Educause Security Discussion mailing list archives

Recent Phishing Uptick


From: Peter Setlak <psetlak () COLGATE EDU>
Date: Wed, 19 Feb 2014 18:15:18 -0500

Over the past few weeks we saw a dramatic increase in the level and
sophistication of phishing against our domain. The phishers not only used
compromised accounts from other Universities but from our own as well. They
also copied some images from our main website as well as screen-scraped our
accounts-reset page.

There seem to have been two different campaigns going; one more
sophisticated than the other.

They only sent emails at night or early morning; none were sent to my inbox
(security admin).

We use Google Apps and of course, they were of no real help.

I was able to track down the logins from an IP range owned by Spotflux VPN
services (spotflux.com). The IP range was 162.210.196.160-175.

We also saw logins from a Nigerian IP range (41.203.69.x).

After contacting their support, one of their techs was able to correlate
some information and found 142 different machines in the Nigerian IP range
were using their VPN service. He null-routed them, and it has been a few
hours but we have not seen any logins since.

Has anyone else seen this uptick in phishing?
Has anyone else seen these IP ranges knocking at their doors?
Has anyone else seen this scenario before?
Does anyone have suggestions for working with Google to get better
reporting and options?

I would really like to see the ability to do two things through Google:

1. Deny certain IP ranges from successfully authenticating into our domain.
Obviously, Google has to allow all users from anywhere to use their services;
if I could set our App domain to automatically log someone out if they
logged in from a certain IP range, that would be very helpful. We have no
students in Nigeria (currently).

2. Pull an email from users' inboxes before they respond. In this case,
perhaps the first 15 users in my domain might see and click on the email -
hopefully at least one sends it to ITS. Then, we could pull that email from
the remaining users' inboxes before they ever get a chance to open it.

Perhaps there is something Google offers or a Google-integrated third-party
offers that would allow me to do this?

-- 
Thank you,

Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450
skype: petersetlak

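An added example, not part of the original post: a small Python check that flags successful logins from the two ranges the post names (162.210.196.160-175 and 41.203.69.x) in login-audit lines. The log line format, account names and the `203.0.113.10` source address are constructed assumptions, not real data from the post.

```python
import ipaddress
from collections import defaultdict

# Watched ranges, written the way the post gives them: a dashed last-octet
# span and a trailing ".x" wildcard for a whole /24.
WATCHED_RANGES = {
    "spotflux_vpn": "162.210.196.160-175",
    "nigeria": "41.203.69.x",
}

def parse_range(spec):
    """Expand '162.210.196.160-175' or '41.203.69.x' into IPv4 networks."""
    if spec.endswith(".x"):
        return [ipaddress.ip_network(spec[:-2] + ".0/24")]
    if "-" in spec:
        start, last_octet = spec.split("-")
        end = start.rsplit(".", 1)[0] + "." + last_octet
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [ipaddress.ip_network(spec)]

def label_for(ip, ranges):
    """Return the label of the first watched range containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in ranges.items():
        if any(addr in net for net in nets):
            return label
    return None

def flag_logins(log_lines, watched=WATCHED_RANGES):
    """Return {label: {account: [source ips]}} for successful logins from watched ranges."""
    ranges = {label: parse_range(spec) for label, spec in watched.items()}
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_lines:
        ts, account, event, ip = line.split()   # assumed format: time account event ip
        if event != "login_success":            # failed attempts are not session hits
            continue
        label = label_for(ip, ranges)
        if label:
            hits[label][account].append(ip)
    return {label: dict(accounts) for label, accounts in hits.items()}

# Constructed sample lines (not real log data); 162.210.196.176 is just outside the span.
SAMPLE_LOG = """\
2014-02-19T02:14:33Z alice@example.edu login_success 162.210.196.170
2014-02-19T02:20:01Z bob@example.edu login_success 41.203.69.88
2014-02-19T03:02:45Z alice@example.edu login_success 162.210.196.176
2014-02-19T09:15:00Z carol@example.edu login_success 203.0.113.10
2014-02-19T09:30:12Z bob@example.edu login_failure 41.203.69.90
""".splitlines()

if __name__ == "__main__":
    for label, accounts in flag_logins(SAMPLE_LOG).items():
        print(label, accounts)
```

The flagged accounts are the ones to force a session sign-out and password reset on; the same range table can be re-used against the mail gateway's sender IPs.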
