Educause Security Discussion mailing list archives

Re: .edu email phishing


From: Dick Jacobson <Dick.Jacobson () NDUS NODAK EDU>
Date: Wed, 2 Apr 2008 07:54:48 -0500

On Tue, 1 Apr 2008, Jimmy Kuo wrote:

We are seeing several of these in North Dakota.  It has been going on
since mid-February and a few people have bitten on this.  (There may also
be some simple passwords and cracking going on.)

If the gentleman from Verizon has any thoughts about how to coordinate
some of this, I would be interested .. since Verizon is one of the ISPs
blocking some of our domains. ;-)

Are you (general/educause) pretty well set up with takedown requests for
these email accounts at the various ISPs?  If not, I encourage you as a group
to set something up.

(I can only offer a little bit of help as my specialty is in another area of
security (antimalware).  I only have a few contacts.)

Jimmy
jkuo () microsoft com

----- Original Message ----- From: "Winders, Timothy A"
<twinders () southplainscollege edu>
To: "Jimmy Kuo" <cjkuo () verizon net>; <security () listserv educause edu>
Sent: Tuesday, April 01, 2008 11:57 AM
Subject: RE: [SECURITY] .edu email phishing


I had one user yesterday report receiving a message similar to this, but I
have personally not seen it.

Searching through our barracuda, I don't have anything from ask.helpdesk,
nothing with the subject ending with "email account now."

Ha!  Just found one with "UPDATE YOUR EMAIL ACCOUNT" in the subject from
"educationalwebmaster75 () yahoo com" routed through uoregon.edu,
128.223.142.41.

Anyone from uoregon on this list?

Tim Winders | Associate Dean of Information Technology | South Plains College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jimmy Kuo
Sent: Tuesday, April 01, 2008 1:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] .edu email phishing

Was this a directed (against caltech.edu) attack or was this one of a family
sent to other .edu lists?  Has anyone seen one like this for their school?

The return address was actually set up for:

ask.helpdesk0 () gmail com

Jimmy

>> ----- Original Message -----
>> From: "ADMIN HELPDESK" <helpdesk () caltech edu>
>> To: <undisclosed-recipients:>
>> Sent: Monday, March 31, 2008 12:39 PM
>> Subject: VERIFY YOUR CALTECH.EDU EMAIL ACCOUNT NOW.
>>
>>
>>
>>
>> Dear caltech.edu Email Account Owner,
>>
>> This message is from caltech.edu messaging center to all caltech.edu email
>> account owners. We are currently upgrading our data base and e-mail account
>> center. We are deleting all unused caltech.edu email accounts to create more
>> space for new accounts.
>>
>> To prevent your account from being closed, you will have to update it
>> below so that we will know that it's a present used account.
>>
>> CONFIRM YOUR EMAIL IDENTITY BELOW
>>
>> Email Username : .......... .....
>> EMAIL Password : ................
>> Date of Birth : .................
>> Country or Territory : ..........
>>
>> Warning!!! Account owner that refuses to update his or her account
>> within Seven days of receiving this warning will lose his or her account
>> permanently.
>>
>> Thank you for using caltech.edu
>> Warning Code:VX2G99AAJ
>>
>> caltech.edu Team
>>
>> www.caltech.edu




-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : IACC 206, NDSU
ND HECN MultiUser Host SysAd    phone  : 701-231-7385
-----------------------------------------------------------------------
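
The traits reported in this thread (a From address claiming the campus helpdesk, a return address at an outside webmail provider, and a body asking for the account password) can be checked mechanically at a mail gateway. The following is an added example, not code from any list participant; the function names, indicator labels and the sample message (which uses reserved example domains) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted message; addresses use reserved example domains.
SAMPLE = """\
From: "ADMIN HELPDESK" <helpdesk@example.edu>
Reply-To: ask.helpdesk0@mail.example.com
To: undisclosed-recipients:;
Subject: VERIFY YOUR EXAMPLE.EDU EMAIL ACCOUNT NOW.

Dear example.edu Email Account Owner,

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : ...............
EMAIL Password : ................
Date of Birth : .................
"""

# A line that looks like a blank form field asking for a password.
PASSWORD_FIELD = re.compile(r"^\W*(e-?mail\s+)?password\s*:", re.I | re.M)
# Subjects such as "VERIFY ... ACCOUNT NOW" or "UPDATE YOUR EMAIL ACCOUNT".
URGENT_SUBJECT = re.compile(r"\b(verify|update|confirm)\b.*\baccount\b", re.I)

def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw, local_domains):
    """Return the heuristic indicators (hypothetical labels) that match."""
    msg = message_from_string(raw)
    hits = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # From claims a local domain but replies are steered to an outside mailbox.
    if from_dom in local_domains and reply_dom and reply_dom != from_dom:
        hits.append("reply-to-outside-domain")
    if URGENT_SUBJECT.search(msg["Subject"] or ""):
        hits.append("account-verification-subject")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PASSWORD_FIELD.search(body):
        hits.append("password-requested-in-body")
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, {"example.edu"}))
```

Each indicator alone produces false positives (legitimate mail also uses an outside Reply-To), so treat a match as a reason to quarantine for review rather than to drop.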
