[nsp-sec] Ping: Google/GMail

Krista Hickey Krista.Hickey at cogeco.com
Thu Feb 28 16:36:18 EST 2008


On Feb 28, 2008, Seth Hall wrote:

> We have the same attack going on against us and would appreciate any
> intel you have from the account too.

Since approx July 2007 I've been seeing a combo of spear phishing against
our customers + logins from foreign netblocks to our webmail with stolen
credentials to relay lottery scams + logins to our SelfCare services
where the miscreants are actually creating accounts for their spear
phishing or lottery scams. Sometimes Gmail is the dropbox, sometimes
it's yahoo or hotmail or live.com, etc.

Recently we applied some rather aggressive IP filters (in particular AS
33775, 16422, 22351 and 12491) to our webmail and saw mail and abuse
reports drop by almost 50% overnight with no customer complaints or
apparent collateral damage. I've tried to engage a few of these ASNs to
report the abuse but haven't received a response to date... oddly enough
I just received an email from 12491 today inquiring if they are filtered
as one of their /29 customers is complaining. I replied with a small
novel along with examples of the abuse, so it will be interesting to see if
I get any response to that.

I've discussed this subject in various forums (i.e. GIAIS, talking with
my Canadian ISP cohorts, etc.) and it seems that most of us are
experiencing this. I tried to get GIAIS interested before xmas as I
figured I could leverage their resources but it never really went
anywhere, so just recently we moved to whack-a-mole filtering and so far
that's reduced a lot of the volume although we are still seeing the odd
spear phish.

Personally I feel that all four elements are related and the same
crew(s) are using the spear phishing to get credentials to then login to
account management to create new aliases to then use to spear phish more
or relay lottery scams. It's also my opinion that some of these ASNs
and/or their clients are not altogether legit; for example here's the RIPE
contact info for 80.255.61.29 (I particularly like the asterisks drawing
attn to where to send abuse reports, a tactic I've seen while
investigating other IPs involved in this):

remarks:         *************************************************************
remarks:         *                                                           *
remarks:         *  For issues of abuse related to this IP address block,    *
remarks:         *  including spam, please send email to at:                 *
remarks:         *                                                           *
remarks:         *                   eabajue at yahoo.co.uk                  *
remarks:         *                   mydely02 at yahoo.com                   *
remarks:         *************************************************************

In addition to the funky RIPE results for the IP, the AS itself (22351)
doesn't necessarily strike me as the most legit and/or caring operation,
and I've yet to hear back from them regarding the detailed report I sent to
multiple operational addresses there on Jan 21, 2008.

So while chasing dropboxes might provide some insight, I'd also be
interested to know if those of you experiencing this phenomenon have
also been seeing it come from the ASNs I cited above... maybe that will also
provide some insight, and if it's actually as related and big as it seems
maybe we can hand off to LE.

Since I just created it for my small novel to them earlier today, I've
attached the list of 12491 IPs that successfully logged into our webmail
using stolen credentials to relay lottery scams from Jan 1-23, 2008 -
maybe this will ring some bells with your logs (timestamps EST).

Krista
7992


-----Original Message-----
From: nsp-security-bounces at puck.nether.net 
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Seth Hall
Sent: Thursday, February 28, 2008 2:58 PM
To: Peter Moody
Cc: nsp-security NSP
Subject: Re: [nsp-sec] Ping: Google/GMail

----------- nsp-security Confidential --------


On Feb 28, 2008, at 2:42 PM, John Fraizer wrote:

> They are being used as drops for several spear-phishing campaigns that
> are currently underway against our customers.
>
> It would be even cooler if we could get the contents of those drops so
> we have a list of compromised or potentially compromised accounts
> resulting from this campaign.


We have the same attack going on against us and would 
appreciate any intel you have from the account too.

Address used in our spear phish:
    customercare.osu.edu at gmail.com

Thanks,
  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721 
 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: jan_12491.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080228/17f93e0b/attachment-0001.txt>
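The message above describes two defender-side tasks: filtering webmail logins by source ASN, and correlating a shared list of IPs that logged in with stolen credentials against one's own authentication logs to find compromised accounts. The script below is an added example written for this archive page, not code from the thread or from Cogeco; the log line format, the prefix-to-ASN map (using documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 with private-use ASNs) and the indicator list are all constructed for illustration and do not describe the real prefixes of the ASNs named in the message. In production the prefix map would come from a routing table or whois data and the log format from the actual webmail server.

```python
"""Correlate webmail auth logs with a shared suspect-IP list and an ASN filter.

Added example for the nsp-security archive page; all data below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed prefix -> ASN map (documentation ranges, private-use ASNs).
# A real deployment would build this from a routing table or whois lookups.
PREFIX_TO_ASN = {
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "192.0.2.0/24": 64503,
}

# ASNs the operator has decided to filter at the webmail front end (constructed).
BLOCKED_ASNS = {64501, 64502}

# Constructed stand-in for a shared list such as the jan_12491.txt attachment:
# one IP per line, '#' starts a comment.
SUSPECT_IP_LIST = """
# constructed indicator list
198.51.100.17
203.0.113.9
"""

# Constructed webmail authentication log lines (format is hypothetical).
SAMPLE_LOG = """\
2008-01-02T03:14:07 LOGIN OK user=alice src=198.51.100.17
2008-01-02T03:15:40 LOGIN FAIL user=bob src=10.0.0.5
2008-01-02T03:16:02 LOGIN OK user=bob src=203.0.113.9
2008-01-02T03:20:11 LOGIN OK user=carol src=192.0.2.44
2008-01-03T11:02:55 LOGIN OK user=alice src=198.51.100.23
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_ip_list(text):
    """Return the set of IP addresses in a one-per-line list; '#' starts a comment."""
    ips = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ips.add(ipaddress.ip_address(line))
    return ips


def build_prefix_table(prefix_to_asn):
    """Sort prefixes longest-first so the first match is the most specific one."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip, table):
    """Longest-prefix match of an address (string or ip_address) to an ASN."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for net, asn in table:
        if ip in net:
            return asn
    return None


def parse_log_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def find_suspicious_logins(log_text, ip_list_text, prefix_to_asn, blocked_asns):
    """Return successful logins whose source is on the shared list or in a filtered ASN."""
    suspects = parse_ip_list(ip_list_text)
    table = build_prefix_table(prefix_to_asn)
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        # Only successful logins show that a stolen credential actually worked.
        if rec is None or rec["result"] != "OK":
            continue
        asn = lookup_asn(rec["ip"], table)
        reasons = []
        if rec["ip"] in suspects:
            reasons.append("ip-on-shared-list")
        if asn in blocked_asns:
            reasons.append(f"asn-{asn}-filtered")
        if reasons:
            hits.append({"ts": rec["ts"], "user": rec["user"],
                         "ip": str(rec["ip"]), "asn": asn, "reasons": reasons})
    return hits


def accounts_to_review(hits):
    """Count hits per account; these are the credentials to reset and investigate."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    found = find_suspicious_logins(SAMPLE_LOG, SUSPECT_IP_LIST, PREFIX_TO_ASN, BLOCKED_ASNS)
    for h in found:
        print(h)
    print(accounts_to_review(found))
```

The ASN match catches logins from the filtered networks that are not on the shared list (here the second alice login), which is the case the shared list alone would miss; the list match catches the specific IPs even if they sit in a network the operator has not yet filtered. Either way the output is a set of accounts whose credentials should be reset, not a block decision by itself.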