Educause Security Discussion mailing list archives

Re: Feedback on threatpost article: University Email Hijacking Attacks Push Phishing, Malware


From: Daniel Johnson <dj () SFSU EDU>
Date: Wed, 4 Nov 2020 01:03:09 +0000

Alex, Jim:

  I too am unfamiliar with Inky or their methods, but I speculate that they are running something like an email 
honeypot. Publish a number of legitimate email addresses to publicly accessible sites, located in just the right 
(wrong?) areas of the web, and harvest all the spam and phishing email possible. Over the course of one year, a 
researcher could amass quite the collection of malicious email, some of it possibly originating from compromised 
university accounts. 

Analyzing the collection of messages could reveal some interesting patterns and trends. You would hope Inky would send 
a courtesy note to affected institutions, but their objectives and motives may be more commercial in nature.

Daniel.

----
Daniel Johnson
Systems Administrator
Academic Technology
Email: dj () sfsu edu
Web: https://at.sfsu.edu



-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Alex Keller
Sent: Tuesday, November 3, 2020 2:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Feedback on threatpost article: University Email Hijacking Attacks Push Phishing, Malware

hi Jim et al,

Thanks for sending this over. Threatpost article is just a synopsis of the Inky.com marketing report found here:
https://www.inky.com/hubfs/2020%20Report%20Hijacked%20University%20Accounts.pdf

Very curious how Inky is collecting these emails (to: field is redacted in their screenshots), how they compiled these 
statistics, and if they bothered to reach out to any of the schools during the course of their research.

At first glance I am concerned with the approach.

Best,
Alex 

Alex Keller
Stanford | Engineering
Information Technology
axkeller () stanford edu
(650)736-6421


-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jim A. Bole
Sent: Monday, November 2, 2020 6:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Feedback on threatpost article: University Email Hijacking Attacks Push Phishing, Malware

I'm not familiar with Inky, the group that did this research:

https://threatpost.com/university-email-hijacking-phishing-malwarephishing-malware/160735/

Curious what others think of these findings. I do find that many phishing attacks use email accounts with valid 
DMARC/SPF, such as hijacked Google accounts.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
