Educause Security Discussion mailing list archives

Re: Recent Phishing Uptick


From: Gary Warner <gar () CIS UAB EDU>
Date: Wed, 19 Feb 2014 20:52:45 -0600

Peter,

Please forgive me if any of this is remedial and common sense to you already ... 

Not sure if you have access to the log files for your main website? www.colgate.edu?

You'll notice on the Brazilian webserver that when you enter your name, username, and password and click "Continue to 
update your account", the program "mailform.php" sends your information to the criminal and then forwards you to the 
website www.colgate.edu.

This can be used in two ways.  

First, as an "early warning system".  If the criminal makes several more phishing websites against you using the same 
technique, you will have the ability to check the "Referring URL" in your log files.  Anyone coming to your site being 
REFERRED there by a URL ending in "mailform.php" may be an indication of someone who just gave themselves up to a 
phishing site.  You may want to see if you can automate a warning message based on that action.  (Fairly trivial to do, 
but check with your team to decide if you want to.  ADDING the warning message may tip off future phishers and cause 
them to decide NOT to forward you ... however it may also just convince them that they should go look for a softer 
target.  It's also possible to geocode that, so you only warn people who come from a mailform.php *AND* meet your 
criteria (people in your state, people in the US, people who have a colgate.edu cookie or who have visited your site 
previously...)

Second, the FIRST VISITOR who comes to your site from a referring "mailform.php" URL that you haven't seen before is 
almost certainly the phisher.  Traditionally they don't start their spam campaigns until they have tested the phish 
themselves.  Their test will leave their own IP address in your logs.  Sharing that data with the rest of us could be 
darn handy.

FYI, these guys are not always in Nigeria.  We work many of these cases with the FBI and have had successful state-side 
collars in some of these university phishing cases already.  If you (or anyone else) wants to have us grab forensics 
data off any of your phish, you are more than welcome to shoot the URL over to us or for fully automated service just 
plug it in at https://phishiq.com/submit 

Good luck!

(Would you like me to have the Brazilian site pulled down? or have you left it up for any reason?)

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------
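As an added example (not part of Gary's message or any project's code), the referrer check he describes, run over constructed Apache combined-format log lines: it flags every arrival whose Referer ends in mailform.php, records the first client IP seen from each new such referer (the probable phisher test visit) and lists later arrivals as probable victims. The host phish.example.invalid and the IP addresses are constructed placeholders.

```python
import re
from collections import OrderedDict

# Apache/nginx "combined" log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_phish_referrals(lines):
    """Return (first_seen, victims).
    first_seen maps each mailform.php referer (query string stripped) to the
    (ip, ts) of the first client that arrived from it: likely the phisher's own test.
    victims lists (ip, ts, referer) for every later arrival from the same referer:
    likely someone who just submitted credentials to the phish."""
    first_seen = OrderedDict()
    victims = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ref = rec["referer"].split("?", 1)[0].rstrip("/")
        if not ref.lower().endswith("mailform.php"):
            continue
        if ref not in first_seen:
            first_seen[ref] = (rec["ip"], rec["ts"])
        else:
            victims.append((rec["ip"], rec["ts"], ref))
    return first_seen, victims

# Constructed sample traffic (not real logs); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Feb/2014:02:11:05 -0500] "GET / HTTP/1.1" 200 5123 "http://phish.example.invalid/keke/mailform.php" "Mozilla/5.0"
198.51.100.7 - - [19/Feb/2014:08:40:12 -0500] "GET / HTTP/1.1" 200 5123 "http://www.google.com/" "Mozilla/5.0"
198.51.100.22 - - [19/Feb/2014:09:02:44 -0500] "GET / HTTP/1.1" 200 5123 "http://phish.example.invalid/keke/mailform.php?x=1" "Mozilla/5.0"
198.51.100.31 - - [19/Feb/2014:09:15:01 -0500] "GET /login HTTP/1.1" 200 2210 "http://phish.example.invalid/keke/mailform.php" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    first, vics = find_phish_referrals(SAMPLE_LOG)
    for ref, (ip, ts) in first.items():
        print(f"probable phisher test visit: {ip} at {ts} via {ref}")
    for ip, ts, ref in vics:
        print(f"probable victim: {ip} at {ts} via {ref}")
```

In production the same check can feed the warning page Gary mentions; the geographic or cookie criteria he suggests would be applied to the victim list, not the first-seen entry.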

----- Original Message -----
From: "Peter Setlak" <psetlak () COLGATE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Wednesday, February 19, 2014 6:13:08 PM
Subject: Re: [SECURITY] Recent Phishing Uptick
Bob,

Thanks for sharing the link. We actually got two since Monday that were reported to us. The links went to:

http://www.ajir.com.br/keke/boxser/colboxfix/ - this is the nasty one with the screen-scrape and banner...

http://colgateedu.webs.com/ & http://emailcolgateedu.webs.com/ on the same day...

And I spoke too soon. We no longer see the VPN service banging at our accounts but the Nigerian IPs are still coming at 
us....

- Peter

On Wed, Feb 19, 2014 at 6:41 PM, Bob Bayn < bob.bayn () usu edu > wrote: 

If the message targets your institution by name and provides a link that looks like your real login pages, then I think 
the risk is high that they are going after something like Direct Deposit changes for the victim employees. If they get 
a victim they login FAST with the credentials they just got and they change the bank code so the next paycheck goes to 
them. They also move the deposit out of their account to other places quickly.

See the report about our victimization this way, at: 
http://it.usu.edu/computer-security/computer-security-threats/articleID=23694

Bob Bayn SER 301 (435)797-2396 IT Security Team 
Office of Information Technology, Utah State University 
Do you know the "Skeptical Hover Technique" and 
how to tell where a web link really goes? See: 
https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

From: The EDUCAUSE Security Constituent Group Listserv [ SECURITY () LISTSERV EDUCAUSE EDU ] on behalf of Peter Setlak 
[ psetlak () COLGATE EDU ] 
Sent: Wednesday, February 19, 2014 4:15 PM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: [SECURITY] Recent Phishing Uptick 

Over the past few weeks we saw a dramatic increase in the level and sophistication of phishing against our domain. The 
phishers not only used compromised accounts from other Universities but from our own as well. They also copied some 
images from our main website as well as screen-scraped our accounts-reset page.

There seem to have been two different campaigns going; one more sophisticated than the other.

They only sent emails at night or early morning; none were sent to my inbox (security admin).

We use Google Apps and of course, they were of no real help.

I was able to track down the logins from an IP range owned by Spotflux VPN services ( spotflux.com ). The IP range was 
162.210.196.160-175.

We also saw logins from a Nigerian IP range (41.203.69.x).

After contacting their support, one of their techs was able to correlate some information and found 142 different 
machines in the Nigerian IP range were using their VPN service. He null-routed them and it has been a few hours but we 
have not seen any logins since.

Has anyone else seen this uptick in phishing? 
Has anyone else seen these IP ranges knocking at their doors? 
Has anyone else seen this scenario before? 
Does anyone have suggestions for working with Google to get better reporting and options?

I would really like to see the ability to do two things through Google:

1. Deny certain IP ranges from successfully authenticating into our domain. Obviously, Google has to allow all users 
from anywhere to use their services; if I could set our App domain to automatically log someone out if they logged in from 
a certain IP range, that would be very helpful. We have no students in Nigeria (currently).

2. Pull an email from users' inboxes before they respond. In this case, perhaps the first 15 users in my domain might 
see and click on the email - hopefully at least one sends it to ITS. Then, we could pull that email from the remaining 
users' inboxes before they ever get a chance to open it.

Perhaps there is something Google offers or a Google-integrated third-party offers that would allow me to do this?


-- 

Thank you, 

Peter J. Setlak 
Network Security Analyst, GSEC, GLEG, GCPM 
Colgate University 
--- 
psetlak () colgate edu 
(315) 228-7151 
Case-Geyer 450 
skype: petersetlak 

Think Green! Please consider the environment before printing this email. 


