Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Thu, 12 Jun 2008 07:36:16 -0700

 FWIW, I don't recommend it. Several years ago I was a systems
administrator for a pharmaceutical company, and my boss was unhappy
about the same spam showing up time and again. So, we put in a few real
simple rules. About 9 months later, naturally, the rules had long since
stopped being effective due to various and sundry new spam. Meanwhile, a
Director was having e-mail troubles, and strange ones at that. She
received emails without a problem, but for some reason, very select
e-mails would never show up.

 You can guess where the story ends. When she finally figured out that
it must be an e-mail problem and contacted us, we dug around in the mail
logs, and found that these mails had been rejected by one of our old
filters! Suffice it to say, most people do not have a high tolerance for
false negatives, considering that they are often found as a result of
missing important e-mail. :) 

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Wednesday, June 11, 2008 3:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

Well, I was considering "Password:..." with the semicolon and a few
periods.  Most of the phishing attempts seem to have this pattern.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu

<https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/>
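As an added example (not code from this thread or from any product the posters mention), here is one way Matt's "Password:..." rule could be expressed as a scored content filter that also covers the two concerns raised elsewhere in the thread: Paul's point that a bare "Password" match holds legitimate reset notices, and Brian's point that a silently rejected message is only ever discovered when someone notices it missing. The rule therefore quarantines and logs rather than rejects, and it combines several indicators (a fill-in "Password:" field, several credential fields together, an instruction to send account details). The sample messages are constructed; the phish body is abridged from the excerpt Clyde quoted, and the reset notice and campus warning are invented.

```python
"""Scored content-filter rule for the "Password:..." phish pattern.

Added example, not from the thread or any named product. The sample
messages at the bottom are constructed for this illustration.
"""
import re
from dataclasses import dataclass, field

# A credential field the victim is meant to fill in: a label such as
# "Password:" or "User id:" followed by a run of dots or underscores.
# The "Password:..." case is the pattern proposed in the thread.
FORM_FIELD_RE = re.compile(
    r"^[ \t]*(user\s*id|username|password|date\s+of\s+birth|country)"
    r"[ \t]*:[ \t]*[._]{3,}[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# The other half of the phish: an instruction to send or reply with
# account details. A genuine reset notice links to a site instead.
SEND_INFO_RE = re.compile(
    r"\b(send|reply\s+with|provide)\s+your\s+(account|login|password)\b",
    re.IGNORECASE,
)

QUARANTINE_THRESHOLD = 3  # assumed tuning value, not from the thread


@dataclass
class Verdict:
    action: str                  # "deliver" or "quarantine"
    score: int
    reasons: list = field(default_factory=list)


def naive_block(body: str) -> bool:
    """The blunt rule the thread warns about: any mention of "password"."""
    return "password" in body.lower()


def score_message(body: str) -> Verdict:
    """Score one message body on the combined phish indicators."""
    reasons = []
    score = 0
    fields = {m.group(1).lower() for m in FORM_FIELD_RE.finditer(body)}
    if "password" in fields:
        score += 2
        reasons.append("fill-in 'Password:' field")
    if len(fields) >= 2:
        score += 1
        reasons.append(f"{len(fields)} credential fields to fill in")
    if SEND_INFO_RE.search(body):
        score += 2
        reasons.append("asks the reader to send account information")
    action = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return Verdict(action, score, reasons)


def filter_messages(messages: dict) -> dict:
    """Apply the rule to each message: never drop silently, always log."""
    results = {}
    for msg_id, body in messages.items():
        v = score_message(body)
        results[msg_id] = v
        # This log line is what lets the help desk find a wrongly held
        # message when a user reports that certain e-mails never arrive.
        print(f"filter: id={msg_id} action={v.action} score={v.score} "
              f"reasons={'; '.join(v.reasons) or 'none'}")
    return results


# Constructed samples. PHISH is abridged from the excerpt in the thread;
# RESET_NOTICE and CAMPUS_WARNING are invented legitimate messages.
PHISH = """Dear customer,
In regards,you are required to send your account information to our
MAIL CONTROL UNIT for the immediate maintenance and update.

User id:........................
Password:.......................
Date of Birth:..................
Country:........................
"""

RESET_NOTICE = """We received a request to reset the password for your
account. To continue, open the reset link in your browser. If you did not
make this request, ignore this message.
"""

CAMPUS_WARNING = """Reminder from IT Security: never send your account
details by e-mail. Fraudulent messages ask you to fill in lines such as
Password:.......................
The help desk will never ask for your password.
"""

SAMPLES = {"phish": PHISH, "reset": RESET_NOTICE, "warning": CAMPUS_WARNING}

if __name__ == "__main__":
    filter_messages(SAMPLES)
```

Run as-is, the phish is quarantined, the reset notice is delivered (the naive rule would have blocked it), and the campus warning that quotes the phish is also quarantined: that last case is the false positive the scored rule still produces, and the log line is what makes it recoverable rather than a silent loss.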

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of
Paul Kendall
Sent: Wed 6/11/2008 6:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing


The one problem I see with programming your spam filter to block
"Password" is that anyone who needs to reset a password for an online
service they use would probably never receive the emails from the
provider.

plk

========================================
Paul L. Kendall, CHS-III, CISM, CISSP
PCI Qualified Security Assessor
Senior Security Consultant
Accudata Systems, Inc.
15305 Dallas Parkway, Suite 300
Dallas, TX 75001
(817) 496-6450 Fort Worth Office
(877) 832-6013 Fort Worth FAX
(800) 246-4908 Corporate Office
(281) 897-5001 Corporate FAX
(713) 446-5259 Cell
http://www.accudatasystems.com

"What we do in Life echoes in Eternity..."


________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jenkins, Matthew
Sent: Wednesday, June 11, 2008 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing


I saw the one about the revenue-system on DShield.  We don't have an
easy way to block hostnames since we don't have a proxy, so I put a
bogus entry in our internal DNS for it to prevent our users from being
exploited.

I am considering programming our spam filters to search for
"Password:..." and other similar phrases to stop these phishing
attempts.  Has anyone else taken such drastic actions?

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
Visit us online at www.fairmontstate.edu

<https://fsmail.fairmontstate.edu/exchweb/bin/redir.asp?URL=http://www.fairmontstate.edu/>

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of
Clyde Hoadley
Sent: Wed 6/11/2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing



We have been targeted by three separate spear phishing attacks in the
past six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

      Dear customer,

      We write to notify you that we will be carring out some temporary
      maintenance on our service due to congestion in all customers email
      account. Please be informed that customers will be restricted from
      accessing their e-mail account in fews days time. This is to guide
      against SPAM and will also enable us to update all e-mail account for
      a better services. In regards,you are required to send your account
      information to our MAIL CONTROL UNIT for the immediate
      maintenance and update.

      User id:........................
      Password:.......................
      Date of Birth:..................
      Country:........................

      ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com


We've done all we know how to do to warn people about these (and to
filter them out) but it only takes one person to take the bait to give us
a black eye - Two did take the bait so we've got two black eyes!

The third one, came in this morning, was an IRS phish, targeted by name,
institution and phone number.

      Bxxxx Hxxxxxxx
      Metropolitan State College of Denver
      (303) 35x-4xxx
                                     -NOTICE OF DEFICIENCY-

      Dear Bxxxx Hxxxxxxx,

           We have determined that you owe additional tax and other
      amounts, or both, for the tax year(s) identified above.  This letter
      is your NOTICE OF DEFICIENCY, as required by law.  The enclosed
      statement shows how we figured the deficiency.


It included a link (only partial link is shown) "www DOT revenue-system
DOT com"

Clearly I and my team haven't been effective.  I need fresh input.  I
would be interested in hearing your strategies to Prevent, Detect and
Respond to these Phishing attacks - in particular the attacks aimed at
hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
