Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: "Koerber, Jeff" <jkoerber () TOWSON EDU>
Date: Thu, 12 Jun 2008 11:14:38 -0400

Since our spam filters don't seem to be working for these Phishing attempts, education is the only other alternative.  I 
was thinking about sending out a phony phishing message to all students.  It would direct users to a lighthearted 
website (entitled "You shouldn't have clicked on this link") and it would educate them about Phishing and let them know 
that we would never ask for their password and how they should never give out their password to anyone.  That will 
target the people we want to receive the message.

Has anyone tried something like this?
Do you think it is a good idea?  I could see some saying that they were upset to find out that we were behind this 
stunt.

Jeff Koerber
Supervisor, Student Service Desk & Lab Support
Office of Technology Services
Towson University
Towson, MD




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, 
Christopher S.
Sent: Thursday, June 12, 2008 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

Clyde, Steve, and the group,

We are getting these as well in increasing numbers.  The last one this week raised the bar again by the fact that 
the entity initiating the attack used the exact term we use for our network identities vs. the generic "username", they 
included a school copyright message at the bottom to make it look more legit, and they used a reply to address that 
included our school name @gmail.com.

Our clients are getting used to them now, and we manually blocked outbound responses before anyone replied (this time) 
but...  with 30,000+ active accounts and the fact that it only takes 1 compromised account to make a mess, it is 
worrisome to rely on manually blocking responses once the phishing message has arrived.

Thanks,

Chris Gregg
Director of Information Security
Information Resources and Technologies
University of St. Thomas
2115 Summit Avenue
St. Paul, Minnesota 55105
csgregg () stthomas edu


Phone: 651.962.6265

-----Original Message-----
From: STEVE MAGRIBY [mailto:magriby () UT EDU]
Sent: Thursday, June 12, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

We would love to work with you in trying to determine how this can be stopped.

Our email system has been under attack for more than a month. We have had the phishing attacks and have had "at least" 
several of our accounts hijacked and used for spam.

We have spent hours on the phone with vendor support for our email, our spam filters and our virus software. All three 
vendors have told us that our systems were configured correctly (and yet our reputation also was in the toilet).

We know that if our usernames and passwords are hijacked there is not much that can be done. However, we are still 
looking at how we could take a more "proactive" approach to preventing this instead of being forced to react 
continuously to a new wave of attacks.

Please let us know if you come up with any solutions.

Thanks.

Steve Magriby
Director of Instructional Technology
The University of Tampa
Tampa, FL  33606
smagriby () ut edu

-----Original Message-----
From: WILLIAM I ARNOLD
Sent: Wednesday, June 11, 2008 4:16 PM
To: Stephen Magriby; CARMEN GONZALEZ
Cc: TRACEY POTTER
Subject: FW: [SECURITY] FYI: Another round of spear Phishing

FYI

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clyde 
Hoadley
Sent: Wednesday, June 11, 2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FYI: Another round of spear Phishing

We have been targeted by three separate spear phishing attacks in the past six weeks.  In spite of our efforts to 
filter incoming email, and to warn our campus community about these messages and not to respond to them, we have had at 
least 2 accounts (that we know about) hijacked and used to send spam.  Right now our reputation scores are in the 
toilet.

Two of the Phish were the familiar:

      Dear customer,

      We write to notify you that we will be carring out some temporary
      maintenance on our service due to congestion in all customers email
      account. Please be informed that customers will be restricted from
      accessing their e-mail account in fews days time. This is to guide
      against SPAM and will also enable us to update all e-mail account for
      a better services. In regards,you are required to send your account
      information to our MAIL CONTROL UNIT for the immediate maintenance and update.

      User id:........................
      Password:.......................
      Date of Birth:..................
      Country:........................

      ALL ACCOUNT INFORMATION SHOULD BE SENT TO:
account-update08 () live com


We've done all we know how to do to warn people about these (and to filter them out) but it only takes one person to 
take the bait to give us a black eye - Two did take the bait so we've got two black eyes!

The third one, which came in this morning, was an IRS phish, targeted by name, institution and phone number.

      Bxxxx Hxxxxxxx
      Metropolitan State College of Denver
      (303) 35x-4xxx
                                     -NOTICE OF DEFICIENCY-

      Dear Bxxxx Hxxxxxxx,

           We have determined that you owe additional tax and other amounts, or both,
      for the tax year(s) identified above.  This letter is your NOTICE OF DEFICIENCY,
      as required by law.  The enclosed statement shows how we figured the deficiency.


It included a link (only partial link is shown) "www DOT revenue-system DOT com"

Clearly I and my team haven't been effective.  I need fresh input.  I would be interested in hearing your strategies to 
Prevent, Detect and Respond to these Phishing attacks - in particular the attacks aimed at hijacking Web Mail accounts.

---
Clyde Hoadley
Director of Information Security
Metropolitan State College of Denver
Campus Box 96, P.O. Box 173362, Denver Co 80217-3362
303-556-5074 | CELL 720-232-4737
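
The manual step described in the thread above (blocking outbound responses to the phish's reply-to address) can be backed by a mail-log check that shows which accounts replied anyway and whether the reply was delivered. This is an added example, not part of the original thread; the Postfix-style log lines, the `dropbox.example` address and the function names are constructed assumptions.

```python
import re

# Placeholder drop-box address; in practice, the reply-to addresses from reported phish.
DROPBOXES = {"account-update@dropbox.example"}

# Constructed Postfix-style log lines for illustration (not from the thread).
SAMPLE_LOG = """\
Jun 12 09:14:02 mx1 postfix/qmgr[2211]: 4A1B2C3D4E: from=<jdoe@campus.example>, size=1423, nrcpt=1 (queue active)
Jun 12 09:14:03 mx1 postfix/smtp[2290]: 4A1B2C3D4E: to=<Account-Update@dropbox.example>, relay=mx.dropbox.example[192.0.2.10]:25, delay=1.2, status=sent (250 OK)
Jun 12 09:20:11 mx1 postfix/qmgr[2211]: 5B2C3D4E5F: from=<asmith@campus.example>, size=900, nrcpt=1 (queue active)
Jun 12 09:20:12 mx1 postfix/smtp[2291]: 5B2C3D4E5F: to=<friend@elsewhere.example>, relay=mx.elsewhere.example[192.0.2.20]:25, delay=0.8, status=sent (250 OK)
Jun 12 10:02:40 mx1 postfix/qmgr[2211]: 6C3D4E5F60: from=<mlee@campus.example>, size=1101, nrcpt=1 (queue active)
Jun 12 10:02:40 mx1 postfix/smtp[2292]: 6C3D4E5F60: to=<account-update@dropbox.example>, relay=none, delay=0.1, status=bounced (outbound policy: recipient blocked)
"""

LINE_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
FROM_RE = re.compile(r"from=<([^>]*)>")
TO_RE = re.compile(r"to=<([^>]*)>.*\bstatus=(\w+)")


def find_replies(log_text, dropboxes=DROPBOXES):
    """Return (sender, recipient, queue_id, status) for mail addressed to a drop box."""
    wanted = {a.lower() for a in dropboxes}
    senders, attempts = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        if (f := FROM_RE.match(rest)):
            senders[qid] = f.group(1).lower()  # envelope sender for this queue id
        elif (t := TO_RE.match(rest)) and t.group(1).lower() in wanted:
            attempts[(qid, t.group(1).lower())] = t.group(2)  # last status wins
    return sorted(
        (senders.get(qid, "unknown"), rcpt, qid, status)
        for (qid, rcpt), status in attempts.items()
    )


def accounts_to_reset(hits):
    """Senders whose reply was actually delivered; treat that password as exposed."""
    return sorted({s for s, _, _, status in hits if status == "sent"})


if __name__ == "__main__":
    hits = find_replies(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("reset:", accounts_to_reset(hits))
```

A reply that bounced on the outbound block still identifies a user who was willing to respond, which is the audience for follow-up education.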
