Educause Security Discussion mailing list archives
Re: FYI: Another round of spear Phishing
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Wed, 11 Jun 2008 17:20:39 -0500
The one problem I see with programming your spam filter to block "Password" is that anyone who needs to reset a password for an online service they use would probably never receive the emails from the provider.

plk

========================================
Paul L. Kendall, CHS-III, CISM, CISSP
PCI Qualified Security Assessor
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com
"What we do in Life echoes in Eternity..."

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Wednesday, June 11, 2008 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

I saw the one about the revenue-system on DShield. We don't have an easy way to block hostnames since we don't have a proxy, so I put a bogus entry in our internal DNS for it to prevent our users from being exploited.

I am considering programming our spam filters to search for "Password:..." and other similar phrases to stop these phishing attempts. Has anyone else taken such drastic actions?

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Clyde Hoadley
Sent: Wed 6/11/2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing

We have been targeted by three separate spear phishing attacks in the past six weeks. In spite of our efforts to filter incoming email, and to warn our campus community about these messages and not to respond to them, we have had at least 2 accounts (that we know about) hijacked and used to send spam. Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

    Dear customer,

    We write to notify you that we will be carring out some temporary maintenance on our service due to congestion in all customers email account. Please be informed that customers will be restricted from accessing their e-mail account in fews days time. This is to guide against SPAM and will also enable us to update all e-mail account for a better services. In regards,you are required to send your account information to our MAIL CONTROL UNIT for the immediate maintenance and update.

    User id:........................
    Password:.......................
    Date of Birth:..................
    Country:........................

    ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com

We've done all we know how to do to warn people about these (and to filter them out) but it only takes one person to take the bait to give us a black eye - Two did take the bait so we've got two black eyes!

The third one, came in this morning, was an IRS phish, targeted by name, institution and phone number.

    Bxxxx Hxxxxxxx
    Metropolitan State College of Denver
    (303) 35x-4xxx

    -NOTICE OF DEFICIENCY-

    Dear Bxxxx Hxxxxxxx,

    We have determined that you owe additional tax and other amounts, or both, for the tax year(s) identified above. This letter is your NOTICE OF DEFICIENCY, as required by law. The enclosed statement shows how we figured the deficiency.

It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective. I need fresh input. I would be interested in hearing your strategies to Prevent, Detect and Respond to these Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
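
Added example (not part of any post in this thread): a content rule that keys on the blank fill-in form fields of the quoted phish rather than on the bare word "Password", so that a provider's password-reset notice is not caught. Both sample messages are constructed, the first from the phish quoted above; the function names, label lists and the example.edu URL are assumptions made for illustration.

```python
import re

# A label, a colon, then only filler (dots/underscores) up to end of line:
# the "fill in the blank" layout of the phish quoted in this thread.
BLANK_FIELD = re.compile(
    r"^[ \t]*(?P<label>[A-Za-z][A-Za-z /-]{1,30}?)[ \t]*:[ \t]*[._ \t]*$",
    re.MULTILINE)
# Assumed label vocabularies; tune to what your own mail stream shows.
CREDENTIAL_LABEL = re.compile(r"pass(word|code|phrase)|\bpin\b", re.I)
IDENTITY_LABEL = re.compile(
    r"user\s*(id|name)|login|account|e-?mail|date of birth", re.I)

def naive_block(body):
    """The rule objected to in the thread: block anything saying 'password'."""
    return "password" in body.lower()

def blank_fields(body):
    """Labels of form fields left empty for the recipient to fill in."""
    return [m.group("label").strip() for m in BLANK_FIELD.finditer(body)]

def solicits_credentials(body):
    """True when the mail asks the reader to fill in a secret and an identity."""
    labels = blank_fields(body)
    has_secret = any(CREDENTIAL_LABEL.search(l) for l in labels)
    has_identity = any(IDENTITY_LABEL.search(l) for l in labels)
    return has_secret and has_identity

# Constructed sample, abridged from the phish quoted in the thread.
PHISH = """Dear customer,
you are required to send your account information to our MAIL CONTROL UNIT.
User id:........................
Password:.......................
Date of Birth:..................
Country:........................
"""

# Constructed sample of a legitimate reset notice (hypothetical provider).
RESET = """Hello,
We received a request to reset the password for your account.
Username: jdoe
Reset your password: https://example.edu/reset?token=PLACEHOLDER
If you did not request this, ignore this message.
"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("reset", RESET)):
        print(name, naive_block(body), solicits_credentials(body))
```

The keyword rule flags both messages; the form-field rule flags only the one that asks the reader to type credentials into the reply.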