Re: strange campus "surveys"

["Pace, Guy" <gpace () CIS CTC EDU>]

Well, all the domains are owned by:

Tech Organization:NameCheap.com
Tech Street1:8939 S. Sepulveda Blvd. #110 -
Tech Street2:732
Tech Street3:
Tech City:Westchester
Tech State/Province:CA
Tech Postal Code:90045
Tech Country:US
Tech Phone:+1.6613102107
Tech Phone Ext.:

Registrant Contact:
   NameCheap.com
   NameCheap.com NameCheap.com (support () NameCheap com)
   +1.6613102107
   Fax: +1.6613102107
   8939 S. Sepulveda Blvd. #110 - 732
   Westchester, CA 90045
   US

Sounds like one of those sleazy outfits that try to build sites that look like your school, but just used to lure 
students in and inundate them with loan come-ons and credit card scams. The email is probably a first pass recruiting 
tool. Once they get students to bite, they then turn those students into recruiters or "opinion leaders." Yeah, the BS 
meter should be pegged hard 'bout now. I would treat it like any other SPAM and filter it.
Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724
gpace () cis ctc edu
From: John Quigley [mailto:jquigley () TENNESSEE EDU]
Sent: Friday, February 08, 2008 10:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] strange campus "surveys"

All,

Our users have been receiving messages asking for their participation in a survey. In most cases I've seen, the content 
of the email and the linked survey are similar but the domain names are different. After I saw the first of these, my 
impression was that this was some student-run company trying to bootstrap their market research by soliciting feedback 
from potential customers. The "About our project" link on the web pages supports this theory. After the examples 
started to pour in, though, I'm afraid something else might be going on.

If the surveys asked for sensitive information (account information, passwords, identifiers, etc), I would have this 
pigeonholed as classic phishing, but the survey only asks for information related to the user's preferences regarding 
IM, text messages, social networking, etc. In this regard it seems like a regular survey. I'm concerned as to why there 
are so many variants of this. Could it be that 10 or more legitimate startups are using the same email and web 
templates to solicit the same information from the same people in a short spam of time? Maybe, but my BS-meter is 
pegged right now.

Perhaps it's a drive-by browser attack. Because of that possibility, visiting the following links is not necessarily 
recommended without taking precautions. Surfer beware.

Below are some links we've seen in these emails and examples of 3 variants. If anyone has figured this one out, please 
contact me on or off list.

http://www.CampusOpinion.org/mem/b_1969307
http://www.IdealCampus.org/mem/d_2122123
http://www.CollegeBody.org/mem/a_1724126<http://www.collegebody.org/mem/a_1724126>
http://www.PollBoard.org/mem/a_757732<http://www.pollboard.org/mem/a_757732>
http://www.CampusInput.org/mem/e_41883<http://www.campusinput.org/mem/e_41883>
http://www.SocialCampus.org/mem/f_1214130
http://www.CollegeInput.org/mem/b_1214130


==========================================================================

This year, the PollBoard.org project is working on establishing new
social and academic web systems for students and faculty on campus.  The
goal is to make academic life easier and give students better access to
more resources.  We have put together a few questions regarding features
you may like to see implemented.  Please take the time to visit the
brief survey page on the website below to give us your feedback.  Thank
you for your help!

http://www.PollBoard.org/mem/a_757732

A few times a year, brief survey requests are sent to students and
faculty.  If you do not wish to help us in the future, please let us
know:

http://www.PollBoard.org/web.php
===========================================================================

As we move forward with more useful online systems for both students and faculty, we would like to get your feedback.  
Please take a moment to fill out a brief (12 question) online survey to help us understand the demands of the campus 
better.  All responses will be carefully considered in our upcoming web software release.  Thank you for your help!

http://www.SocialCampus.org/mem/f_1214130

A few times a year, brief survey requests are sent to students and faculty.  If you do not wish to help us in the 
future, please let us know:

http://www.SocialCampus.org/web.php
===========================================================================
This semester, we have begun working on new web systems to better assist students and faculty with communication and 
academic resources.  Some of the work has already started; however, we need your input!  Please take a minute or so to 
answer a few insightful questions.  Your input will be used for our future releases.  Thanks again!

http://www.CollegeInput.org/mem/b_1214130

Once again, thank you for your help.  If you do not wish to provide feedback in the future, please tell us:

http://www.CollegeInput.org/web.php
===========================================================================



--
John Quigley

Security Infrastructure Team Lead
Information Security Office
University of Tennessee

jquigley () tennessee edu<mailto:jquigley () tennessee edu>
(865) 974-1591