Educause Security Discussion mailing list archives
Re: Compromised accounts at other institutes
From: charlie derr <cderr () SIMONS-ROCK EDU>
Date: Fri, 25 Apr 2014 12:32:54 -0400
On 04/25/2014 12:24 PM, Frank Barton wrote:

> We are seeing a massive increase in the number of spear-phishing attempts being directed at our users. Many of these are coming from compromised accounts at other universities. The couple of folks that we have had fall for these phishing attempts seem to have their accounts used to send further spear-phishing attempts to yet more universities.
>
> Aside from the obvious account security steps to take when we detect a compromised account on our system, what steps (if any) are others taking when you get messages that are symptomatic of compromised accounts at other universities?
>
> Thank You
> --
> Frank Barton
> Apple Certified Mac Technician
> Technology Support Coordinator
> Husson University

When I become aware of such compromises (and I confess there may be traffic coming through our mailserver like this which I'm not explicitly aware of), I always pursue it until I'm sure I've gotten someone in a technical position (whether helpdesk or IT staff) at the school with the compromised account who understands what I'm reporting (by sending my full headers). Sometimes this is possible only using email, but if I get bounces from the obvious addresses (postmaster@ and abuse@), I usually pick up the phone and war dial individual named staff from the website of the institution until someone answers and I can feel satisfied that my report has made it far enough to be handled by a technical person who is capable of remediating.

~c
Current thread:
- Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Brad Judy (Apr 25)
- Re: Compromised accounts at other institutes Roger A Safian (Apr 25)
- Re: Compromised accounts at other institutes charlie derr (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Ken Connelly (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Bob Bayn (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Joel L. Rosenblatt (Apr 25)
- <Possible follow-ups>
- Re: Compromised accounts at other institutes Joe St Sauver (Apr 25)
- Re: Compromised accounts at other institutes Bob Bayn (Apr 25)