Educause Security Discussion mailing list archives
Re: FYI: Another round of spear Phishing
From: "Gregg, Christopher S." <csgregg () STTHOMAS EDU>
Date: Thu, 12 Jun 2008 09:52:58 -0500
Clyde, Steve, and the group,

We are getting these as well, in increasing numbers. The last one this week raised the bar again by the fact that the entity initiating the attack used the exact term we use for our network identities vs. the generic "username", they included a school copyright message at the bottom to make it look more legit, and they used a reply-to address that included our school name @gmail.com. Our clients are getting used to them now, and we manually blocked outbound responses before anyone replied (this time) but... with 30,000+ active accounts and the fact that it only takes 1 compromised account to make a mess, it is worrisome to rely on manually blocking responses once the phishing message has arrived.

Thanks,

Chris Gregg
Director of Information Security
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu
Phone: 651.962.6265

-----Original Message-----
From: STEVE MAGRIBY [mailto:magriby () UT EDU]
Sent: Thursday, June 12, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

We would love to work with you in trying to determine how this can be stopped. Our email system has been under attack for more than a month. We have had the phishing attacks and have had "at least" several of our accounts hijacked and used for spam. We have spent hours on the phone with vendor support for our email, our spam filters and our virus software. All three vendors have told us that our systems were configured correctly (and yet our reputation also was in the toilet).

We know that if our usernames and passwords are hijacked there is not much that can be done. However, we are still looking at how we could take a more "proactive" approach to preventing this instead of being forced to react continuously to a new wave of attacks. Please let us know if you come up with any solutions.

Thanks.
Steve Magriby
Director of Instructional Technology
The University of Tampa
Tampa, FL 33606
smagriby () ut edu

-----Original Message-----
From: WILLIAM I ARNOLD
Sent: Wednesday, June 11, 2008 4:16 PM
To: Stephen Magriby; CARMEN GONZALEZ
Cc: TRACEY POTTER
Subject: FW: [SECURITY] FYI: Another round of spear Phishing

FYI

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clyde Hoadley
Sent: Wednesday, June 11, 2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing

We have been targeted by three separate spear phishing attacks in the past six weeks. In spite of our efforts to filter incoming email, and to warn our campus community about these messages and not to respond to them, we have had at least 2 accounts (that we know about) hijacked and used to send spam. Right now our reputation scores are in the toilet.

Two of the Phish were the familiar:

Dear customer,

We write to notify you that we will be carring out some temporary maintenance on our service due to congestion in all customers email account. Please be informed that customers will be restricted from accessing their e-mail account in fews days time. This is to guide against SPAM and will also enable us to update all e-mail account for a better services. In regards,you are required to send your account information to our MAIL CONTROL UNIT for the immediate maintenance and update.

User id:........................
Password:.......................
Date of Birth:..................
Country:........................

ALL ACCOUNT INFORMATION SHOULD BE SENT TO: account-update08 () live com

We've done all we know how to do to warn people about these (and to filter them out) but it only takes one person to take the bait to give us a black eye - Two did take the bait so we've got two black eyes!
The third one, which came in this morning, was an IRS phish, targeted by name, institution and phone number.

Bxxxx Hxxxxxxx
Metropolitan State College of Denver
(303) 35x-4xxx

-NOTICE OF DEFICIENCY-

Dear Bxxxx Hxxxxxxx,

We have determined that you owe additional tax and other amounts, or both, for the tax year(s) identified above. This letter is your NOTICE OF DEFICIENCY, as required by law. The enclosed statement shows how we figured the deficiency.

It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective. I need fresh input. I would be interested in hearing your strategies to Prevent, Detect and Respond to these Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737