Educause Security Discussion mailing list archives
Re: Are you getting lots of phishing spam with links to hosts at webs[.]com?
From: Bob Bayn <bob.bayn () USU EDU>
Date: Fri, 24 May 2013 20:12:55 +0000
support () jimdo com is fairly responsive. My collection of all email received here during the month of May includes 70 different phish message episodes with links to jimdo and 3 individual messages with "benign" links to jimdo - all in mailing list messages.

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University
three common hazardous email scams to watch out for:
1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Thorpe, Glenn [Glenn.Thorpe () UNTSYSTEM EDU]
Sent: Friday, May 24, 2013 1:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Are you getting lots of phishing spam with links to hosts at webs[.]com?

Ditto here (the entire story). We were hit pretty consistently with sites from this domain during March/April. We finally started having to block those emails at our gateway unfortunately; now they are moving towards jimdo.

Glenn Thorpe III
Asst. Director, Information Security
University of North Texas System
T: 940.369.8884
E: glenn.thorpe () untsystem edu

From: Bob Bayn <bob.bayn () USU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, May 24, 2013 10:44 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Are you getting lots of phishing spam with links to hosts at webs[.]com?

I get phish messages reported by my users. There are generally several different ones a day that have links to a password collection web form at a host at webs[.]com. I submit a complaint about the URL to the webs[.]com report page and they generally remove the page within a day. But phishers probably get most of their passwords within the first day anyhow.

Six months ago, we were being phished with google spreadsheet form pages, but since the Oxford fiasco, Google has placed "do not enter your password on Google Forms" right above the submit button. We hardly see Google forms linked in phish messages anymore.

Like Google, the Webs service is used for many non-hazardous purposes, too. A brief attempt here to blacklist all of webs[.]com resulted in some complaints from people who actually use that service to host their personal/professional home page. And I've seen other benign links to webs[.]com in newsletters and list messages. Back on the bad side, I see lots of webs[.]com links in spammy posts to webpage comment boxes.

Is anyone else interested in applying some group pressure to webs[.]com to make them more responsive and proactive about phishing abuses of their service? Then the phishers would probably move to jimdo, coffeecup, atwebpages, mooform, survsoft or formbuddy. BTW, ajayr@formbuddy[.]com is VERY responsive when a phish collection page is reported there. He never sleeps. ;-)

By the way, do you all have an abuse () yourhost edu address? I try to report to the host site about the compromised accounts that are used to send us phish messages.

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University
three common hazardous email scams to watch out for:
1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password
Current thread:
- Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Mark Rogowski (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? David Curry (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Thorpe, Glenn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Will Froning (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Mark Rogowski (May 24)