Educause Security Discussion mailing list archives

Re: Compromised accounts at other institutes


From: charlie derr <cderr () SIMONS-ROCK EDU>
Date: Fri, 25 Apr 2014 12:32:54 -0400


On 04/25/2014 12:24 PM, Frank Barton wrote:
We are seeing a massive increase in the number of spear-phishing 
attempts being directed at our users. Many of these are coming
from compromised accounts at other universities. The couple of
folks that we have had fall for these phishing attempts seem to
have their accounts used to send further spear-phishing attempts to
yet more universities.

Aside from the obvious account security steps to take when we
detect a compromised account on our system, what steps (if any) are
others taking when you get messages that are symptomatic of
compromised accounts at other universities?

Thank You

--
Frank Barton
Apple Certified Mac Technician
Technology Support Coordinator
Husson University

When I become aware of such compromises (and I confess there may be
traffic coming through our mailserver like this which I'm not
explicitly aware of), I always pursue it until I'm sure I've gotten
someone in a technical position (whether helpdesk or IT staff) at the
school with the compromised account who understands what I'm reporting
(by sending my full headers).  Sometimes this is possible only using
email, but if I get bounces from the obvious addresses (postmaster@
and abuse@), I usually pick up the phone and war dial individual named
staff from the website of the institution until someone answers and I
can feel satisfied that my report has made it far enough to be handled
by a technical person who is capable of remediating.

    ~c
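One way to pull the pieces a recipient would put in such a report out of the full headers, as an added example that is not code from the list or from either poster: it walks the Received chain back to the oldest hop (where the compromised account's session entered the other school's mailer), takes the sending domain from Return-Path, and builds the abuse@ and postmaster@ addresses mentioned above. The sample message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a phish sent through an invented university's mailer
# from an authenticated (ESMTPA) session, i.e. a compromised account.
SAMPLE = """\
Return-Path: <jdoe@example-university.edu>
Received: from mail.example-university.edu (mail.example-university.edu [192.0.2.25])
\tby mx.receiving.edu with ESMTPS id abc123; Fri, 25 Apr 2014 11:58:01 -0400
Received: from [203.0.113.7] (unknown [203.0.113.7])
\tby mail.example-university.edu with ESMTPA id xyz789; Fri, 25 Apr 2014 11:57:55 -0400
From: "Jane Doe" <jdoe@example-university.edu>
To: staff@receiving.edu
Subject: Urgent: verify your mailbox
Message-ID: <20140425155755.xyz789@mail.example-university.edu>

Your mailbox is over quota, click here to validate.
"""

def received_hops(raw):
    """Received headers oldest first: each relay prepends, so the last one is the origin."""
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def sending_domain(raw):
    """Domain of the envelope sender (Return-Path), falling back to From."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    return addr.rpartition("@")[2].lower() or None

def abuse_contacts(domain):
    """Role mailboxes (RFC 2142) to try before phoning named staff."""
    return [f"abuse@{domain}", f"postmaster@{domain}"]

def entry_client(hop):
    """Client IPv4 address recorded in a Received hop, if any."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    return m.group(1) if m else None

def build_report(raw):
    """What to send the other institution: whom to contact and which session to look at."""
    domain = sending_domain(raw)
    hops = received_hops(raw)
    entry = hops[0] if hops else ""
    return {"domain": domain, "contacts": abuse_contacts(domain),
            "entry_hop": entry, "client_ip": entry_client(entry),
            "message_id": message_from_string(raw).get("Message-ID")}
```

The oldest hop is only meaningful if the other institution's relay recorded it honestly; hops below a trusted relay are written by the sender and can be forged, so the report should still include the complete raw headers.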

