Re: Recent Phishing Uptick

[Peter Setlak <psetlak () COLGATE EDU>]

Bob,

Thanks for sharing the link. We actually got two since Monday that were
reported to us. The links went to:

http://www.ajir.com.br/keke/boxser/colboxfix/ - this is the nasty one with
the screen-scrape and banner...
http://colgateedu.webs.com/ & http://emailcolgateedu.webs.com/ on the same
day...

And I spoke too soon. We no longer see the VPN service banging at our
accounts but the Nigerian IPs are still coming at us...

- Peter


On Wed, Feb 19, 2014 at 6:41 PM, Bob Bayn <bob.bayn () usu edu> wrote:

>  If the message targets your institution by name and provides a link that
> looks like your real login pages, then I think the risk is high that they
> are going after something like Direct Deposit changes for the victim
> employees.   If they get a victim they login FAST with the credentials they
> just got and they change the bank code so the next paycheck goes to them.
> They also move the deposit out of their account to other places quickly.
>
> See the report about our victimization this way, at:
>
> http://it.usu.edu/computer-security/computer-security-threats/articleID=23694
>
>
>  Bob Bayn         SER 301         (435)797-2396       IT Security Team
> Office of Information Technology,                   Utah State University
>     Do you know the "Skeptical Hover Technique" and
>     how to tell where a web link really goes?  See:
>    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
>
>   ------------------------------
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Peter Setlak [
> psetlak () COLGATE EDU]
> *Sent:* Wednesday, February 19, 2014 4:15 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Recent Phishing Uptick
>
>   Over the past few weeks we saw a dramatic increase in the level and
> sophistication of phishing against our domain. The phishers not only used
> compromised accounts from other Universities but from our own as well. They
> also copied some images from our main website as well as screen-scraped our
> accounts-reset page.
>
>  There seem to have been two different campaigns going; one more
> sophisticated than the other.
>
>  They only sent emails at night or early morning, none were sent to my
> inbox (security admin).
>
>  We use Google Apps and of course, they were of no real help.
>
>  I was able to track down the logins from an IP range owned by Spotflux
> VPN services (spotflux.com). The IP range was 162.210.196.160-175.
>
>  We also saw logins from a Nigerian IP range (41.203.69.x).
>
>  After contacting their support, one of their techs was able to correlate
> some information and found 142 different machines in the Nigerian IP range
> was using their VPN service. He null-routed them and it has been a few
> hours but we have not seen any logins since.
>
>  Has anyone else seen this uptick in phishing?
> Has anyone else seen these IP ranges knocking at their doors?
> Has anyone else seen this scenario before?
> Does anyone have suggestions for working with Google to get better
> reporting and options?
>
>  I would really like to see the ability to do two things through Google:
>
>  1. Deny certain IP ranges from successfully authenticating into our
> domain. Obviously, Google has to allow all users from anywhere use their
> services; if I could set our App domain to automatically log someone out if
> they logged-in from a certain IP range, that would be very helpful. We have
> no students in Nigeria (currently).
>
>  2. Pull an email from users' inboxes before they respond. In this case,
> perhaps the first 15 users in my domain might see and click on the email -
> hopefully at least one sends it to ITS. Then, we could pull that email from
> the remaining users' inboxes before they ever get a chance to open it.
>
>  Perhaps there is something Google offers or a Google-integrated
> third-party offers that would allow me to do this?
>
>  --
> Thank you,
>
> Peter J. Setlak
> Network Security Analyst, GSEC, GLEG, GCPM
> Colgate University
> ---
> psetlak () colgate edu
> (315) 228-7151
> Case-Geyer 450
> skype: petersetlak
>
> Think *Green!* Please consider the environment before printing this
> email.
>
>
> *Engage with Colgate University:  *
>  News blog <http://blogs.colgate.edu/>, Twitter<https://twitter.com/#%21/colgateuniv>
> , Facebook <https://www.facebook.com/colgateuniversity>, Google+<https://plus.google.com/u/0/b/113333907606560373469/>
> , Delicious <http://www.delicious.com/colgatenewsmakers>, YouTube<http://www.youtube.com/cuatchannel13>
> , Flickr <http://www.flickr.com/photos/colgateuniversity/>, Pinterest<http://pinterest.com/colgateuniv/>
> , LinkedIn <http://www.linkedin.com/company/colgate-university/>



-- 
Thank you,

Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450
skype: petersetlak

Think *Green!* Please consider the environment before printing this email.


*Engage with Colgate University: *
News blog <http://blogs.colgate.edu/>,
Twitter<https://twitter.com/#%21/colgateuniv>
, Facebook <https://www.facebook.com/colgateuniversity>,
Google+<https://plus.google.com/u/0/b/113333907606560373469/>
, Delicious <http://www.delicious.com/colgatenewsmakers>,
YouTube<http://www.youtube.com/cuatchannel13>
, Flickr <http://www.flickr.com/photos/colgateuniversity/>,
Pinterest<http://pinterest.com/colgateuniv/>
, LinkedIn <http://www.linkedin.com/company/colgate-university/>