[nsp-sec] Paging Yahoo! - Phishing account
Dave Mitchell
davem at yahoo-inc.com
Mon Jun 2 13:28:24 EDT 2008

As I sent out last week, the main email to send this to is
phishing-priority at cc.yahoo-inc.com. They should be able to help you out
quickly. Let me know if you have any issues.

-dave

On Mon, Jun 02, 2008 at 06:46:35AM -0400, Daniel Adinolfi wrote:
> ----------- nsp-security Confidential --------
>
> Folks,
>
> We received a very targeted phishing attempt for Cornell University
> accounts this morning. The reply-to address is
>
> toolbasic at yahoo.com.
>
> If there is someone from Yahoo! on the list, please have this account taken
> down. The email message is listed below.
>
> Thanks!
>
> -Dan
>
>
> _________________
> Daniel Adinolfi, CISSP
> Senior Security Engineer, IT Security Office
> Cornell University - Office of Information Technologies
> email: dra1 at cornell.edu phone: 607-255-7657
>
> _______________________
>
>
> Return-Path: <helpdesk at cornell.edu>
> Received: from postoffice9.mail.cornell.edu ([unix socket])
> by postoffice9.mail.cornell.edu (Cyrus v2.1.11) with LMTP; Mon, 02 Jun
> 2008 05:21:22 -0400
> Received: from hermes30.mail.cornell.edu (hermes30.mail.cornell.edu
> [132.236.56.55])
> by postoffice9.mail.cornell.edu (8.12.10/8.12.6) with ESMTP id
> m529LJ6b001802
> for <dra1 at postoffice9.mail.cornell.edu>; Mon, 2 Jun 2008 05:21:19 -0400
> (EDT)
> Received: (from daemon at localhost)
> by hermes30.mail.cornell.edu (8.13.6/8.13.6) id m529L2vA001121;
> Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
> Received: from localhost.localdomain (veronica.mail.cornell.edu
> [132.236.56.51])
> by hermes30.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id m529L04E001041;
> Mon, 2 Jun 2008 05:21:02 -0400 (EDT)
> Received: from unknown-host
> by veronica with queue (Sophos PureMessage Version 5.303) id 36055023-11;
> Mon, 02 Jun 2008 09:17:24 GMT
> Received: from veronica_tc [10.236.56.7]
> by with SMTP id ;
> Mon, 02 Jun 2008 09:17:24 GMT
> (envelope-from helpdesk at cornell.edu)
> Received: from cic.jsu.ac.ir (unknown [78.39.195.19]) by 132.236.56.7; Mon,
> 2 Jun 2008 05:17:24 -0400
> Received: from cic.jsu.ac.ir (acc.jsu.ac.ir [127.0.0.1])
> by cic.jsu.ac.ir (8.12.11/8.12.11) with ESMTP id m529G362001990;
> Mon, 2 Jun 2008 13:46:03 +0430
> Received: (from apache at localhost)
> by cic.jsu.ac.ir (8.12.11/8.12.11/Submit) id m529G3MF001921;
> Mon, 2 Jun 2008 05:16:03 -0400
> X-Authentication-Warning: cic.jsu.ac.ir: apache set sender to
> helpdesk at cornell.edu using -f
> Received: from 217.21.79.162
> (SquirrelMail authenticated user moezifar)
> by cic.jsu.ac.ir with HTTP;
> Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
> Message-ID: <1543.217.21.79.162.1212398158.squirrel at cic.jsu.ac.ir>
> Date: Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
> Subject: VERIFY YOUR WEBMAIL
> X-PH: V4.1 at hermes30
> From: "CIT Contact Center (CORNELL UNIVERSITY)" <helpdesk at cornell.edu>
> Reply-To: toolbasic at yahoo.com
> Bcc:
> User-Agent: SquirrelMail/1.4.2-3
> MIME-Version: 1.0
> Content-Type: text/plain;charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> X-Priority: 3
> Importance: Normal
> X-Original-IP: 78.39.195.19
> X-PMX-Version: 5.3.3.310218, Antispam-Engine: 2.5.2.313940, Antispam-Data:
> 2008.6.2.20419
> X-PMX-CORNELL-SPAM-CHECKED: poppy
>
> CORNELL UNIVERSITY
> CORNELL INFORMATION TECHNOLOGY
>
> Dear Subscriber,
>
>
> We are currently upgrading our database and email account center. We have
> some problems on our database and it will affect your webmail account.We
> are deleting all unused cornell.edu webmail account to create more space
> for new accounts.
> To prevent your account from closing you will have to update it below so
> that we will know that it's being used presently. In 24 hours, you may not
> be able to access your webmail
>
> CONFIRM YOUR EMAIL IDENTITY BELOW
>
> NetID: .............
> Password : .............
>
> Failure to do this will immediately render your email address deactivated
> from our database.
>
> Error Code# CL1034EDU
>
> Thank you for your patience!!
>
> CORNELL INFORMATION TECHNOLOGY
> IDENTITY MANAGEMENT
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
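
The header pattern in the quoted message (a From address in the recipient's own domain, a Reply-To at an outside mail provider, a sendmail X-Authentication-Warning about "-f", and a webmail "with HTTP" hop on a foreign host) can be checked mechanically. The following is an added example, not part of the original thread; the function names, finding labels and the sample message are constructed for illustration, with placeholder hosts and addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the quoted headers; all hosts, users and
# addresses are placeholders, not values from the original message.
SAMPLE = """\
Return-Path: <helpdesk@university.example>
X-Authentication-Warning: web.relay.example: apache set sender to
 helpdesk@university.example using -f
Received: from 192.0.2.10
 (SquirrelMail authenticated user someuser)
 by web.relay.example with HTTP;
 Mon, 2 Jun 2008 05:15:58 -0400 (EDT)
From: "IT Contact Center" <helpdesk@university.example>
Reply-To: collector@freemail.example
Subject: VERIFY YOUR WEBMAIL

NetID: .............
Password : .............
"""

def domain(value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw, local_domains):
    """Return findings for a message that claims a sender in local_domains."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    if from_dom in local_domains:
        # Replies would leave the domain the sender claims to be in.
        if reply_dom and reply_dom != from_dom:
            findings.append("reply-to-outside-sender-domain")
        # sendmail adds this warning when a local user overrides the sender with -f.
        warn = " ".join(msg.get_all("X-Authentication-Warning", []))
        if re.search(r"set sender to\s+\S+\s+using -f", warn):
            findings.append("envelope-sender-forced")
        # A "with HTTP" hop is a webmail submission; flag it when the host is foreign.
        web = [r for r in msg.get_all("Received", []) if re.search(r"\bwith HTTP\b", r)]
        if web and not any(re.search(r"\bby\s+\S*" + re.escape(from_dom), r) for r in web):
            findings.append("webmail-submission-on-foreign-host")
    # Credential prompt in the body, independent of who the sender claims to be.
    if re.search(r"(?im)^\s*password\s*:", msg.get_payload()):
        findings.append("body-requests-password")
    return findings
```

Archive copies such as this page obfuscate addresses as "user at domain", so the check is meant for raw messages at the mail gateway or in a reported-phish mailbox, not for text scraped from the list archive.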