[nsp-sec] Yahoo phishing account
Smith, Donald
Donald.Smith at qwest.com
Thu May 22 17:46:07 EDT 2008
Joel, were the compromised accounts being exploited from 196.207.3.10?
We have seen that IP abusing the Drake webmail service to send spam that
matches Serge's spam.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: Joel Rosenblatt [mailto:joel at columbia.edu]
> Sent: Thursday, May 22, 2008 3:13 PM
> To: Serge Droz
> Cc: Smith, Donald; nsp-security NSP
> Subject: Re: [nsp-sec] Yahoo phishing account
>
> Hi Serge,
>
> Take a look at the headers on that email coming from
> drake.edu .. it most probably originated from a compromised
> account there using a web based mail system.
> You can pass the ID along to them, in case they have not
> figured it out by now.
>
> We have been seeing a lot of this .. we got hit with 3 of
> these attacks last week, 1200 emails got through and 70
> geniuses ... errr, I mean customers, actually
> replied :-)
>
> We turned off their accounts if they replied from using our
> outgoing SMTP, but had a few that replied using some other
> email system.
>
> It was a long week :-)
>
> Joel Rosenblatt
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
>
>
> --On Thursday, May 22, 2008 7:35 PM +0200 Serge Droz
> <serge.droz at switch.ch> wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > Hi Donald,
> >
> > yes, the mail looked exactly like this, and is, in fact, targeting a
> > university here. It seems to originate from drake.edu
> >
> > Cheers
> > Serge
> >
> > Smith, Donald wrote:
> >> Serge did your phishing look something like this:
> >>> Dear User
> >>>
> >>> This mail is to notify all users that the site will be undergoing
> >>> upgrade in a couple of days from now.
> >>>
> >>> Hence, as a user of our site, you are required to send us your email
> >>> account details to enable us acknowledge account activeness
> >>>
> >>> Furthermore, be informed that we will be deleting all mail account
> >>> that is not active so as to create more space for new users.
> >>>
> >>> Therefore you are advice to send us your mail account details As
> >>> requested below
> >>>
> >>> *User name:.........
> >>> *Password:..............
> >>> *Date of birth:................
> >>> *Security question:.............
> >>> *Security answer:......................
> >>>
> >>> All users are advise to complete this update.
> >>> Regards
> >>>
> >>> Mark Anderson
> >>> Tech/Maintenance officer
> >>
> >> We saw this related to universities starting about the beginning of the
> >> year but it has moved to "targeting" ISPs now.
> >> Notice they are not even personalizing the content just the from line is
> >> "personalized".
> >>
> >>
> >>
> >> Security through obscurity WORKS against some worms and ssh attacks:)
> >> Donald.Smith at qwest.com giac
> >>
> >>> -----Original Message-----
> >>> From: nsp-security-bounces at puck.nether.net
> >>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Serge Droz
> >>> Sent: Thursday, May 22, 2008 10:02 AM
> >>> To: nsp-security NSP
> >>> Subject: [nsp-sec] Yahoo phishing account
> >>>
> >
> >>> ----------- nsp-security Confidential --------
> >>>
> >>> Hello Yahoo,
> >>>
> >>> we have a phishing attack here, requiring people to submit stuff to
> >>>
> >>> Reply-To: account.desk at y7mail.com
> >>>
> >>> Could someone from yahoo please suspend this account.
> >>> We would be interested in the 'usernames' which have been compromised.
> >>>
> >>> Thanks for any help
> >>>
> >>> Serge
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> SWITCH
> >>> Serving Swiss Universities
> >>> --------------------------
> >>> Serge Droz, SWITCH-CERT
> >>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> >>> phone +41 44 268 15 63, fax +41 44 268 15 78
> >>> serge.droz at switch.ch, http://www.switch.ch
> >>>
> >>>
> >>> _______________________________________________
> >>> nsp-security mailing list
> >>> nsp-security at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/nsp-security
> >>>
> >>> Please do not Forward, CC, or BCC this E-mail outside of the
> >>> nsp-security
> >>> community. Confidentiality is essential for effective
> >>> Internet security counter-measures.
> >>> _______________________________________________
> >>>
> >>>
> >>
> >>
> >> This communication is the property of Qwest and may contain confidential or
> >> privileged information. Unauthorized use of this communication is strictly
> >> prohibited and may be unlawful. If you have received this communication
> >> in error, please immediately notify the sender by reply e-mail and destroy
> >> all copies of the communication and any attachments.
> >
> >
> > --
> > SWITCH
> > Serving Swiss Universities
> > --------------------------
> > Serge Droz, SWITCH-CERT
> > Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> > phone +41 44 268 15 63, fax +41 44 268 15 78
> > serge.droz at switch.ch, http://www.switch.ch
> >
> >
>
>
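The step Joel describes in the thread, finding local users who answered the phish through your own outgoing SMTP, can be scripted against the mail log. This is an added example, not part of the original thread; it assumes Postfix-style log lines, and the hosts, users and queue IDs in the sample are constructed placeholders (only the Reply-To address comes from the thread).

```python
import re
from collections import defaultdict

# Reply-To drop box quoted in the thread, written out as an address.
DROP_ADDRESSES = {"account.desk@y7mail.com"}

# Assumed Postfix-style syslog lines: "... postfix/<daemon>[pid]: <QUEUEID>: k=v, ..."
LINE_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"\bfrom=<([^>]*)>")
TO_RE = re.compile(r"\bto=<([^>]*)>")   # \b keeps this from matching orig_to=
STATUS_RE = re.compile(r"\bstatus=(\w+)")

# Constructed sample log; hosts, users and queue IDs are placeholders.
SAMPLE_LOG = """\
May 22 10:41:55 mx1 postfix/qmgr[2211]: 7B22D90A4E: from=<alice@example.edu>, size=1530, nrcpt=1 (queue active)
May 22 10:41:57 mx1 postfix/smtp[2301]: 7B22D90A4E: to=<account.desk@y7mail.com>, relay=relay.example.net[192.0.2.25]:25, delay=1.8, dsn=2.0.0, status=sent (250 ok)
May 22 11:05:20 mx1 postfix/qmgr[2211]: 9D0013FA62: from=<bob@example.edu>, size=900, nrcpt=1 (queue active)
May 22 11:05:21 mx1 postfix/smtp[2302]: 9D0013FA62: to=<friend@example.net>, relay=relay.example.net[192.0.2.25]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
May 22 11:30:02 mx1 postfix/qmgr[2211]: C4E5A10B77: from=<carol@example.edu>, size=1411, nrcpt=1 (queue active)
May 22 11:30:09 mx1 postfix/smtp[2303]: C4E5A10B77: to=<Account.Desk@Y7mail.com>, relay=none, delay=7, dsn=4.4.1, status=deferred (connection timed out)
"""

def find_repliers(log_text, drop_addresses=DROP_ADDRESSES):
    """Map each sender to the (queue_id, status) of mail addressed to a drop box."""
    drops = {addr.lower() for addr in drop_addresses}
    sender_by_qid = {}   # queue ID -> envelope sender
    deliveries = []      # (queue ID, status) for recipients that are drop boxes
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        sender = FROM_RE.search(rest)
        if sender:
            sender_by_qid[qid] = sender.group(1).lower()
            continue
        rcpt = TO_RE.search(rest)
        if rcpt and rcpt.group(1).lower() in drops:
            status = STATUS_RE.search(rest)
            deliveries.append((qid, status.group(1) if status else "unknown"))
    # Join on queue ID after the full pass, so line order does not matter.
    hits = defaultdict(list)
    for qid, status in deliveries:
        hits[sender_by_qid.get(qid, "<unknown>")].append((qid, status))
    return dict(hits)

if __name__ == "__main__":
    for sender, msgs in sorted(find_repliers(SAMPLE_LOG).items()):
        print(sender, msgs)
```

A deferred delivery still means the user tried to send credentials, so it is reported alongside completed ones. Replies sent through some other mail system, as Joel notes, never reach this log.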