Educause Security Discussion mailing list archives

Re: InfoSec Alert from University of Cincinnati


From: "David A. Batastini" <DavidB () URI EDU>
Date: Mon, 28 Jan 2008 11:02:28 -0500

Kevin,

The University of Rhode Island was also hit by a very
similar (the same) attack. Ours started Saturday morning around 10am. We
received ~60 rounds of the e-mail to an unknown number of recipients, and
are still in the process of cleaning up. Thankfully, we were able to
intercept all but 2 outgoing replies which significantly mitigated the risk.




We are using this as a means to educate our users. We've been in touch with
our campus newspaper and the Communications group to ensure something like
this does not have the same effect in the future.



The message sent to University of Rhode Island accounts:



To: helpdesk () uri edu
Subject: Confirm Your E-mail Address
Message-ID: <1201358899.479b4833a13e7 () arrowana singnet com sg>
Date: Sat, 26 Jan 2008 22:48:19 +0800 (SGT)
From: URI SUPPORT TEAM <huixian6 () singnet com sg>
Reply-To: verificationteam24 () hotmail com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
User-Agent: SingNet WebMail

-----Original Message-----
From: URI SUPPORT TEAM [mailto:huixian6 () singnet com sg]
Sent: Saturday, January 26, 2008 9:48 AM
To: helpdesk () uri edu
Subject: Confirm Your E-mail Address



Dear uri Subscriber,



To complete your uri account, you must reply to this email immediately and
enter your password here (*********)



Failure to do this will immediately render your email address in-active from
our database.



You can also confirm your email address by logging into your uri account
at: https://webmail.uri.edu/



Thank you for using uri.edu!

THE URI.EDU TEAM







--
David Batastini, GCIH
URI ITS Security
DavidB<at>uri.edu <mailto:davidb () uri edu>
048 Tyler Hall
p. (401) 874-2663





From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Monday, January 28, 2008 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] InfoSec Alert from University of Cincinnati



Hi Everyone:



Just some information I thought you might be interested in.



We were hit by a Spear Phishing attack on Friday.  This attack proved to be
pretty successful against the members of our community and caused a lot of
extra work for our email services team over the weekend.  The attack
basically asked members of our student email community to send their
passwords to a member of the UC email support team (see actual email below).
We had put an alert out via our IT and technology listserve groups early
Friday when we got wind of this but surprisingly (or not surprisingly) a
large percentage of our students fell for this particular attack. What was
even more interesting was that our Mirapoint SPAM filters assigned this a
low likelihood of SPAM value even though the "From" and "Reply To" addresses
were completely different domains.



-Kevin



========================================= Information Security Alert
========================================================



UC Information Security has received a report of a new spear-phishing
attempt against UC email users.  Spear-Phishing is a phishing campaign
tailored to a specific target group, using language or information to pacify
suspicions of the target group.



This phishing attempt requests the user to send their password in a reply
email. Please alert your communities to this threat and remind them that
UCit will never ask for a password to be sent by email!



The Phishing message looks like this.  (Note that the return address is a
yahoo account):



        From: "EMAIL.UC.EDU SUPPORT" <support () email uc edu>
        Date: January 24, 2008 9:36:14 AM EST
        To: undisclosed-recipients:;
        Subject: Confirm Your E-mail Address
        Reply-To: youfidnet () yahoo com





        Dear Email.uc.edu Subscriber,

        To complete your email.uc.edu account, you must reply to this email
        immediately and enter your password here (*********)

        Failure to do this will immediately render your email address
        deactivated from our database.

        You can also confirm your email address by logging into your
        email.uc.edu account at https://email.uc.edu

        Thank you for using EMAIL.UC.EDU !

        EMAIL.UC.EDU TEAM



=================================== End Information Security Alert
==========================================





Kevin L. McLaughlin
CISM, CISSP, GIAC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)









CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential,
intended solely for the addressee, and may be legally privileged. Access to
this message and its content by any individual or entity other than those
identified in this message is unauthorized. If you are not the intended
recipient, any disclosure, copying or distribution of this e-mail may be
unlawful. Any action taken or omitted due to the content of this message is
prohibited and may be unlawful.
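
The thread notes that both lures pair a campus-looking "From" with an outside "Reply-To" and ask for a password by reply. The Python check below is an added example, not part of the original messages and not a description of how Mirapoint scores mail; it combines those signals for inbound triage. The rule names, the threshold, the two-label domain heuristic and `example.edu` are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: wording modelled on the lure quoted in the thread.
PASSWORD_LURE = re.compile(r"\b(enter|send|confirm)\b.{0,60}\bpassword\b", re.I | re.S)

def org_domain(header_value, labels=2):
    """Last `labels` DNS labels of the address; crude, no public-suffix list."""
    host = parseaddr(header_value)[1].rpartition("@")[2].lower()
    return ".".join(host.split(".")[-labels:])

def reasons(raw, local_domain):
    """Return the list of rules a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = org_domain(msg.get("From", ""))
    reply_dom = org_domain(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_domain_mismatch")
    claims_local = from_dom == local_domain or local_domain in display
    if claims_local and reply_dom and reply_dom != local_domain:
        hits.append("local_sender_replies_leave_org")
    if PASSWORD_LURE.search(body):
        hits.append("password_solicitation")
    return hits

def is_suspect(raw, local_domain, threshold=2):
    # A mismatch alone is common (mailing lists), so require two signals.
    return len(reasons(raw, local_domain)) >= threshold

# Constructed samples; example.edu stands in for the campus domain.
PHISH = ('From: "EXAMPLE.EDU SUPPORT" <support@mail.example.edu>\n'
         'Reply-To: verify@freemail.example\n'
         'Subject: Confirm Your E-mail Address\n\n'
         'You must reply to this email immediately\n'
         'and enter your password here (*********)\n')
LIST_POST = ('From: Alice <alice@dept.example.org>\n'
             'Reply-To: staff-l@lists.example.net\n'
             'Subject: Minutes\n\nMinutes from Tuesday are attached.\n')
BENIGN = ('From: Help Desk <helpdesk@example.edu>\n'
          'Reply-To: helpdesk@example.edu\n'
          'Subject: Maintenance\n\nWebmail is down Saturday 2-4 am.\n')

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("list", LIST_POST), ("benign", BENIGN)]:
        print(name, is_suspect(raw, "example.edu"), reasons(raw, "example.edu"))
```

The same `org_domain` comparison can be applied to the recipient of outbound mail to hold replies addressed to a reported Reply-To address.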



