[nsp-sec] Potentially compromised email credentials
Gabriel Iovino
giovino at ren-isac.net
Fri Sep 18 16:36:06 EDT 2009
Greetings,
The REN-ISAC has obtained a list <see attached> of email addresses,
usernames, and passwords from a machine hosting a Phishing HTML form.
> [URL]hxxp://www.losnaranjos23.com/phpformgenerator/use/oncedial/form1.html
> [Status] Offline
The form was observed to be online as recently as 09/16/2009.
We have had one confirmation from a .edu that the credentials were valid
and the account was used to send spam.
If the email address is a valid email address and the password meets
your password policy, it might be a good idea to have the user reset
their password.
The ASN resolution is best effort as an MX is not always owned by the
same organization.
Please take whatever actions you deem appropriate and please let me know
if you have any questions or comments.
Regards.
Gabe
p.s. Cymru, I apologize in advance for using (whois -h whois.cymru.com)
in a script.
--
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nsp_sec_final.txt
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20090918/86068391/attachment-0001.txt>