[nsp-sec] Paging Yahoo! - Phishing account
Krista Hickey
Krista.Hickey at cogeco.com
Mon Jun 2 11:43:40 EDT 2008
I've attached a list of what's been touching us from 12491 in the
217.21.64/19 range from as far back as Oct 2007. There are a few from
217.21.79/24 but not the ones you guys are seeing in particular... not
yet anyway.
I've sent reports to abuse at ipplanet.com regarding this type of abuse in
the past with no response. Then in March I received an email from their
NOC asking if we were blocking 81.199.224.200/29. I informed them we
indeed were and provided a small novel along with IPs and timestamps as
to why, and received a nice response from the NOC tech about how they
suffer with webmail abuse as most of us do and they're trying to filter,
looking at ways to secure webmail, etc., who then asked me to specifically
whitelist the /29. Given the amount of webmail abuse we'd seen from
their blocks I replied that we weren't comfortable with this and were unsure
why so many of our Canadian customers were suddenly in Israel trying to
log in to webmail, and suggested they have their customer contact me
directly with details on the specific Cogeco customers having
problems... no further contact from anyone on this, and never a single
customer complaint about webmail access from Israel (or anywhere) to
date.
In other news we got nailed with a particularly large and/or accurate
similar spear phish on May 29; LOTS of customers are still asking "Is this
legitimate?", and the impact to support this time around might actually get
some more business attention to the matter. This one originated from
AS | IP | AS Name
29465 | 41.220.75.3 | VCG-AS VGC Communication Ltd.
which we filtered from accessing our webmail back in Feb 2008. I have a
larger file with timestamps showing touches from 41.220.64/20 as well if
anyone is interested, but it's mostly 41.220.75.3 specifically, so odds
are you'll find something interesting if you look for that.
Krista
7992
>-----Original Message-----
>From: nsp-security-bounces at puck.nether.net
>[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>White, Gerard
>Sent: Monday, June 02, 2008 7:12 AM
>To: Daniel Adinolfi; nsp-security NSP
>Subject: Re: [nsp-sec] Paging Yahoo! - Phishing account
>
>----------- nsp-security Confidential --------
>
>
>Looks like an account on the Jundi-Shapur University's
>web-mail server got abused to target your folks.
>Unfortunately all you have to go by is an AS 12491 IPPlanet
>/32 that's probably an open proxy of sorts.
>
>AS | IP | AS Name
>12491 | 217.21.79.162 | IPPLANET-AS IPPlanet
>
>Hmmph, not the first IPPLANET source from this /24 I've seen
>tickling our web mail front-ends here:
>
>217.21.79.165 - April 11th
>217.21.79.195 - May 9th
>
>GW
>855 - Bell Aliant
>
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Daniel Adinolfi
>> Sent: Monday, June 02, 2008 8:17 AM
>> To: nsp-security NSP
>> Subject: [nsp-sec] Paging Yahoo! - Phishing account
>>
>> ----------- nsp-security Confidential --------
>>
>> Folks,
>>
>> We received a very targeted phishing attempt for Cornell University
>> accounts this morning. The reply-to address is
>>
>> toolbasic at yahoo.com.
>>
>> If there is someone from Yahoo! on the list, please have this account
>> taken down. The email message is listed below.
>>
>> Thanks!
>>
>> -Dan
>>
>>
>> _________________
>> Daniel Adinolfi, CISSP
>> Senior Security Engineer, IT Security Office Cornell University -
>> Office of Information Technologies
>> email: dra1 at cornell.edu phone: 607-255-7657
>>
>> _______________________
>>
>>
>> Return-Path: <helpdesk at cornell.edu>
>> Received: from postoffice9.mail.cornell.edu ([unix socket])
>> by postoffice9.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Mon, 02
>> Jun 2008 05:21:22 -0400
>> Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu
>> [132.236.56.55])
>> by postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id
>> m529LJ6b001802
>> for <dra1 at postoffice9.mail.cornell.edu>; Mon, 2 Jun 2008 05:21:19
>> -0400 (EDT)
>> Received: (from daemon at localhost)
>> by hermes30.mail.cornell.edu (8.13.6/8.13.6) id m529L2vA001121;
>> Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
>> Received: from localhost.localdomain (veronica.mail.cornell.edu
>> [132.236.56.51])
>> by hermes30.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id
>> m529L04E001041;
>> Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
>> Received: from unknown-host
>> by veronica with queue (Sophos PureMessage Version 5.303) id
>> 36055023-11;
>> Mon, 02 Jun 2008 09:17:24 GMT
>> Received: from veronica_tc [10.236.56.7]
>> by with SMTP id ;
>> Mon, 02 Jun 2008 09:17:24 GMT
>> (envelope-from helpdesk at cornell.edu)
>> Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7;
>> Mon, 2 Jun 2008 05:17:24 -0400
>> Received: from cic.jsu.ac.ir (acc.jsu.ac.ir [127.0.0.1])
>> by cic.jsu.ac.ir (8.12.11/8.12.11) with ESMTP id m529G362001990;
>> Mon, 2 Jun 2008 13:46:03 +0430
>> Received: (from apache at localhost)
>> by cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
>> Mon, 2 Jun 2008 05:16:03 -0400
>> X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk at cornell.edu
>> using -f
>> Received: from 217.21.79.162
>> (SquirrelMail authenticated user moezifar)
>> by cic.jsu.ac.ir with HTTP;
>> Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
>> Message-ID: <1543.217.21.79.162.1212398158.squirrel at cic.jsu.ac.ir>
>> Date: Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
>> Subject: VERIFY YOUR WEBMAIL
>> X-PH: V4.1 at hermes30
>> From: "CIT Contact Center (CORNELL UNIVERSITY)" <helpdesk at cornell.edu>
>> Reply-To: toolbasic at yahoo.com
>> Bcc:
>> User-Agent: SquirrelMail/1.4.2-3
>> MIME-Version: 1.0
>> Content-Type: text/plain;charset=iso-8859-1
>> Content-Transfer-Encoding: 8bit
>> X-Priority: 3
>> Importance: Normal
>> X-Original-IP: 78.39.195.19
>> X-PMX-Version: 5.3.3.310218, Antispam-Engine: 2.5.2.313940, Antispam-
>> Data: 2008.6.2.20419
>> X-PMX-CORNELL-SPAM-CHECKED: poppy
>>
>> CORNELL UNIVERSITY
>> CORNELL INFORMATION TECHNOLOGY
>>
>> Dear Subscriber,
>>
>>
>> We are currently upgrading our database and email account center. We
>> have some problems on our database and it will affect your webmail
>> account.We are deleting all unused cornell.edu webmail account to create more
>> space for new accounts.
>> To prevent your account from closing you will have to update it below
>> so that we will know that it's being used presently. In 24 hours, you may
>> not be able to access your webmail
>>
>> CONFIRM YOUR EMAIL IDENTITY BELOW
>>
>> NetID: .............
>> Password : .............
>>
>> Failure to do this will immediately render your email address
>> deactivated from our database.
>>
>> Error Code# CL1034EDU
>>
>> Thank you for your patience!!
>>
>> CORNELL INFORMATION TECHNOLOGY
>> IDENTITY MANAGEMENT
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet
>> security counter-measures.
>> _______________________________________________
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the
>nsp-security community. Confidentiality is essential for
>effective Internet security counter-measures.
>_______________________________________________
>
Do you really need to print this email? Help preserve our environment!
__________________________________________________________
The information in this message, including in all attachments, is confidential or privileged. In the event you have received this message in error and are not the intended recipient, you are hereby advised that any use, copying or reproduction of this document is strictly forbidden. Please notify immediately the sender of this error and destroy this message, including its attachments, as the case may be.
__________________________________________________________
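Added example, not code from any of the posters or from the list: a small Python triage script that does by hand what Gerard and Krista did by eye on the headers Dan quoted. It walks the Received: chain in delivery order, pulls the browser IP and authenticated account out of the SquirrelMail "with HTTP" hop (the 78.39.195.19 SMTP hop is the university server, not the attacker), reads sendmail's X-Authentication-Warning to show that the apache user, i.e. the webmail form, set the forged cornell.edu envelope sender, flags the From/Reply-To domain mismatch that points at the Yahoo! drop box, and checks the client IP against the webmail source prefixes named in the thread. The embedded headers are a trimmed copy of the ones quoted above with the archive's "at" obfuscation reverted; the blocked-prefix list is an assumption built from the ranges mentioned in the thread, not Cogeco's or Bell Aliant's real filter.

```python
"""Triage the headers of a webmail-originated phish: find the real client
behind the SquirrelMail hop, who forged the envelope sender, and whether the
client sits in a prefix we already filter from our webmail front-ends."""
import email.utils
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: a trimmed copy of the headers quoted in this thread,
# with the archive's "at" obfuscation reverted to "@". Each folded
# continuation line starts with a tab, as in the original.
SAMPLE_HEADERS = """\
Return-Path: <helpdesk@cornell.edu>
Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu [132.236.56.55])
\tby postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id m529LJ6b001802;
\tMon, 2 Jun 2008 05:21:19 -0400 (EDT)
Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7;
\tMon, 2 Jun 2008 05:17:24 -0400
Received: from cic.jsu.ac.ir (acc.jsu.ac.ir [127.0.0.1])
\tby cic.jsu.ac.ir (8.12.11/8.12.11) with ESMTP id m529G362001990;
\tMon, 2 Jun 2008 13:46:03 +0430
Received: (from apache@localhost)
\tby cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
\tMon, 2 Jun 2008 05:16:03 -0400
X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to helpdesk@cornell.edu using -f
Received: from 217.21.79.162 (SquirrelMail authenticated user moezifar)
\tby cic.jsu.ac.ir with HTTP;
\tMon, 2 Jun 2008 05:15:58 -0400 (EDT)
Message-ID: <1543.217.21.79.162.1212398158.squirrel@cic.jsu.ac.ir>
From: "CIT Contact Center (CORNELL UNIVERSITY)" <helpdesk@cornell.edu>
Reply-To: toolbasic@yahoo.com
Subject: VERIFY YOUR WEBMAIL
"""

# Assumption: the prefixes named in the thread, not anyone's real filter list.
BLOCKED_WEBMAIL_PREFIXES = [
    ipaddress.ip_network("217.21.64.0/19"),  # AS 12491 IPPlanet range Krista tracks
    ipaddress.ip_network("41.220.64.0/20"),  # AS 29465 VGC range filtered Feb 2008
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SQUIRREL_USER = re.compile(r"SquirrelMail authenticated user ([^\s)]+)")
AUTH_WARNING = re.compile(r"(\S+) set sender to (\S+) using -f")


def received_chain(raw_headers):
    """Received: headers are prepended by each hop, so the first one in the
    message is the last hop. Reverse them to get origin-to-delivery order."""
    msg = HeaderParser().parsestr(raw_headers)
    return list(reversed(msg.get_all("Received", [])))


def webmail_origin(raw_headers):
    """Return (client_ip, webmail_user) from the SquirrelMail 'with HTTP' hop.
    That IP is the browser that drove the compromised account; the SMTP hops
    only ever show the university's own mail server."""
    for hop in received_chain(raw_headers):
        user = SQUIRREL_USER.search(hop)
        if user and "with HTTP" in hop:
            ip = IPV4.search(hop)
            return (ip.group(1) if ip else None, user.group(1))
    return None


def forged_sender(raw_headers):
    """Sendmail's X-Authentication-Warning records which local account set
    the envelope sender with -f. Here it is the web server user, so the
    cornell.edu sender came from the webmail form, not from Cornell."""
    msg = HeaderParser().parsestr(raw_headers)
    m = AUTH_WARNING.search(msg.get("X-Authentication-Warning", ""))
    return (m.group(1), m.group(2)) if m else None


def reply_to_mismatch(raw_headers):
    """Return (from_domain, reply_to_domain) when they differ, else None.
    A free-mail Reply-To behind a spoofed institutional From: is the drop
    box the harvested credentials go to, and the account to get shut down."""
    msg = HeaderParser().parsestr(raw_headers)
    from_dom = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = email.utils.parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        return (from_dom, reply_dom)
    return None


def blocked_prefix(ip):
    """Name the filtered prefix containing ip, or None if it is not filtered."""
    addr = ipaddress.ip_address(ip)
    return next((str(net) for net in BLOCKED_WEBMAIL_PREFIXES if addr in net), None)


def triage(raw_headers):
    """One-shot summary suitable for an abuse report or a list posting."""
    origin = webmail_origin(raw_headers)
    return {
        "hops": len(received_chain(raw_headers)),
        "webmail_client": origin,
        "blocked_prefix": blocked_prefix(origin[0]) if origin and origin[0] else None,
        "forged_sender": forged_sender(raw_headers),
        "reply_to_mismatch": reply_to_mismatch(raw_headers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:18} {value}")
```

The SquirrelMail hop is the only one that names the browser's address and the account it logged in as, which is what the university's admins need to reset the account and what the upstream provider needs for an abuse report; the client IP here lands in 217.21.64.0/19, the same range Krista had already been watching, so the "open proxy of sorts" guess can be checked against existing webmail front-end logs before any new filter is added.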