Educause Security Discussion mailing list archives

Re: Small cheap custom phishing


From: Pete Hickey <pete () SHADOWS UOTTAWA CA>
Date: Tue, 12 Nov 2013 18:52:32 -0500

Ok... you have three that were caught... Out of how many sent?
100?... 200?...
Think of this... if there were only 3 caught out of 100, that's 97% 
of people not fooled....  In any other kind of thing, 97% success
would be considered FANTASTIC!  Look at a normal curve.  You'll
always have some on the fringe.

In general, most people are smarter than we 'security people'
give them credit for.


On Tue, Nov 12, 2013 at 05:43:29PM -0500, Steve Bohrer wrote:
This stuff is likely old hat to many of you, but Simon's Rock is so tiny that this is our first exposure to a really 
custom phish email. It had our domain as the forged "From:" field, our proper institution name and address to make it 
look legitimate, and the text part of the bogus log-in anchor was also our domain. (The fake form was on 
phpforms.net, and they were very responsive about dropping it.) The phishers caught at least three of our users, so 
far all alumni accounts, and after trying general spamming with the first two, moved on to launching the same sort of 
attack from us targeting Rider.edu . (Sorry about that.)

With a little thought, we realized that this level of customization would be easy to automate, and, if you are a 
spammer with a big address database, easy to target. The info in the custom phish is built from widely available 
online data; they would not even need to visit our web site, but could pull all it from domain registrations. Then, 
simply find all the @simons-rock.edu addresses in your spam database, and send the phish on its way. Given the amount 
of spam that hits our filters, I'd say spammers in general have pretty good coverage of our entire user base.

FWIW, here's the sample text they sent our users:

Subject:    ## all Mail-hub systems#
Date:       Mon, 11 Nov 2013 18:38:19 -0600
From:       Bard College at Simon's Rock <noreply () simons-rock edu>
Reply-To:   noreply () simons-rock edu
To: noreply () simons-rock edu

This Email is from Bard College at Simon's Rock,  we will be making some vital E-mail account maintenance to ensure 
high quality in Internet connectivity in the 2013 fight against spam and improve security, all Mail-hub systems 
will undergo regularly scheduled maintenance.

To confirm and to keep your account active during and after this process Kindly Click the Universal Web Link and 
fill the following information: http:/simons-rock.edu/hubsystems

Bard College at Simon's Rock
84 Alford Rd, Great Barrington, MA 01230
 

The version of this phish to Rider was identical, except with their domain, name and address.

The phish link behind the text above was http://simonsrockedu.phpforms.net/f/firstform , and again, the exact same 
format for Rider. Clever how automatic it can be.

Obviously, we need to do more to automatically shut down high-volume senders, and it would also have been nice to 
have a system that could have stopped this phish as it came in, though not sure how easy that is. The original has a 
large amount of formatting code cluttering up the html, presumably intended to obfuscate the actual message.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

-- 
Pete Hickey                         "The best diplomat I know
The University of Ottawa             is a fully activated phaser bank."
Ottawa, Ontario                            -- Scottie
Canada                    
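Steve's message describes the two tells of this phish: a forged "From:" carrying the institution's own domain, and an anchor whose visible text is the institution's domain while the href points at a third-party form host. The script below is an added example (not code from either poster or from the archive) that applies exactly those two checks to a constructed message modelled on the quoted sample. Assumptions: the receiving domain is passed in as own_domain; the registrable-domain helper is a deliberately naive last-two-labels version (a real filter should use the Public Suffix List); and the From-domain check only reports that the sender claims to be internal, since the sample carries no Received, SPF or DKIM data to corroborate it.

```python
"""Flag two phishing indicators from the thread: an anchor whose visible text
names one domain while its href points at another, and a From: header that
claims the receiving institution's own domain.  Added example, not from the
mailing list; the sample message below is constructed for illustration."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the thread.
SAMPLE_EML = """\
From: Bard College at Simon's Rock <noreply@simons-rock.edu>
Reply-To: noreply@simons-rock.edu
To: noreply@simons-rock.edu
Subject: ## all Mail-hub systems#
Content-Type: text/html; charset=utf-8

<html><body>
<p>To confirm and to keep your account active Kindly Click the Universal Web
Link and fill the following information:
<a href="http://simonsrockedu.phpforms.net/f/firstform">http:/simons-rock.edu/hubsystems</a></p>
<p>Campus calendar:
<a href="https://www.simons-rock.edu/calendar">https://www.simons-rock.edu/calendar</a></p>
</body></html>
"""

# Hostname-looking token; tolerates malformed display URLs such as the
# single-slash "http:/simons-rock.edu/..." in the sample.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []          # list of (href, text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: last two labels.  Assumption for the example;
    production code should consult the Public Suffix List (e.g. 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """First hostname-looking token in anchor text, or None."""
    m = HOST_RE.search(text)
    return m.group(0).lower() if m else None


def analyse(raw_eml, own_domain):
    """Return {'from_claims_internal': bool,
               'mismatched_links': [(href_host, text_host), ...]}."""
    msg = message_from_string(raw_eml, policy=policy.default)
    from_domain = ""
    if msg["from"] and msg["from"].addresses:
        from_domain = msg["from"].addresses[0].domain.lower()

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = AnchorCollector()
    collector.feed(html)

    mismatches = []
    for href, text in collector.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        text_host = host_in_text(text)
        # Only compare when the visible text itself names a host; plain
        # "click here" links have no display domain to contradict.
        if href_host and text_host and registrable(href_host) != registrable(text_host):
            mismatches.append((href_host, text_host))

    return {
        "from_claims_internal": from_domain == own_domain.lower(),
        "mismatched_links": mismatches,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EML, "simons-rock.edu"))
```

The second anchor in the sample (display text and href both under simons-rock.edu) is there to show the check does not fire on ordinary self-links; only the phpforms.net form link is reported. On its own, "From claims our domain" is weak evidence, since legitimate internal mail says the same thing; the signal becomes useful when the gateway combines it with the inbound direction of the message and an SPF or DMARC result for the claimed domain.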