Educause Security Discussion mailing list archives

Re: Phishing at U-M


From: William Rhee <willrhee () UMICH EDU>
Date: Fri, 5 Jun 2015 11:04:24 -0400

Hi Joel,

Yes!  We use distinct, single-use, fake usernames that we use to bait a
phishing form and then never use again, so we can associate later attempts
with a specific phishing scam.  We use Splunk to alert on failed logins.

We've seen the same flavor of highly-personalized "academic paper" phishing
scams for at least a year.  They appear to be motivated by access to
library and VPN resources.  Beware: sometimes we've had to wait three
months or more before getting an alert about failed logins by fake
usernames associated with this scam.

best regards,

Will Rhee
IT User Advocate, University of Michigan
(734) 936-8356



On Fri, Jun 5, 2015 at 10:35 AM, Joel Anderson <joela () umn edu> wrote:

FWIW, it's been useful to us to drop fake credentials (I call them
"honeypeeps") in these fake login forms, and monitor for failed logins -
it's allowed us to discover phisher IP endpoints, and detect phished
accounts.

On Fri, Jun 5, 2015 at 7:11 AM, Donald Welch <djwelch () umich edu> wrote:

Colleagues,
Starting Wed, we've been undergoing a serious phishing attack.  The
attacker has used compromised accounts to send the e-mails and collect the
information on forms in U-M google drives.  Still they are "from the IRS,"
but from a umich e-mail. As we shut down accounts, the attacker moves on to
the next account.  The scam subject lines he has used are:

E-Services
Record Validation
Important Mail
=?UTF-8?B?SW1wb3J0YW50IE1haWzigI/igI8=?=
Quick Validation

We think about 150 people have given up their PII so far.  In some cases
we have been fast to close down the form so the attacker may not have
captured the info.

We have also been seeing an attack aimed at faculty when the e-mail is
asking for a copy of a person's paper, and when they click the link they
get a copy of our login page.  This one is annoying, but we don't think the
attack is working in that the faculty realize they have been scammed and
change their password quickly.

As our campus becomes wiser to this attack the attacker may move on to
another campus.

Don

Donald J. Welch, Ph.D.
Chief Information Security Officer
University of Michigan
734-615-0334




--
--
   ---------------------------------------------------
   joel anderson * joela () umn edu *  @joelpetera
   -->  612-625-7389  --> pager: 612-648-6823
   Security Analyst
   University Information Security - University of Minnesota
   http://it.umn.edu/practices-information-security-policy
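
The honey-credential monitoring described in this thread, sketched as an added example (not code from any of the posters or their institutions): planted usernames are mapped to the scam they were dropped into, and any source IP that tries one is used to find real accounts seen from the same address. The log format, usernames, campaign labels and IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed registry: each fake username is planted in exactly one phishing
# form, so any later login attempt identifies the campaign that harvested it.
HONEY_USERS = {
    "hp-7f3a": "irs-form-2015-06-03",
    "hp-c21e": "paper-request-2015-03-10",
}

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2015-06-04T09:12:40Z user=asmith src=203.0.113.45 result=OK
2015-06-04T09:15:02Z user=bjones src=198.51.100.7 result=OK
2015-06-05T14:02:11Z user=hp-7f3a src=203.0.113.45 result=FAIL
2015-06-05T14:03:30Z user=cdoe src=203.0.113.45 result=FAIL
2015-06-12T08:00:00Z user=hp-c21e src=192.0.2.99 result=FAIL
2015-06-12T08:01:10Z user=dlee src=192.0.2.99 result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    # Yield one dict per well-formed line; skip anything that does not match.
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate(log_text, honey=HONEY_USERS):
    events = list(parse(log_text))
    # Pass 1: any attempt by a honey username marks its source IP, with no
    # time window, since the credential may be tried months after planting.
    ip_campaigns = defaultdict(set)
    for e in events:
        if e["user"] in honey:
            ip_campaigns[e["src"]].add(honey[e["user"]])
    # Pass 2: real accounts seen from a marked IP, including events logged
    # before the honey hit. A success means the account is probably phished.
    suspects = defaultdict(set)
    for e in events:
        if e["src"] in ip_campaigns and e["user"] not in honey:
            status = "compromised" if e["result"] == "OK" else "targeted"
            suspects[e["user"]].add(status)
    return dict(ip_campaigns), {u: sorted(s) for u, s in suspects.items()}

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

The second pass runs over the full event list rather than only later events, so a real account that logged in from the phisher's address before the honey username was ever tried is still flagged.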

