Educause Security Discussion mailing list archives

FYI: Another round of spear Phishing


From: Clyde Hoadley <hoadleyc () MSCD EDU>
Date: Wed, 11 Jun 2008 14:06:16 -0600

We have been targeted by three separate spear phishing attacks in the past
six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

     Dear customer,

     We write to notify you that we will be carring out some temporary
     maintenance on our service due to congestion in all customers email
     account. Please be informed that customers will be restricted from
     accessing their e-mail account in fews days time. This is to guide
     against SPAM and will also enable us to update all e-mail account for
     a better services. In regards,you are required to send your account
     information to our MAIL CONTROL UNIT for the immediate maintenance and update.

     User id:........................
     Password:.......................
     Date of Birth:..................
     Country:........................

     ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com


We've done all we know how to do to warn people about these (and to filter
them out) but it only takes one person to take the bait to give us a
black eye - Two did take the bait so we've got two black eyes!

The third one, which came in this morning, was an IRS phish, targeted by name,
institution and phone number.

     Bxxxx Hxxxxxxx
     Metropolitan State College of Denver
     (303) 35x-4xxx
                                    -NOTICE OF DEFICIENCY-

     Dear Bxxxx Hxxxxxxx,

          We have determined that you owe additional tax and other amounts, or both,
     for the tax year(s) identified above.  This letter is your NOTICE OF DEFICIENCY,
     as required by law.  The enclosed statement shows how we figured the deficiency.


It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective.  I need fresh input.  I would be
interested in hearing your strategies to Prevent, Detect and Respond to these
Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
