Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Fri, 14 Mar 2008 11:30:51 -0400

Just so everyone knows how serious this is, and for a good laugh for you
all and a sore forehead for me (after banging my head on the desk):

Our helpdesk folks sent out a message to our campus telling people not
to reply to this e-mail or similar e-mails.  One user responded back to
their e-mail with the requested information.  Yep, username, password,
DOB, and country.

The ignorance and carelessness of people astounds me.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian Friday
Sent: Friday, March 14, 2008 11:11 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New e-mail attack using valid webmail accounts

Just got a user reporting to have received one of these messages just
this morning. Unfortunately they forwarded the message without headers  
so still waiting for the juicy details.

From address was "EDU ACCOUNT UPGRADE TEAM <arippy () purdue edu>"
And of course the reply to went to a live.com address

Brian Friday
Manager, La Sierra University's IT: Infrastructure Department
Tel: (951) 785-2900 / Fax: (951) 785-2908
Riverside, CA 92515
Email: bfriday () lasierra edu

Infrastructure: It is the telephone on your desk, the wires in your  
walls, the email you check daily, and the network that ties it all  
together.


On Mar 14, 2008, at 6:41 AM, Zach Jansen wrote:

For the good of the group, below is the phishing email that we've  
been seeing. There are typically minor variations between each  
version including the use of the term "webmail" or minor  
customization targeted towards the specific institution ("CALVIN  
WEBMAIL TEAM"). In doing some research on one that we received today  
I found that Purdue put out an alert on it:
http://www.purdue.edu/securePurdue/news/detail.cfm?NewsID=189

Replies typically go to a hotmail, live.com, or yahoo address. All  
of the emails we have received have come through .edu mail servers.

Here's the message:

VERIFY YOUR EMAIL ACCOUNT NOW

Dear Email Account Owner,

This message is from educational messaging center to all our email
account owners. We are currently upgrading our data base and e-mail
account center. We are deleting all our edu email accounts to create
more space for new accounts.

To prevent your edu account from closing you will have to update it
below so that we will know that it's a presently used account.

We have been sending this notice to all our email account owners and
this is the last notice/verification exercise.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her account
within Seven days of receiving this warning will lose his or her
account permanently.

Thank you for using edu!
Warning Code:VX2G99AAJ
Thanks,
Edu Account Upgrade Team


-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
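
The traits reported in this thread (a Reply-To at hotmail, live.com or yahoo that differs from the .edu From domain, and a form asking for username and password) can be checked mechanically at the mail gateway. The following is an added example, not part of any list member's message; the function names, finding labels and both sample messages are constructed for illustration, and "hotmail" and "yahoo" are assumed to mean the .com domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers named in the thread as reply destinations (.com assumed).
FREEMAIL = {"hotmail.com", "live.com", "yahoo.com"}
# Fields the quoted phishing form asks the recipient to fill in.
CRED_TERMS = ("username", "password", "date of birth")

def domain(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def body_text(msg):
    """Concatenate decoded text/plain parts (handles multipart and base64)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_message(raw):
    """Return the list of indicators from the thread that a raw message matches."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain(msg.get("From")), domain(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    if reply_dom in FREEMAIL:
        findings.append("reply-to-freemail")
    body = body_text(msg).lower()
    hits = [t for t in CRED_TERMS if t in body]
    # A bare mention of "password" (e.g. a helpdesk warning) is not enough.
    if "password" in hits and len(hits) >= 2:
        findings.append("credential-request-form")
    return findings

# Constructed sample modelled on the message quoted in the thread.
PHISH_SAMPLE = """\
From: EDU ACCOUNT UPGRADE TEAM <sender@university.example>
Reply-To: placeholder@live.com
Subject: VERIFY YOUR EMAIL ACCOUNT NOW

Email Username : ..........
EMAIL Password : ..........
Date of Birth : ..........
"""
# Constructed benign sample: a helpdesk warning that only mentions passwords.
BENIGN_SAMPLE = """\
From: Helpdesk <helpdesk@university.example>
Subject: Phishing warning

Do not reply to any message asking for your password.
"""
```

Because the senders were valid .edu webmail accounts, the From domain alone gives no signal; the Reply-To mismatch and the credential form are what distinguish these messages.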
