Educause Security Discussion mailing list archives
Re: Compromised accounts at other institutes
From: Frank Barton <bartonf () HUSSON EDU>
Date: Fri, 25 Apr 2014 13:02:44 -0400
What I've seen when trying to report using full headers is that the message is often blocked by spam filters (occasionally having to release my own message on our outbound spam filter). The suggestion of using the REN-ISAC SOC that Brad mentioned a little while ago sounds like a good method. I wonder if they have a non-email-based way to report such things.

Thank you all

On Fri, Apr 25, 2014 at 12:32 PM, charlie derr <cderr () simons-rock edu> wrote:
> On 04/25/2014 12:24 PM, Frank Barton wrote:
>> We are seeing a massive increase in the number of spear-phishing attempts being directed at our users. Many of these are coming from compromised accounts at other universities. The couple of folks that we have had fall for these phishing attempts seem to have their accounts used to send further spear-phishing attempts to yet more universities.
>>
>> Aside from the obvious account security steps to take when we detect a compromised account on our system, what steps (if any) are others taking when you get messages that are symptomatic of compromised accounts at other universities?
>>
>> Thank You
>> --
>> Frank Barton
>> Apple Certified Mac Technician
>> Technology Support Coordinator
>> Husson University
>
> When I become aware of such compromises (and I confess there may be traffic coming through our mailserver like this which I'm not explicitly aware of), I always pursue it until I'm sure I've gotten someone in a technical position (whether helpdesk or IT staff) at the school with the compromised account who understands what I'm reporting (by sending my full headers). Sometimes this is possible only using email, but if I get bounces from the obvious addresses (postmaster@ and abuse@), I usually pick up the phone and war dial individual named staff from the website of the institution until someone answers and I can feel satisfied that my report has made it far enough to be handled by a technical person who is capable of remediating.
> ~c
--
Frank Barton
Apple Certified Mac Technician
Technology Support Coordinator
Husson University
Current thread:
- Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Brad Judy (Apr 25)
- Re: Compromised accounts at other institutes Roger A Safian (Apr 25)
- Re: Compromised accounts at other institutes charlie derr (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Ken Connelly (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Bob Bayn (Apr 25)
- Re: Compromised accounts at other institutes Frank Barton (Apr 25)
- Re: Compromised accounts at other institutes Joel L. Rosenblatt (Apr 25)
- <Possible follow-ups>
- Re: Compromised accounts at other institutes Joe St Sauver (Apr 25)
- Re: Compromised accounts at other institutes Bob Bayn (Apr 25)