[nsp-sec] Yahoo phishing account

Joel Rosenblatt joel at columbia.edu
Thu May 22 17:12:37 EDT 2008


Hi Serge,

Take a look at the headers on that email coming from drake.edu .. it most probably originated from a compromised account there using a web based mail system.
You can pass the ID along to them, in case they have not figured it out by now.

We have been seeing a lot of this .. we got hit with 3 of these attacks last week, 1200 emails got through and 70 geniuses ... errr, I mean customers, actually replied :-)

We turned off their accounts if they replied using our outgoing SMTP, but had a few that replied using some other email system.

It was a long week :-)

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Thursday, May 22, 2008 7:35 PM +0200 Serge Droz <serge.droz at switch.ch> wrote:

> ----------- nsp-security Confidential --------
>
> Hi Donald,
>
> yes, the mail looked exactly like this, and is, in fact, targeting a
> university here. It seems to originate from drake.edu
>
> Cheers
> Serge
>
> Smith, Donald wrote:
>> Serge did your phishing look something like this:
>>> Dear User
>>>
>>> This mail is to notify all users that the site will be undergoing
>>> upgrade in a couple of days from now.
>>>
>>> Hence, as a user of our site, you are required to send us your email
>>> account details to enable us acknowledge account activeness
>>>
>>> Furthermore, be informed that we will be deleting all mail account
>>> that is not active so as to create more space for new users.
>>>
>>> Therefore you are advice to send us your mail account details As
>>> requested below
>>>
>>> *User name:.........
>>> *Password:..............
>>> *Date of birth:................
>>> *Security question:.............
>>> *Security answer:......................
>>>
>>> All users are advise to complete this update.
>>> Regards
>>>
>>> Mark Anderson
>>> Tech/Maintenance officer
>>
>> We saw this related to universities starting about the beginning of the
>> year but it has moved to "targeting" ISPs now.
>> Notice they are not even personalizing the content; just the from line is
>> "personalized".
>>
>>
>>
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac
>>
>>> -----Original Message-----
>>> From: nsp-security-bounces at puck.nether.net
>>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Serge Droz
>>> Sent: Thursday, May 22, 2008 10:02 AM
>>> To: nsp-security NSP
>>> Subject: [nsp-sec] Yahoo phishing account
>>>
>>> ----------- nsp-security Confidential --------
>>>
>>> Hello Yahoo,
>>>
>>> we have a phishing attack here, requiring people to submit stuff to
>>>
>>> Reply-To:  account.desk at y7mail.com
>>>
>>> Could someone from yahoo please suspend this account.
>>> We would be interested in the 'usernames' which have been compromised.
>>>
>>> Thanks for any help
>>>
>>> Serge
>>>
>>>
>>>
>>>
>>> --
>>> SWITCH
>>> Serving Swiss Universities
>>> --------------------------
>>> Serge Droz, SWITCH-CERT
>>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>>> phone +41 44 268 15 63, fax +41 44 268 15 78
>>> serge.droz at switch.ch, http://www.switch.ch
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the
>>> nsp-security
>>> community. Confidentiality is essential for effective
>>> Internet security counter-measures.
>>> _______________________________________________
>>>
>>>
>>
>

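An added example (not from the thread or any of its authors) of the two checks Joel describes: reading the Received chain to see where the mail entered the mail system and whether it came in through a webmail login, and scanning the outgoing relay log for local accounts that replied to the phishing Reply-To drop box. Only the Reply-To address and the drake.edu name are from the thread; the headers, hosts, addresses and log lines are constructed.

```python
import email
import re

# Constructed sample headers (only the Reply-To is from the thread; hosts,
# IPs and addresses are invented). The earliest hop shows a webmail login.
RAW_PHISH = """\
Received: from webmail.drake.edu (webmail.drake.edu [203.0.113.5])
\tby mx.example.ch with ESMTP id k4M7x1; Thu, 22 May 2008 09:55:01 +0200
Received: from [198.51.100.77] by webmail.drake.edu with HTTP;
\tThu, 22 May 2008 03:54:40 -0500
From: "Mark Anderson" <someone@drake.edu>
Reply-To: account.desk@y7mail.com

Dear User ...
"""

def trace_origin(raw):
    """Reply-To drop box, the earliest Received hop (last header in file order,
    i.e. where the mail entered the mail system) and whether it was a webmail login."""
    msg = email.message_from_string(raw)
    hops = msg.get_all("Received") or []
    first_hop = " ".join(hops[-1].split()) if hops else ""   # unfold the header
    return {
        "reply_to": msg["Reply-To"].strip(),
        "first_hop": first_hop,
        "webmail": bool(re.search(r"\bwith HTTP\b", first_hop, re.I)),
    }

# Constructed Postfix-style outbound relay log: sender and recipient of one
# message are logged on separate lines, tied together by the queue ID.
OUTBOUND_LOG = """\
May 22 10:15:02 out postfix/qmgr[101]: 7A1B2C: from=<alice@example.edu>, size=812
May 22 10:15:03 out postfix/smtp[202]: 7A1B2C: to=<account.desk@y7mail.com>, status=sent
May 22 10:16:11 out postfix/qmgr[101]: 9D3E4F: from=<bob@example.edu>, size=1200
May 22 10:16:12 out postfix/smtp[202]: 9D3E4F: to=<friend@example.net>, status=sent
May 22 10:17:41 out postfix/smtp[202]: 5F6A7B: to=<Account.Desk@y7mail.com>, status=sent
May 22 10:17:40 out postfix/qmgr[101]: 5F6A7B: from=<carol@example.edu>, size=790
"""

def find_responders(log_text, drop_box):
    """Local senders whose outbound mail went to the phishing Reply-To address,
    correlating from= and to= by queue ID regardless of line order or case."""
    senders, targets = {}, set()
    for qid, kind, addr in re.findall(r": ([0-9A-F]+): (from|to)=<([^>]*)>", log_text):
        if kind == "from":
            senders[qid] = addr
        elif addr.lower() == drop_box.lower():
            targets.add(qid)
    return sorted(senders[q] for q in targets if q in senders)
```

The list returned by `find_responders` is the set of accounts to lock and re-credential; replies sent through an outside mail system, as Joel notes, will not appear in this log.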