Educause Security Discussion mailing list archives

Re: Compromised accounts at other institutes


From: Bob Bayn <bob.bayn () USU EDU>
Date: Fri, 25 Apr 2014 17:20:56 +0000

I try to send direct notification to the "abuse" and "helpdesk" address at any .edu, .k12, .org or health organization 
that is spamming us with phish.  If they both bounce, I will generally search the site to find another technical 
contact address or contact form.  (Do YOU have those default reporting addresses?)

I have a few hundred "Internet Skeptics" who report novel phish sites to me, along with a target list of about 3 dozen 
web form hosting services that we alert on but do not block in our inbound email.  As a result I respond to about 2 dozen
different phish attacks per day.  In addition to notifying the host of the sender address, we report the phish link to
Google and to the hosting sites, whether free web hosts or hacked sites.  Those actions help the whole community, I
hope.

The phish links that we take action against are all reported on a public Google Docs spreadsheet at:
https://docs.google.com/spreadsheet/ccc?key=0AlMnxApOMKl_dEhVa3RCRG5uclVZNFZrY3hOSmFpaUE&usp=sharing

The target list of web form hosting sites that we alert on is at:
https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/
Some of the hosting services respond very promptly to our abuse reports, others not so much.

Phish victims are very infrequent here and I hope to keep it that way.   (We did lose one to a Direct Deposit phish a 
few months ago, though.)


Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Frank Barton 
[bartonf () HUSSON EDU]
Sent: Friday, April 25, 2014 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Compromised accounts at other institutes

We are seeing a massive increase in the number of spear-phishing attempts being directed at our users. Many of these 
are coming from compromised accounts at other universities. The couple of folks that we have had fall for these 
phishing attempts seem to have their accounts used to send further spear-phishing attempts to yet more universities.

Aside from the obvious account security steps to take when we detect a compromised account on our system, what steps 
(if any) are others taking when you get messages that are symptomatic of compromised accounts at other universities?

Thank You

--
Frank Barton
Apple Certified Mac Technician
Technology Support Coordinator
Husson University
