Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Fri, 27 Jun 2008 10:02:45 -0500

Clyde Hoadley wrote:
We have been targeted by three separate spear phishing attacks in the past
six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

See this list for discussion and more reports of attacks:
http://catalist.lsoft.com/scripts/wl.exe?SL1=HIED-EMAILADMIN&H=LISTSERV.ND.EDU

We are tracking the reply-to addresses here:
http://code.google.com/p/anti-phishing-email-reply/

The list is useful for detecting users that reply to the phishing.  You
could also potentially use the list for scanning for incoming attacks,
at your own risk.  Please report the reply addresses to the
hied-emailadmin list until we find a better way to collect them.

Yahoo has been very good at shutting down the accounts in response to
complaints.  Microsoft and Google are essentially ignoring the complaints.

Zack's jest of outsourcing email as a solution to the problem should not
be taken seriously.  Consider what other systems use the same login
credentials.  Sticking your head in the sand and hoping that your
outsourcing vendor will be more effective than you at stopping the
attacks/replies is reckless.

Other techniques that have been useful for us, in addition to what was
already said:
- look for blocked/deferred messages in your outbound mail queues
- look in your users' webmail signatures for suspicious content
- make your anti-spam vendor aware of the incoming attacks and help them
improve detection

Jesse
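
Added example, not part of the original message or of the anti-phishing-email-reply project: one way to use a reply-address list to find local users who answered a phish, by joining sender and recipient on the queue ID in outbound mail logs. It assumes Postfix-style log lines and a one-address-per-line list format; the addresses, hosts and log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample list. Format is an assumption: one address per line,
# '#' starts a comment. Adapt the loader to the real list's layout.
REPLY_LIST = """\
# constructed sample entries
webmail.helpdesk@example.net
Account-Upgrade@example.org
"""

# Constructed Postfix-style outbound log lines (assumed MTA).
MAIL_LOG = """\
Jun 27 09:58:01 mx1 postfix/qmgr[811]: 4F2A1C0D: from=<alice@campus.example>, size=2101, nrcpt=1 (queue active)
Jun 27 09:58:02 mx1 postfix/smtp[902]: 4F2A1C0D: to=<webmail.helpdesk@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, status=sent (250 ok)
Jun 27 09:59:10 mx1 postfix/qmgr[811]: 7B3E55A1: from=<bob@campus.example>, size=880, nrcpt=1 (queue active)
Jun 27 09:59:11 mx1 postfix/smtp[903]: 7B3E55A1: to=<friend@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.9, status=sent (250 ok)
Jun 27 10:01:30 mx1 postfix/qmgr[811]: 9C44D2F0: from=<carol@campus.example>, size=1540, nrcpt=1 (queue active)
Jun 27 10:01:45 mx1 postfix/smtp[904]: 9C44D2F0: to=<Account-Upgrade@example.org>, relay=none, delay=15, status=deferred (connect timed out)
"""

FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>.*?status=(\w+)")

def load_reply_addresses(text):
    """Return the listed addresses, lowercased, ignoring comments and blanks."""
    stripped = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {addr for addr in stripped if addr}

def find_repliers(log_text, reply_addrs):
    """Map each local sender to the (listed address, delivery status) pairs they mailed."""
    sender_by_qid = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        # A deferred or bounced delivery still shows the user tried to reply.
        if m and m.group(2).lower() in reply_addrs:
            sender = sender_by_qid.get(m.group(1), "<unknown>")
            hits[sender].append((m.group(2).lower(), m.group(3)))
    return dict(hits)

if __name__ == "__main__":
    for sender, sent in find_repliers(MAIL_LOG, load_reply_addresses(REPLY_LIST)).items():
        print(sender, sent)
```

Each sender reported is a candidate for a password reset and a review of recent outbound mail from that account.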
