Educause Security Discussion mailing list archives
Re: Phishing at U-M
From: Frank Barton <bartonf () HUSSON EDU>
Date: Fri, 5 Jun 2015 16:39:51 -0400
Makes me wonder if the stolen credentials were then sold, or "Acquired" by a second or even third group of malcontents.

Frank

On Fri, Jun 5, 2015 at 11:21 AM, Joel Anderson <joela () umn edu> wrote:

> Three months? That's nothin'! I've had some that come back in *years.*
>
> (I've taken this as an object lesson in the power of 1) changing your password, and 2) *never* reusing them.)
>
> On Fri, Jun 5, 2015 at 10:04 AM, William Rhee <willrhee () umich edu> wrote:
>
>> Hi Joel,
>>
>> Yes! We use distinct, single-use, fake usernames that we use to bait a phishing form and then never use again, so we can associate later attempts with a specific phishing scam. We use splunk to alert on failed logins.
>>
>> We've seen the same flavor of highly-personalized "academic paper" phishing scams for at least a year. They appear to be motivated by access to library and VPN resources.
>>
>> Beware: sometimes we've had to wait three months or more before getting an alert about failed logins by fake usernames associated with this scam.
>>
>> best regards,
>> Will Rhee
>> IT User Advocate, University of Michigan
>> (734) 936-8356
>>
>> On Fri, Jun 5, 2015 at 10:35 AM, Joel Anderson <joela () umn edu> wrote:
>>
>>> FWIW, it's been useful to us to drop fake credentials (I call them "honeypeeps") in these fake login forms, and monitor for failed logins - it's allowed us to discover phisher IP endpoints, and detect phished accounts.
>>>
>>> On Fri, Jun 5, 2015 at 7:11 AM, Donald Welch <djwelch () umich edu> wrote:
>>>
>>>> Colleagues,
>>>>
>>>> Starting Wed, we've been undergoing a serious phishing attack. The attacker has used compromised accounts to send the e-mails and collect the information on forms in U-M google drives. Still they are "from the IRS," but from a umich e-mail. As we shut down accounts, the attacker moves on to the next account. The scam subject lines he has used are:
>>>>
>>>> E-Services Record Validation Important Mail =?UTF-8?B?SW1wb3J0YW50IE1haWzigI/igI8=?= Quick Validation
>>>>
>>>> We think about 150 people have given up their PII so far. In some cases we have been fast to close down the form so the attacker may not have captured the info.
>>>>
>>>> We have also been seeing an attack aimed at faculty when the e-mail is asking for a copy of a person's paper, and when they click the link they get a copy of our login page. This one is annoying, but we don't think the attack is working in that the faculty realize they have been scammed and change their password quickly.
>>>>
>>>> As our campus becomes wiser to this attack the attacker may move on to another campus.
>>>>
>>>> Don
>>>>
>>>> Donald J. Welch, Ph.D.
>>>> Chief Information Security Officer
>>>> University of Michigan
>>>> 734-615-0334
>>>
>>> --
>>> ---------------------------------------------------
>>> joel anderson * joela () umn edu * @joelpetera --> 612-625-7389 --> pager: 612-648-6823
>>> Security Analyst
>>> University Information Security - University of Minnesota
>>> http://it.umn.edu/practices-information-security-policy

-- Frank Barton ACMT IT Systems Administrator Husson University
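
Added example, not part of the original thread or any poster's tooling: a sketch of the bait-credential correlation the thread describes, tying each fake username to the one phishing form it was planted in and flagging real accounts that log in from the same source address. The log format, usernames, campaign labels and addresses are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed registry: each bait username is typed into exactly one phishing
# form and never reused, so a later hit identifies the campaign. Entries are
# never expired, because hits can arrive months after planting.
CANARIES = {
    "mkowalsk7": ("paper-request-form", "2015-03-02"),
    "tbrenner3": ("irs-validation-form", "2015-06-03"),
}

# Constructed auth log in an assumed "<ISO time> <OK|FAIL> user=<name> src=<ip>" format.
SAMPLE_LOG = """\
2015-06-04T09:12:01 FAIL user=tbrenner3 src=203.0.113.45
2015-06-04T09:13:40 OK user=alice src=203.0.113.45
2015-06-04T10:02:11 FAIL user=bob src=198.51.100.7
2015-06-05T08:30:00 OK user=carol src=192.0.2.10
2015-06-05T14:45:09 FAIL user=MKowalsk7@example.edu src=203.0.113.99
2015-06-05T14:47:30 OK user=dave src=203.0.113.99
"""

LINE = re.compile(r"(\S+) (OK|FAIL) user=(\S+) src=(\S+)")

def normalize(user):
    # Stolen credentials are replayed as typed: ignore case and any @domain suffix.
    return user.lower().split("@", 1)[0]

def correlate(log_text, canaries):
    events = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    hits, phisher_ips = [], {}
    for ts, _result, user, src in events:
        name = normalize(user)
        if name in canaries:
            campaign, planted = canaries[name]
            delay = (datetime.fromisoformat(ts) - datetime.fromisoformat(planted)).days
            hits.append({"canary": name, "campaign": campaign,
                         "src": src, "days_after_bait": delay})
            phisher_ips[src] = campaign
    # Real accounts that authenticated successfully from a phisher endpoint are
    # likely phished; the whole log is scanned, not only lines after the hit.
    suspects = sorted({(normalize(u), phisher_ips[s]) for _, r, u, s in events
                       if r == "OK" and s in phisher_ips and normalize(u) not in canaries})
    return hits, suspects

if __name__ == "__main__":
    for item in sum(map(list, correlate(SAMPLE_LOG, CANARIES)), []):
        print(item)
```
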
Current thread:
- Phishing at U-M Donald Welch (Jun 05)
- Re: Phishing at U-M Joel Anderson (Jun 05)
- Re: Phishing at U-M William Rhee (Jun 05)
- Re: Phishing at U-M Joel Anderson (Jun 05)
- VPN Security Kevin Reedy (Jun 05)
- Re: VPN Security Rossella Mariotti-Jones (Jun 05)
- Re: Phishing at U-M Frank Barton (Jun 05)
- Re: Phishing at U-M Joel Anderson (Jun 07)
- Re: Phishing at U-M William Rhee (Jun 05)
- Re: Phishing at U-M Joel Anderson (Jun 05)