstatesman.com/media/storage/paper243/news/2008/01/25/CampusNews/Phishing.Message.Targets.Usu.Webmail.Users-3169098.shtml and http://hjnews.townnews.com/articles/2008/01/26/news/news02.txt

We also received a message this morning from cert () SURFnet nl asking for confirmation of the source IP because a similar phish ("in Dutch, of course") was seen at TU Delft.

Bob Bayn
IT Security Team coord
Utah State University
Logan, Utah
We were hit by a very similar spear phishing attack early last week. Ours was mostly sent to faculty/employees. A couple of them forwarded us the email and shortly after that I blocked our mailservers from receiving or sending email to either of the addresses. I checked our logs and luckily no one had tried to reply to that message (using our mailservers anyway) before I was able to block it.
I didn't notice the attack at first mainly because my spamassassin settings caused it to get a high enough score that it went into my spam folder. Obviously this was not the case for everyone.
A little more info available here: http://coreservices.blog.gustavus.edu/2008/01/23/phishing-email-sent-to-gustavus-accounts-yesterday/
Thanks, Dan Oachs Gustavus Adolphus College
Mclaughlin, Kevin (mclaugkl) wrote:

Hi Everyone:

Just some information I thought you might be interested in. We were hit by a Spear Phishing attack on Friday. This attack proved to be pretty successful against the members of our community and caused a lot of extra work for our email services team over the weekend. The attack basically asked members of our student email community to send their passwords to a member of the UC email support team (see actual email below). We had put an alert out via our IT and technology listserve groups early Friday when we got wind of this but surprisingly (or not surprisingly) a large percentage of our students fell for this particular attack. What was even more interesting was that our Mirapoint SPAM filters assigned this a low likelihood of SPAM value even though the “From” and “Reply To” addresses were completely different domains.

-Kevin
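The two signals described in the message above (a Reply-To address in a different domain from the From address, in mail that asks for a password) can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not the logic of any filter named in it; the sample messages and the example.edu / example.net domains are constructed, and treating the last two DNS labels as the organizational domain is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

def header_orgs(msg, header):
    """Organizational domains of every address in one header.
    Assumption: the last two DNS labels stand in for the organizational
    domain; a production filter would consult the Public Suffix List."""
    orgs = set()
    for _name, addr in getaddresses(msg.get_all(header, [])):
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
            orgs.add(".".join(domain.split(".")[-2:]))
    return orgs

def body_text(msg):
    """Concatenate the text/plain parts, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw):
    """Flag mail whose replies leave the sender's domain and that asks for a password."""
    msg = message_from_string(raw)
    foreign = sorted(header_orgs(msg, "Reply-To") - header_orgs(msg, "From"))
    asks = bool(re.search(r"\bpasswords?\b", body_text(msg), re.IGNORECASE))
    return {"foreign_reply_to": foreign, "asks_for_password": asks,
            "flag": bool(foreign) and asks}

# Constructed sample messages (not taken from the thread).
PHISH = ("From: Email Support <support@example.edu>\n"
         "Reply-To: helpdesk@mail.example.net\n"
         "Subject: Confirm your account\n\n"
         "Send your username and password to avoid deactivation.\n")
LEGIT = ("From: IT Help <help@example.edu>\n"
         "Reply-To: tickets@lists.example.edu\n"
         "Subject: Password resets\n\n"
         "Reset your password in person at the help desk.\n")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw))
```

Neither signal is conclusive alone: mailing lists and ticketing systems legitimately set a Reply-To elsewhere, which is why the sketch only flags the combination.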