Educause Security Discussion mailing list archives

Re: FYI: Another round of spear Phishing


From: STEVE MAGRIBY <magriby () UT EDU>
Date: Tue, 1 Jul 2008 12:33:27 -0400

We are still experiencing problems with usernames that have been
compromised.

Although there is not much that can be done when users send their
username and password to a spammer, I am trying to find out if
universities are still allowing users to POP mail and, if so, is it
secure POP??

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jesse Thompson
Sent: Friday, June 27, 2008 11:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FYI: Another round of spear Phishing

Clyde Hoadley wrote:
We have been targeted by three separate spear phishing attacks in the
past six weeks.  In spite of our efforts to filter incoming email, and to
warn our campus community about these messages and not to respond to
them, we have had at least 2 accounts (that we know about) hijacked and
used to send spam.  Right now our reputation scores are in the toilet.

See this list for discussion and more reports of attacks:
http://catalist.lsoft.com/scripts/wl.exe?SL1=HIED-EMAILADMIN&H=LISTSERV.ND.EDU

We are tracking the reply-to addresses here:
http://code.google.com/p/anti-phishing-email-reply/

The list is useful for detecting users that reply to the phishing.  You
could also potentially use the list for scanning for incoming attacks,
at your own risk.  Please report the reply addresses to the
hied-emailadmin list until we find a better way to collect them.

Yahoo has been very good at shutting down the accounts in response to
complaints.  Microsoft and Google are essentially ignoring the
complaints.

Zack's jest of outsourcing email as a solution to the problem should not
be taken seriously.  Consider what other systems use the same login
credentials.  Sticking your head in the sand and hoping that your
outsourcing vendor will be more effective than you at stopping the
attacks/replies is reckless.

Other techniques that have been useful for us, in addition to what was
already said:
- look for blocked/deferred messages in your outbound mail queues
- look in your users' webmail signatures for suspicious content
- make your anti-spam vendor aware of the incoming attacks and help them
improve detection

Jesse
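
Added example (not part of the original message or of the anti-phishing-email-reply project): one way to use a reply-address list to detect users who replied to a phish, by correlating outbound mail log entries on queue ID. The list layout (address in the first comma-separated field, '#' comments), the Postfix-style log lines and all addresses are constructed assumptions.

```python
import re

# Constructed sample of a reply-address list. Assumed layout: one entry per
# line, address in the first comma-separated field, '#' starts a comment.
SAMPLE_LIST = """\
# address,type,date  (constructed entries)
webmail.upgrade@example.net,A,20080620
Helpdesk.Team@example.org,A,20080625
"""

# Constructed outbound log lines modelled on Postfix syslog output.
SAMPLE_LOG = """\
Jun 27 10:58:02 mx1 postfix/qmgr[811]: 4F2A1C0: from=<jdoe@campus.example.edu>, size=1822, nrcpt=1 (queue active)
Jun 27 10:58:03 mx1 postfix/smtp[902]: 4F2A1C0: to=<helpdesk.team@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, status=sent (250 OK)
Jun 27 11:01:40 mx1 postfix/qmgr[811]: 4F2A1D7: from=<asmith@campus.example.edu>, size=990, nrcpt=1 (queue active)
Jun 27 11:01:41 mx1 postfix/smtp[902]: 4F2A1D7: to=<friend@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=0.4, status=sent (250 OK)
"""

FROM_RE = re.compile(r"\]: ([0-9A-F]+): from=<([^>]*)>")
TO_RE = re.compile(r"\]: ([0-9A-F]+): to=<([^>]*)>.*\bstatus=(\w+)")

def load_reply_addresses(text):
    """Return the lower-cased addresses from the list, skipping comments."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addrs.add(line.split(",", 1)[0].strip().lower())
    return addrs

def find_repliers(log_text, reply_addrs):
    """Return (sender, recipient, status) for mail sent to a listed address."""
    senders, hits = {}, []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:  # remember which local sender owns this queue ID
            senders[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        if m and m.group(2).lower() in reply_addrs:
            sender = senders.get(m.group(1), "unknown")
            hits.append((sender, m.group(2).lower(), m.group(3)))
    return hits

if __name__ == "__main__":
    listed = load_reply_addresses(SAMPLE_LIST)
    for sender, rcpt, status in find_repliers(SAMPLE_LOG, listed):
        print(f"{sender} replied to listed address {rcpt} ({status})")
```

A hit is reported whatever the delivery status, since a deferred or bounced reply still shows that the user responded and the account should be treated as exposed.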
