Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: "Jenkins, Matthew" <matthew.jenkins () FAIRMONTSTATE EDU>
Date: Wed, 11 Jun 2008 18:30:16 -0400

Well, I was considering "Password:..." with the semicolon and a few periods.  Most of the phishing attempts seem to have 
this pattern.
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu 
<https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/> 
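A filter rule along the lines Matt describes, added here as an example and not code from the list discussion: rather than blocking the bare word "Password" (Paul's concern about legitimate reset notices), it matches the blank "Label:......" fill-in lines of the quoted phish and only fires when a credential label is among them. Both message bodies are constructed samples.

```python
import re

# Constructed sample bodies, not real messages. The first mimics the
# "MAIL CONTROL UNIT" phish quoted in the thread; the second is a
# legitimate password-reset notice that merely contains "password".
PHISH_BODY = """Dear customer,
In regards,you are required to send your account information
to our MAIL CONTROL UNIT for the immediate maintenance and update.

User id:........................
Password:.......................
Date of Birth:..................
Country:........................

ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update@example.invalid
"""
RESET_BODY = """Hello,
Someone requested a password reset for your account.
Password resets expire in 30 minutes. If you did not request this, ignore it.
"""

# A label, a colon, then a run of dots/ellipses/underscores: the blank
# form line the phish wants the victim to fill in and mail back.
FORM_LINE = re.compile(
    r'^\s*(?P<label>[A-Za-z][A-Za-z /]{1,30}):\s*[.\u2026_]{4,}\s*$', re.M)
CRED_LABELS = {'password', 'passwd', 'user id', 'userid', 'username'}

def form_fields(body: str) -> list[str]:
    """Return the normalised labels of every fill-in line in the body."""
    return [m.group('label').strip().lower() for m in FORM_LINE.finditer(body)]

def looks_like_credential_form(body: str, min_fields: int = 2) -> bool:
    """Flag a message only when it carries at least `min_fields` fill-in
    lines and one of them asks for a credential. A genuine reset notice
    mentions 'password' but has no such lines, so it passes."""
    fields = form_fields(body)
    return len(fields) >= min_fields and any(f in CRED_LABELS for f in fields)

if __name__ == '__main__':
    for name, body in (('phish', PHISH_BODY), ('reset', RESET_BODY)):
        print(name, form_fields(body), looks_like_credential_form(body))
```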

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Paul Kendall
Sent: Wed 6/11/2008 6:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing


The one problem I see with programming your spam filter to block "Password" is that anyone who needs to reset a 
password for an online service they use would probably never receive the emails from the provider.
 
plk
 
========================================
Paul L. Kendall, CHS-III, CISM, CISSP
PCI Qualified Security Assessor
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com
 
"What we do in Life echoes in Eternity..."
 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, 
Matthew
Sent: Wednesday, June 11, 2008 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing


I saw the one about the revenue-system on DShield.  We don't have an easy way to block hostnames since we don't have a 
proxy, so I put a bogus entry in our internal DNS for it to prevent our users from being exploited.
 
I am considering programming our spam filters to search for "Password:..." and other similar phrases to stop these 
phishing attempts.  Has anyone else taken such drastic actions?
 
Matt
 
Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu 
<https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/> 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Clyde Hoadley
Sent: Wed 6/11/2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing



We have been targeted by three separate spear phishing attacks in the past
six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

      Dear customer,

      We write to notify you that we will be carring out some temporary
      maintenance on our service due to congestion in all customers email
      account. Please be informed that customers will be restricted from
      accessing their e-mail account in fews days time. This is to guide
      against SPAM and will also enable us to update all e-mail account for
      a better services. In regards,you are required to send your account
      information to our MAIL CONTROL UNIT for the immediate maintenance and update.

      User id:........................
      Password:.......................
      Date of Birth:..................
      Country:........................

      ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com


We've done all we know how to do to warn people about these (and to filter
them out) but it only takes one person to take the bait to give us a
black eye - Two did take the bait so we've got two black eyes!

The third one, came in this morning, was an IRS phish, targeted by name,
institution and phone number.

      Bxxxx Hxxxxxxx
      Metropolitan State College of Denver
      (303) 35x-4xxx
                                     -NOTICE OF DEFICIENCY-

      Dear Bxxxx Hxxxxxxx,

           We have determined that you owe additional tax and other amounts, or both,
      for the tax year(s) identified above.  This letter is your NOTICE OF DEFICIENCY,
      as required by law.  The enclosed statement shows how we figured the deficiency.


It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective.  I need fresh input.  I would be
interested in hearing your strategies to Prevent, Detect and Respond to these
Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
