[nsp-sec] Paging Yahoo! - Phishing account

White, Gerard Gerard.White at aliant.ca
Mon Jun 2 07:11:33 EDT 2008


Looks like an account on the Jundi-Shapur University's web-mail server
got abused to target your folks.  Unfortunately all you have to go by is
an AS 12491 IPPlanet /32 that's probably an open proxy of sorts.

AS      | IP               | AS Name
12491   | 217.21.79.162    | IPPLANET-AS IPPlanet

Hmmph, not the first IPPLANET source from this /24 I've seen tickling
our web mail front-ends here:

217.21.79.165 - April 11th
217.21.79.195 - May 9th

GW
855 - Bell Aliant


> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Daniel Adinolfi
> Sent: Monday, June 02, 2008 8:17 AM
> To: nsp-security NSP
> Subject: [nsp-sec] Paging Yahoo! - Phishing account
> 
> ----------- nsp-security Confidential --------
> 
> Folks,
> 
> We received a very targeted phishing attempt for Cornell University
> accounts this morning.  The reply-to address is
> 
> toolbasic at yahoo.com.
> 
> If there is someone from Yahoo! on the list, please have this account
> taken down.  The email message is listed below.
> 
> Thanks!
> 
> -Dan
> 
> 
> _________________
> Daniel Adinolfi, CISSP
> Senior Security Engineer, IT Security Office
> Cornell University - Office of Information Technologies
> email: dra1 at cornell.edu   phone: 607-255-7657
> 
> _______________________
> 
> 
> Return-Path: <helpdesk at cornell.edu>
> Received: from postoffice9.mail.cornell.edu ([unix socket])
> 	by postoffice9.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Mon, 02
> 	Jun 2008 05:21:22 -0400
> Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu
> [132.236.56.55])
> 	by postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id
> m529LJ6b001802
> 	for <dra1 at postoffice9.mail.cornell.edu>; Mon, 2 Jun 2008 05:21:19
> 	-0400 (EDT)
> Received: (from daemon at localhost)
> 	by hermes30.mail.cornell.edu (8.13.6/8.13.6) id m529L2vA001121;
> 	Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
> Received: from localhost.localdomain (veronica.mail.cornell.edu
> [132.236.56.51])
> 	by hermes30.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id
> m529L04E001041;
> 	Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
> Received: from unknown-host
> 	by veronica with queue (Sophos PureMessage Version 5.303) id
> 36055023-11;
> 	Mon, 02 Jun 2008 09:17:24 GMT
> Received: from veronica_tc [10.236.56.7]
> 	by  with SMTP id ;
> 	Mon, 02 Jun 2008 09:17:24 GMT
> 	(envelope-from helpdesk at cornell.edu)
> Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7;
> Mon,  2 Jun 2008 05:17:24 -0400
> Received: from cic.jsu.ac.ir (acc.jsu.ac.ir [127.0.0.1])
> 	by cic.jsu.ac.ir (8.12.11/8.12.11) with ESMTP id m529G362001990;
> 	Mon, 2 Jun 2008 13:46:03 +0430
> Received: (from apache at localhost)
> 	by cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
> 	Mon, 2 Jun 2008 05:16:03 -0400
> X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk at cornell.edu
>   using -f
> Received: from 217.21.79.162
>         (SquirrelMail authenticated user moezifar)
>         by cic.jsu.ac.ir with HTTP;
>         Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
> Message-ID: <1543.217.21.79.162.1212398158.squirrel at cic.jsu.ac.ir>
> Date: Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
> Subject: VERIFY YOUR WEBMAIL
> X-PH: V4.1 at hermes30
> From: "CIT Contact Center   (CORNELL UNIVERSITY)" <helpdesk at cornell.edu>
> Reply-To: toolbasic at yahoo.com
> Bcc:
> User-Agent: SquirrelMail/1.4.2-3
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> X-Priority: 3
> Importance: Normal
> X-Original-IP: 78.39.195.19
> X-PMX-Version: 5.3.3.310218, Antispam-Engine: 2.5.2.313940, Antispam-
> Data: 2008.6.2.20419
> X-PMX-CORNELL-SPAM-CHECKED: poppy
> 
> CORNELL UNIVERSITY
> CORNELL INFORMATION TECHNOLOGY
> 
> Dear Subscriber,
> 
> 
> We are currently upgrading our database and email account center. We have
> some problems on our database and it will affect your webmail account.We
> are deleting all unused cornell.edu webmail account to create more space
> for new accounts.
> To prevent your account from closing you will have to update it below so
> that we will know that it's being used presently. In 24 hours, you may not
> be able to access your webmail
> 
> CONFIRM YOUR EMAIL IDENTITY BELOW
> 
> NetID: .............
> Password : .............
> 
> Failure to do this will immediately render your email address
> deactivated
> from our database.
> 
> Error Code# CL1034EDU
> 
> Thank you for your patience!!
> 
> CORNELL INFORMATION TECHNOLOGY
> IDENTITY MANAGEMENT
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
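Gerard's read of the headers above comes from walking the quoted Received: chain from the bottom up: the SquirrelMail hop records both the authenticated webmail account and the client IP that used it, the X-Authentication-Warning shows the web server's apache user forging the envelope sender, and the Reply-To points off-domain to Yahoo!. The Python below is an added example, not code from this thread or from either poster; it automates that read over a transcription of the quoted headers (abridged to the hops that matter, with the list archive's " at " obfuscation undone). The function names, the PRIOR_SIGHTINGS list built from the two earlier IPPLANET addresses Gerard lists, and the /24 grouping are this example's own assumptions.

```python
"""Trace the origin of a phishing message from its Received: chain.

Added example for the nsp-security thread above; not the posters' code.
SAMPLE_HEADERS is a constructed transcription of the quoted headers,
abridged to the relevant hops.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Return-Path: <helpdesk@cornell.edu>
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [132.236.56.55])
\tby postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id m529LJ6b001802;
\tMon, 2 Jun 2008 05:21:19 -0400 (EDT)
Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7;
\tMon,  2 Jun 2008 05:17:24 -0400
Received: (from apache@localhost)
\tby cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
\tMon, 2 Jun 2008 05:16:03 -0400
X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk@cornell.edu using -f
Received: from 217.21.79.162
\t(SquirrelMail authenticated user moezifar)
\tby cic.jsu.ac.ir with HTTP;
\tMon, 2 Jun 2008 05:15:58 -0400 (EDT)
Message-ID: <1543.217.21.79.162.1212398158.squirrel@cic.jsu.ac.ir>
Subject: VERIFY YOUR WEBMAIL
From: "CIT Contact Center   (CORNELL UNIVERSITY)" <helpdesk@cornell.edu>
Reply-To: toolbasic@yahoo.com
User-Agent: SquirrelMail/1.4.2-3
X-Original-IP: 78.39.195.19

"""

# Earlier IPPLANET hits on Bell Aliant's webmail front-ends, as listed in
# the reply (assumed list built from the thread, not a live feed).
PRIOR_SIGHTINGS = ["217.21.79.165", "217.21.79.195"]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AUTH_USER = re.compile(r"authenticated user\s+(\S+)\)", re.IGNORECASE)


def received_chain(raw: str) -> list[str]:
    """Received: headers in transit order (origin hop first).

    Each MTA prepends its header, so the parsed list is newest-first and is
    reversed here.  Folded continuation lines are collapsed to one line.
    """
    msg = message_from_string(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def origin(raw: str) -> dict:
    """Earliest hop that names a client IP, plus the submitting account if
    the webmail/MSA recorded one.  Local submissions without an address
    (e.g. '(from apache@localhost)') are skipped."""
    for hop in received_chain(raw):
        ips = IPV4.findall(hop)
        if not ips:
            continue
        user = AUTH_USER.search(hop)
        return {"ip": ips[0], "user": user.group(1) if user else None, "hop": hop}
    return {"ip": None, "user": None, "hop": None}


def reply_to_mismatch(raw: str) -> bool:
    """True when replies would leave the domain the From: claims to be."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    reply_dom = parseaddr(msg.get("Reply-To", msg["From"]))[1].rsplit("@", 1)[-1].lower()
    return from_dom != reply_dom


def sender_rewrite_warning(raw: str):
    """Forged envelope sender recorded by sendmail's -f warning, or None."""
    warning = message_from_string(raw).get("X-Authentication-Warning")
    if not warning:
        return None
    m = re.search(r"set sender to (\S+)", warning)
    return m.group(1) if m else warning


def related_sightings(ip: str, seen: list[str], prefix: int = 24) -> list[str]:
    """Earlier source addresses that fall in the same /prefix as ip."""
    block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return [s for s in seen if ipaddress.ip_address(s) in block]


if __name__ == "__main__":
    o = origin(SAMPLE_HEADERS)
    print(f"origin {o['ip']} via webmail account {o['user']}")
    print("forged envelope sender:", sender_rewrite_warning(SAMPLE_HEADERS))
    print("reply-to leaves From: domain:", reply_to_mismatch(SAMPLE_HEADERS))
    print("same /24 seen before:", related_sightings(o["ip"], PRIOR_SIGHTINGS))
```

The only hop you can trust is the one written by a server you control; everything below it is whatever the previous relay chose to record, which is why the script stops at the first hop naming a client IP rather than at the Message-ID (which here happens to embed the same address). With a webmail gateway in the chain, the authenticated user on that hop is the lead to hand the abused site, and the client IP is all that remains for the originating network.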


