Educause Security Discussion mailing list archives

Small cheap custom phishing


From: Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
Date: Tue, 12 Nov 2013 17:43:29 -0500

This stuff is likely old hat to many of you, but Simon's Rock is so tiny that this is our first exposure to a really 
custom phish email. It had our domain as the forged "From:" field, our proper institution name and address to make it 
look legitimate, and the text part of the bogus log-in anchor was also our domain. (The fake form was on phpforms.net, 
and they were very responsive about dropping it.) The phishers caught at least three of our users, so far all alumni 
accounts, and after trying general spamming with the first two, moved on to launching the same sort of attack from us 
targeting Rider.edu. (Sorry about that.)

With a little thought, we realized that this level of customization would be easy to automate, and, if you are a 
spammer with a big address database, easy to target. The info in the custom phish is built from widely available online 
data; they would not even need to visit our web site, but could pull it all from domain registrations. Then, simply 
find all the @simons-rock.edu addresses in your spam database, and send the phish on its way. Given the amount of spam 
that hits our filters, I'd say spammers in general have pretty good coverage of our entire user base.

FWIW, here's the sample text they sent our users:

Subject:      ## all Mail-hub systems#
Date: Mon, 11 Nov 2013 18:38:19 -0600
From: Bard College at Simon's Rock <noreply () simons-rock edu>
Reply-To:     noreply () simons-rock edu
To:   noreply () simons-rock edu

This Email is from Bard College at Simon's Rock,  we will be making some vital E-mail account maintenance to ensure 
high quality in Internet connectivity in the 2013 fight against spam and improve security, all Mail-hub systems will 
undergo regularly scheduled maintenance.

To confirm and to keep your account active during and after this process Kindly Click the Universal Web Link and fill 
the following information: http:/simons-rock.edu/hubsystems

Bard College at Simon's Rock• 
84 Alford Rd, Great Barrington, MA 01230•
 

The version of this phish to Rider was identical, except with their domain, name and address.

The phish link behind the text above was http://simonsrockedu.phpforms.net/f/firstform, and again, the exact same 
format for Rider. Clever how automatic it can be.

Obviously, we need to do more to automatically shut down high-volume senders, and it would also have been nice to have 
a system that could have stopped this phish as it came in, though not sure how easy that is. The original has a large 
amount of formatting code cluttering up the html, presumably intended to obfuscate the actual message.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645
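As an added example (my own code, not Steve's and not anything the list proposed), the two tells in the phish above can be checked mechanically at the gateway: a From: that claims the receiving institution's own domain but did not authenticate, and link text that displays our domain while the href points at a third-party form host. The script assumes the inbound MTA stamps an Authentication-Results header (RFC 7601 style) carrying the SPF/DKIM verdict, treats simons-rock.edu as the protected domain, and runs against two constructed messages, one modelled on the quoted phish and one legitimate notice, neither of which is the original raw mail:

```python
"""Flag the two tells from the phish above: a From: claiming our own domain that did not
authenticate, and link text that shows our domain while the href goes somewhere else.
Added example, not code from the list post; the Authentication-Results header is an
assumption about what the inbound gateway stamps on mail before delivery."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "simons-rock.edu"  # the domain being defended

# Constructed sample modelled on the phish quoted in the post (not the original raw message).
PHISH_SAMPLE = """\
From: Bard College at Simon's Rock <noreply@simons-rock.edu>
Reply-To: noreply@simons-rock.edu
To: noreply@simons-rock.edu
Subject: ## all Mail-hub systems#
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=noreply@simons-rock.edu
Content-Type: text/html; charset=utf-8

<html><body><p>To confirm and to keep your account active Kindly Click the Universal Web Link:
<a href="http://simonsrockedu.phpforms.net/f/firstform">http:/simons-rock.edu/hubsystems</a></p>
</body></html>
"""

# Constructed legitimate notice for comparison: authenticated, link text and href agree.
LEGIT_SAMPLE = """\
From: ITS <its@simons-rock.edu>
To: user@simons-rock.edu
Subject: Scheduled mail maintenance
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=its@simons-rock.edu
Content-Type: text/html; charset=utf-8

<html><body><p>Details: <a href="https://www.simons-rock.edu/its">www.simons-rock.edu/its</a>
or <a href="https://www.simons-rock.edu/status">click here</a>.</p></body></html>
"""

# Visible anchor text that reads as a URL or bare domain (plain "click here" is ignored).
URLISH = re.compile(r"^(https?:/+)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL-ish string; tolerates 'http:/domain/..' (single slash, as in the phish)."""
    s = re.sub(r"^https?:/+", "", s.strip(), flags=re.I)
    return (urlparse("http://" + s).hostname or "").lower()


def is_our_domain(host):
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def mismatched_links(html):
    """Anchors whose visible text looks like a URL but names a different host than the href."""
    p = _AnchorCollector()
    p.feed(html)
    return [(host_of(text), host_of(href)) for href, text in p.anchors
            if URLISH.match(text) and host_of(text) != host_of(href)]


def analyze(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()
    # Our own domain in From: is only credible if the gateway saw SPF or DKIM pass.
    if is_our_domain(from_domain) and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("from_claims_our_domain_unauthenticated")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for text_host, href_host in mismatched_links(html):
                findings.append(f"link_text_host_mismatch:{text_host}->{href_host}")
                if is_our_domain(text_host) and not is_our_domain(href_host):
                    findings.append("our_domain_shown_offsite_href")
    return findings


if __name__ == "__main__":
    print("phish :", analyze(PHISH_SAMPLE))
    print("legit :", analyze(LEGIT_SAMPLE))
```

The link check deliberately ignores anchors whose text is ordinary words, since only URL-looking text can lie about its destination; the From: check relies on the gateway's own SPF/DKIM verdict rather than trying to re-verify it, which is the cheap part to add to an existing filter.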
