Educause Security Discussion mailing list archives
Re: phishing attack using copied University website
From: Jonathan Byrne <jbyrne () IRONPORT COM>
Date: Mon, 13 Jul 2009 17:26:20 -0700
On 7/13/09 4:03 PM, "TIMOTHY S GURGANUS" <tsgurgan () NCSU EDU> wrote:
> NCSU email users were the target of a phishing attack last Thursday night. This attack was different from others we have been receiving and I hope it is not a harbinger of things to come. I have read of this happening to other schools, but I'm wondering how common this attack is versus the usual phishing that uses only email.
Interesting. I own the anti-phishing ruleset at IronPort; this is the first instance I've seen of a decent website copy being used in a credential phishing attack. Heretofore, it's been mostly email response, and from time to time a fairly generic webform. Sometimes the form is sent as an attachment with JavaScript to hand the info off to a server.

In the world of financial phishing, the copied website approach is standard, of course, and some of the fake sites are very, very good.

We have a lot of evidence that the credential phishing attacks are mostly being driven by 419 scammers, and my working theory for why they usually ask for an email response is because running scams from free webmail accounts is what 419ers know. Most of them seem to have little knowledge of technology, being mostly old-style con men (and women) operating in a new medium.

Financial phishing, on the other hand, is mostly carried out by Russians and other eastern Europeans, and they bring a lot more technical skill to the table. It may be the case that they are starting to cross over to credential phishing.

Cheers,

Jonathan

--
Jonathan Byrne
Software Engineer
Cisco IronPort Systems, LLC