Re: Compromised accounts at other institutes

[Frank Barton <bartonf () HUSSON EDU>]

Yes I do have both the abuse and postmaster reporting addresses set up
(Courtesy of the Google Apps setup, and the associated mailing lists)

Good call on the encryption to "bypass" spam filters

Thank you everybody for your responses


On Fri, Apr 25, 2014 at 1:20 PM, Bob Bayn <bob.bayn () usu edu> wrote:

>  I try to send direct notification to the "abuse" and "helpdesk" address
> at any .edu, .k12, .org or health organization that is spamming us with
> phish.  If they both bounce, I will generally search the site to find
> another technical contact address or contact form.  (Do YOU have those
> default reporting addresses?)
>
> I have a few hundred "Internet Skeptics" who report novel phish sites to
> me, along with a target list of about 3 dozen web form hosting services
> that we alert on but do not block in our inbound email.  As a result I
> respond about 2 dozen different phish attacks per day.  In addition to
> notifying the host of the sender address, we report the phish link to
> google and to the hosting sites, whether free web hosts or hacked sites.
> Those actions help the whole community, I hope.
>
> The phish links that we take action against are all reported on a public
> google docs spreadsheet at:
> https://docs.google.com/spreadsheet/ccc?key=0AlMnxApOMKl_dEhVa3RCRG5uclVZNFZrY3hOSmFpaUE&usp=sharing
>
> The target list of web form hosting sites that we alert on is at:
> https://it.usu.edu/computer-security/be-an-internet-skeptic/form-services/
> Some of the hosting services respond very promptly to our abuse reports,
> others not so much.
>
> Phish victims are very infrequent here and I hope to keep it that way.
> (We did lose one to a Direct Deposit phish a few months ago, though.)
>
>
>  Bob Bayn      SER 301      (435)797-2396    IT Security Team
> Office of Information Technology,         Utah State University
>     Do you know the "*Skeptical Hover Technique*" and
>     how to tell where a web link really goes?  See:
>    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
>
>    ------------------------------
> *From:* The EDUCAUSE Security Constituent Group Listserv [
> SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Frank Barton [
> bartonf () HUSSON EDU]
>
> *Sent:* Friday, April 25, 2014 10:24 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Compromised accounts at other institutes
>
>   We are seeing a massive increase in the number of spear-phishing
> attempts being directed at our users. Many of these are coming from
> compromised accounts at other universities. The couple of folks that we
> have had fall for these phishing attempts seem to have their accounts used
> to send further spear-phishing attempts to yet more universities.
>
>  Aside from the obvious account security steps to take when we detect a
> compromised account on our system, what steps (if any) are others taking
> when you get messages that are symptomatic of compromised accounts at other
> universities?
>
>  Thank You
>
>  --
>  Frank Barton
>  Apple Certified Mac Technician
> Technology Support Coordinator
> Husson University



-- 
Frank Barton
Apple Certified Mac Technician
Technology Support Coordinator
Husson University