Re: .edu email phishing

[Theresa Semmens <theresa.semmens () NDSU EDU>]

I believe Yahoo has set up some sort of filter against the nodak domain as
well.  I've had reports of users not receiving .edu email to their yahoo
accounts.

Theresa Semmens, CISA
NDSU IT Security Officer
PO Box 5164
North Dakota State University
Fargo, ND
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and
looks like work."  Thomas Edison

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dick Jacobson
Sent: Wednesday, April 02, 2008 7:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] .edu email phishing

On Tue, 1 Apr 2008, Jimmy Kuo wrote:

We are seeing several of these in North Dakota.  It has been going on
since mid-February and a few people have bitten on this.  (There may also
be some simple passwords and cracking going on.)

If the gentleman from Verizon has any thoughts about how to coordinate
some of this, I would be interested .. since Verizon is one of the ISPs
blocking some of our domains. ;-)

> Are you (general/educause) pretty well set up with takedown requests for
> these email accounts at the various ISPs?  If not, I encourage you as a
group
> to set something up.
>
> (I can only offer a little bit of help as my specialty is in another area
of
> security (antimalware).  I only have a few contacts.)
>
> Jimmy
> jkuo () microsoft com
>
> ----- Original Message ----- From: "Winders, Timothy A"
> <twinders () southplainscollege edu>
> To: "Jimmy Kuo" <cjkuo () verizon net>; <security () listserv educause edu>
> Sent: Tuesday, April 01, 2008 11:57 AM
> Subject: RE: [SECURITY] .edu email phishing
>
>
> I had one user yesterday report receiving a message similar to this, but I

> have personally not seen it.
>
> Searching through our barracuda, I don't have anything from ask.helpdesk,
> nothing with the subject ending with "email account now."
>
> Ha!  Just found one with "UPDATE YOUR EMAIL ACCOUNT" in the subject from
> "educationalwebmaster75 () yahoo com" routed through uoregon.edu,
> 128.223.142.41.
>
> Anyone from uoregon on this list?
>
> Tim Winders | Associate Dean of Information Technology | South Plains
College
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jimmy Kuo
> > Sent: Tuesday, April 01, 2008 1:47 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] .edu email phishing
> >
> > Was this a directed (against caltech.edu) attack or was this one of a
> > family
> > sent to other .edu lists?  Has anyone seen one like this for their
> > school?
> >
> > The return address was actually set up for:
> >
> > ask.helpdesk0 () gmail com
> >
> > Jimmy
> >
> > > > ----- Original Message -----
> > > > From: "ADMIN HELPDESK" <helpdesk () caltech edu>
> > > > To: <undisclosed-recipients:>
> > > > Sent: Monday, March 31, 2008 12:39 PM
> > > > Subject: VERIFY YOUR CALTECH.EDU EMAIL ACCOUNT NOW.
> > > >
> > > >
> > > >
> > > >
> > > > Dear caltech.edu Email Account Owner,
> > > >
> > > > This message is from caltech.edu messaging center to all caltech.edu
> > > > email
> > > > account owners. We are currently upgrading our data base and e-mail
> > > > account
> > > > center. We are deleting all unused caltech.edu email accounts to
> > create
> > > > more
> > > > space for new accounts.
> > > >
> > > > To prevent your account from being closed, you will have to update
> > it
> > > > below so
> > > > that we will know that it's a present used account.
> > > >
> > > > CONFIRM YOUR EMAIL IDENTITY BELOW
> > > >
> > > > Email Username : .......... .....
> > > > EMAIL Password : ................
> > > > Date of Birth : .................
> > > > Country or Territory : ..........
> > > >
> > > > Warning!!! Account owner that refuses to update his or her account
> > > > within Seven
> > > > days of receiving this warning will lose his or her account
> > permanently.
> > > > Thank you for using caltech.edu
> > > > Warning Code:VX2G99AAJ
> > > >
> > > > caltech.edu Team
> > > >
> > > > www.caltech.edu
> > > >
> > > > Dear caltech.edu Email Account Owner,
> > > >
> > > > This message is from caltech.edu messaging center to all caltech.edu
> > > > email
> > > > account owners. We are currently upgrading our data base and e-mail
> > > > account
> > > > center. We are deleting all unused caltech.edu email accounts to
> > create
> > > > more
> > > > space for new accounts.
> > > >
> > > > To prevent your account from being closed, you will have to update
> > it
> > > > below so
> > > > that we will know that it's a present used account.
> > > >
> > > > CONFIRM YOUR EMAIL IDENTITY BELOW
> > > >
> > > > Email Username : .......... .....
> > > > EMAIL Password : ................
> > > > Date of Birth : .................
> > > > Country or Territory : ..........
> > > >
> > > > Warning!!! Account owner that refuses to update his or her account
> > > > within Seven
> > > > days of receiving this warning will lose his or her account
> > permanently.
> > > > Thank you for using caltech.edu
> > > > Warning Code:VX2G99AAJ
> > > >
> > > > caltech.edu Team
> > > >
> > > > www.caltech.edu


-----------------------------------------------------------------------
Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : IACC 206, NDSU
ND HECN MultiUser Host SysAd    phone  : 701-231-7385
-----------------------------------------------------------------------