Educause Security Discussion mailing list archives

Re: New e-mail attack using valid webmail accounts


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 14 Mar 2008 11:10:13 -0500

Got one here also - here are the relevant headers


Received: from mailhub131.itcs.purdue.edu (mailhub131.itcs.purdue.edu [128.210.5.131])
        by cstmta4.siu.edu (Switch-3.3.0/Switch-3.3.0) with ESMTP id m2EB6TYg026110
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
        Fri, 14 Mar 2008 06:06:30 -0500 (CDT)
Received: from mailhub209.itcs.purdue.edu (mailhub209.itcs.purdue.edu [128.210.5.209])
        by mailhub131.itcs.purdue.edu (8.14.2/8.14.2/smtp.purdue.edu) with ESMTP id m2EB4HBH000423;
        Fri, 14 Mar 2008 07:04:17 -0400
Received: from mailhub209.itcs.purdue.edu (localhost.localdomain [127.0.0.1])
        by mailhub209.itcs.purdue.edu (8.12.11.20060308/8.12.11/webmail-httpd) with ESMTP id m2EB4GkM022261;
        Fri, 14 Mar 2008 07:04:17 -0400
Received: (from apache@localhost)
        by mailhub209.itcs.purdue.edu (8.12.11.20060308/8.12.11/Submit) id m2EB45P7022257;
        Fri, 14 Mar 2008 07:04:05 -0400
X-Authentication-Warning: mailhub209.itcs.purdue.edu: apache set sender to arippy () purdue edu using -f
Received: from 80.255.59.244 ([80.255.59.244])
        by webmail.purdue.edu (IMP) with HTTP
        for <arippy () arippy mail purdue edu>; Fri, 14 Mar 2008 07:04:03 -0400
Message-ID: <1205492643.47da5ba36e388 () webmail purdue edu>
Date: Fri, 14 Mar 2008 07:04:03 -0400
From: EDU ACCOUNT UPGRADE TEAM <arippy () purdue edu>
Reply-to: accountupgrades.2008 () live com
Subject: FINAL VERIFICATION OF YOUR EMAIL ACCOUNT
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2-cvs
X-PMX-Version: 5.4.0.320885
X-PerlMx-Virus-Scanned: Yes
X-Spam-Score: 0.00%
X-MASF: 0.00%
Bcc:
Return-Path: arippy () purdue edu
X-OriginalArrivalTime: 14 Mar 2008 11:06:32.0092 (UTC) FILETIME=[75C375C0:01C885C3]


Brian Friday wrote:


Just got a user reporting to have received one of these messages just
this morning. Unfortunately they forwarded the message without headers,
so still waiting for the juicy details.

 From address was "EDU ACCOUNT UPGRADE TEAM <arippy () purdue edu>"
And of course the reply to went to a live.com address

Brian Friday
Manager, La Sierra University's IT: Infrastructure Department
Tel: (951) 785-2900 / Fax: (951) 785-2908
Riverside, CA 92515
Email: bfriday () lasierra edu

Infrastructure: It is the telephone on your desk, the wires in your
walls, the email you check daily, and the network that ties it all
together.


On Mar 14, 2008, at 6:41 AM, Zach Jansen wrote:

For the good of the group, below is the phishing email that we've been
seeing. There are typically minor variations between each version
including the use of the term "webmail" or minor customization
targeted towards the specific institution ("CALVIN WEBMAIL TEAM"). In
doing some research on one that we received today I found that Purdue
put out an alert on it:
http://www.purdue.edu/securePurdue/news/detail.cfm?NewsID=189

Replies typically go to a hotmail, live.com, or yahoo address. All of
the emails we have received have come through .edu mail servers.

Here's the message:

VERIFY YOUR EMAIL ACCOUNT NOW

Dear Email Account Owner,

This message is from educational messaging center to all our email
account owners. We are currently upgrading our data base and e-mail
account center. We are deleting all our edu email accounts to create
more space for new accounts.

To prevent your edu account from closing you will have to update it below
so that we will know that it's a presently used account.

We have been sending this notice to all our email account owners and
this is the last notice/verification exercise.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Country or Territory : ..........

Warning!!! Account owner that refuses to update his or her account
within Seven days of receiving this warning will lose his or her account
permanently.

Thank you for using edu!
Warning Code:VX2G99AAJ
Thanks,
Edu Account Upgrade Team


--

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550


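The headers Curt posted carry several signals a mail gateway or triage script can key on: a Reply-To domain that differs from the From domain (and lands at a freemail provider, as Zach notes), a webmail (IMP over HTTP) Received line showing the login came from an off-campus address, and the X-Authentication-Warning recording that the webmail process overrode the sender. The following is an added example, not part of the thread, that parses a header block and reports those indicators; the sample headers, addresses, IPs and the "campus" network range are constructed placeholders modelled on the posted message.

```python
import ipaddress
import re
from email import policy
from email.parser import HeaderParser

# Constructed sample modelled on the headers posted in the thread; the
# hostnames, addresses and client IP are placeholders, not the real values.
SAMPLE_HEADERS = """\
Received: from mailhub.example.edu (mailhub.example.edu [192.0.2.9])
        by mta.example.org with ESMTP id m2EB6TYg026110;
        Fri, 14 Mar 2008 06:06:30 -0500 (CDT)
X-Authentication-Warning: mailhub.example.edu: apache set sender
        to user@example.edu using -f
Received: from 203.0.113.7 ([203.0.113.7])
        by webmail.example.edu (IMP) with HTTP
        for <user@example.edu>; Fri, 14 Mar 2008 07:04:03 -0400
From: EDU ACCOUNT UPGRADE TEAM <user@example.edu>
Reply-To: accountupgrades.2008@live.com
Subject: FINAL VERIFICATION OF YOUR EMAIL ACCOUNT
User-Agent: Internet Messaging Program (IMP) 3.2-cvs

"""

FREEMAIL = {"live.com", "hotmail.com", "yahoo.com"}   # reply-to domains seen in the thread
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed campus range (placeholder)

def _domain(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def phish_indicators(raw_headers, campus_nets=CAMPUS_NETS):
    """Return the indicator names triggered by a raw (folded) header block."""
    # policy.default unfolds continuation lines for us
    msg = HeaderParser(policy=policy.default).parsestr(raw_headers)
    hits = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_domain_mismatch")
    if reply_dom in FREEMAIL:
        hits.append("freemail_reply_to")
    # Webmail submissions record the browser's IP in a 'with HTTP' Received line
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from (\d+\.\d+\.\d+\.\d+) .*with HTTP", rcvd, re.S)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in campus_nets):
            hits.append("webmail_login_from_offcampus_ip")
    # Sendmail logs the webmail process forcing the envelope sender with -f
    if "set sender" in (msg.get("X-Authentication-Warning") or ""):
        hits.append("sender_override")
    return hits

if __name__ == "__main__":
    print(phish_indicators(SAMPLE_HEADERS))
```

Any one indicator alone is noisy (legitimate users do log in to webmail from home), so in practice these are scored together rather than blocked on individually.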