Educause Security Discussion mailing list archives

Recent (since July 2013) Phishing vs. University accounts
From: Gary Warner <gar () CIS UAB EDU>
Date: Sat, 27 Jul 2013 10:03:13 -0500

I've had a few conversations lately regarding phishing sites against US-based universities that have been attacked 
using a very similar technique.  This week we learned of a new set of phishing sites that make it even more evident 
that these sites may all be conclusively linked.

If you are aware of a recent "university-as-victim" phishing attack, would you please reach out to me off-list?  We are 
trying to determine how many of these cases are DEFINITELY the same bad guy and how many are merely similar.

These seemed, at face value, to be similar . . . each has a similarly structured email.  In fact, I found these by 
doing a google search phrase match of this phrase:

"This is an automated message to notify you that we detected a login attempt"

Each of these is a University web page warning its users about a phish:

University of Minnesota - http://blog.lib.umn.edu/it-comm/phishing/2013/07/phishing-example-9-the-umn-helpdesk.html

Clemson - http://www.clemson.edu/ccit/help_support/safe_computing/cyber_threat_alerts.html

University of Chicago - https://itservices.uchicago.edu/page/latest-email-scams

Washburn - http://blog.washburn.edu/technology/2013/07/14/multiple-reports-of-czech-republic-phishing-messages/

Kansas State U - https://blogs.k-state.edu/scams/2013/07/09/phishing-scam-7913-termination-of-your-webmail-account/

This week, a new attack against University of Minnesota was seen on a server that was simultaneously also hosting phish for

University of Southern California:
blog.eurostargym.com/wp-admin/meta/usc/

Arizona State University:
blog.eurostargym.com/wp-admin/meta/asu/

University of Minnesota:
blog.eurostargym.com/wp-admin/meta/umn/

We have not yet conclusively linked any of the above (other than the last three, obviously).

If anyone has samples of the emails sent to employees or students, for these or any other recent University-targeted 
phish, please send them directly to me off-list.  In the interest of not having them caught in spam filters, please 
forward them to my unfiltered personal email, with a subject line of "University Phishing" ==> gar () askgar com

Thank you for any assistance in this matter.

I'll go ahead and say that one technique for identifying "commonality" is a review of the "referring URLs" from the 
weblogs where the university logo is being pulled.  There is interest from law enforcement that we can discuss off-list 
if anyone is in a position to be able to help provide emails-with-headers, evidence of "abuse" of the stolen 
credentials, or those referring URLs with IP addresses.  (Hint: the FIRST PERSON to visit your university graphic from 
a referring URL on a phishing site is ALMOST CERTAINLY the phisher, especially when it happens over and over again on 
many phishing sites from the same IP address.)

Again, some of this is quickly going to head to the "on-going investigation" level of privacy.  Please go off-list if 
you are sharing significant attack details, but I will be happy to summarize back to the list what I can.
----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------
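The referring-URL review Gary describes above can be scripted against ordinary web server logs. The following is an added illustration, not part of the original post or of any UAB tooling: it parses Apache/nginx "combined" format lines, keeps only fetches of the university's hot-linked logo that arrive with an external Referer, records the earliest client IP per referring host, and then reports any IP that was the first visitor from more than one referring site. The log lines, the logo path, the hostnames and the IP addresses are all constructed for the example.

```python
"""Find the first client to fetch a hot-linked logo from each external
referring site, then flag IPs that are "first" across several sites.

Added example for the technique described in the post above. The log
lines, LOGO_PATH, OWN_HOSTS and every address below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

OWN_HOSTS = {"www.example-univ.edu", "example-univ.edu"}  # constructed: our own hostnames
LOGO_PATH = "/images/logo.png"                           # constructed: the hot-linked graphic

# Constructed sample log lines (RFC 5737 documentation addresses, .example hosts).
SAMPLE_LOG = """\
203.0.113.9 - - [20/Jul/2013:08:01:02 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://blog.badsite-a.example/wp-admin/meta/umn/" "Mozilla/5.0"
198.51.100.7 - - [20/Jul/2013:09:15:44 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://blog.badsite-a.example/wp-admin/meta/umn/" "Mozilla/5.0"
192.0.2.33 - - [20/Jul/2013:09:20:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example-univ.edu/" "Mozilla/5.0"
203.0.113.9 - - [21/Jul/2013:11:02:10 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://shop.badsite-b.example/secure/login/" "Mozilla/5.0"
198.51.100.8 - - [21/Jul/2013:12:40:55 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://shop.badsite-b.example/secure/login/" "Mozilla/5.0"
198.51.100.9 - - [22/Jul/2013:07:00:00 -0500] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def first_visitors(lines, logo_path=LOGO_PATH, own_hosts=OWN_HOSTS):
    """Map each external referring host to (time, ip, referer) of its earliest logo fetch.

    Timestamps are compared explicitly so the result does not depend on the
    log already being in chronological order.
    """
    first = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != logo_path or rec["referer"] == "-":
            continue
        host = urlsplit(rec["referer"]).hostname
        if not host or host in own_hosts:
            continue  # no referer, or a page of our own embedding the logo legitimately
        if host not in first or rec["time"] < first[host][0]:
            first[host] = (rec["time"], rec["ip"], rec["referer"])
    return first


def repeat_first_visitors(first):
    """Return {ip: [referers]} for IPs that were the first visitor from more than one site."""
    by_ip = defaultdict(list)
    for _, (_, ip, referer) in first.items():
        by_ip[ip].append(referer)
    return {ip: sorted(refs) for ip, refs in by_ip.items() if len(refs) > 1}


if __name__ == "__main__":
    first = first_visitors(SAMPLE_LOG.splitlines())
    for host, (when, ip, referer) in sorted(first.items()):
        print(f"{host}: first fetch {when.isoformat()} from {ip} via {referer}")
    for ip, refs in repeat_first_visitors(first).items():
        print(f"{ip} was first visitor from {len(refs)} referring sites: {refs}")
```

In real use, feed the script the logo requests for a whole semester rather than a handful of lines, and keep the matching raw log lines alongside the summary: the full line (IP, timestamp, Referer, User-Agent) is what an investigator can actually act on, while the summary only tells you which lines to pull.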