Educause Security Discussion mailing list archives
Re: Are you getting lots of phishing spam with links to hosts at webs[.]com?
From: Will Froning <will.froning () GMAIL COM>
Date: Sat, 25 May 2013 07:36:54 +0400
Hello Bob, I'm all in for some collective pressure. We saw jimdo and webs last week. With finals coming up (next week), we always see an increase in phishing this time of the semester. abuse () aus edu goes to me. Thanks, Will On Sat, May 25, 2013 at 12:12 AM, Bob Bayn <bob.bayn () usu edu> wrote:
support () jimdo com is fairly responsive. My collection of all email
received here during the month of May includes 70 different phish message
episodes with links to jimdo and 3 individual messages with "benign" links
to jimdo - all in mailing list messages.
Bob Bayn SER 301 (435)797-2396 IT Security Team
Office of Information Technology, Utah State University
three common hazardous email scams to watch out for:
*1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password*
------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv [
SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Thorpe, Glenn [
Glenn.Thorpe () UNTSYSTEM EDU]
*Sent:* Friday, May 24, 2013 1:44 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Are you getting lots of phishing spam with
links to hosts at webs[.]com?
Ditto here (the entire story).
We were hit pretty consistently with sites from this domain during
March/April. We finally started having to block those emails at our
gateway unfortunately; now they are moving towards jimdo.
Glenn Thorpe III
Asst. Director, Information Security
University of North Texas System
T: 940.369.8884
E: glenn.thorpe () untsystem edu
From: Bob Bayn <bob.bayn () USU EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, May 24, 2013 10:44 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Are you getting lots of phishing spam with links to
hosts at webs[.]com?
I get phish messages reported by my users. There are generally several
different ones a day that have links to a password collection web form at a
host at webs[.]com. I submit a complaint about the URL to the webs[.]com
report page and they generally remove the page within a day. But phishers
probably get most of their passwords within the first day anyhow.
Six months ago, we were being phished with google spreadsheet form pages,
but since the Oxford fiasco, Google has placed "do not enter your password
on Google Forms" right above the submit button. We hardly see Google forms
linked in phish messages anymore.
Like Google, the Webs service is used for many non-hazardous purposes,
too. A brief attempt here to blacklist all of webs[.]com resulted in some
complaints from people who actually use that service to host their
personal/professional home page. And I've seen other benign links to
webs[.]com in newsletters and list messages. Back on the bad side, I see
lots of webs[.]com links in spammy posts to webpage comment boxes.
Is anyone else interested in applying some group pressure to webs[.]com to
make them more responsive and proactive about phishing abuses of their
service? Then the phishers would probably move to jimdo, coffeecup,
atwebpages, mooform, survsoft or formbuddy. BTW, ajayr@formbuddy[.]com
is VERY responsive when a phish collection page is reported there. He
never sleeps. ;-)
By the way, do you all have an abuse () yourhost edu address? I try to
report to the host site about the compromised accounts that are used to
send us phish messages.
Bob Bayn SER 301 (435)797-2396 IT Security Team
Office of Information Technology, Utah State University
three common hazardous email scams to watch out for:
*1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password*
-- Will Froning Unix SysAdmin Will.Froning () GMail com MSN: wfroning () angui sh YIM: will_froning AIM: willfroning
Current thread:
- Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Mark Rogowski (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? David Curry (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Thorpe, Glenn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Will Froning (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Bob Bayn (May 24)
- Re: Are you getting lots of phishing spam with links to hosts at webs[.]com? Mark Rogowski (May 24)