[nsp-sec] Google to the WCP - Phishing -[Reply-To: wesu20 at gmail.com]
Peter Moody
pmoody at google.com
Wed Aug 4 13:00:57 EDT 2010
ack.
On Wed, Aug 4, 2010 at 7:22 AM, Gabriel Iovino <giovino at ren-isac.net> wrote:
> ----------- nsp-security Confidential --------
>
> Hello,
>
> ksu.edu asked if I could pass the following email account along.
>
> Reply-To: wesu20 at gmail.com
>
> Apparently it has been used in Phishing attempts for two months and is
> responsible for over 20 compromised accounts at ksu.edu.
>
> Thanks
>
> Gabe
>
> --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
>
> Sample email below:
>
>> From: KSU Webmaster <webmaster at ksu.edu.tr>
>> Date: June 12, 2010 1:33:32 PM CDT
>> To: undisclosed-recipients:;
>> Subject: KSU Account Verification
>> Reply-To: wesu20 at gmail.com
>> return-path: webmaster at ksu.edu.tr
>> received: from 198.108.65.49 (LHLO ksu-mta06.merit.edu)
>> (198.108.65.49) by ksu-mailstore01.merit.edu with LMTP; Sat, 12 Jun
>> 2010 14:41:29 -0400 (EDT)
>> received: from localhost (localhost.localdomain [127.0.0.1]) by
>> ksu-mta06.merit.edu (Postfix) with ESMTP id 6FA6357D99; Sat, 12 Jun
>> 2010 14:45:12 -0400 (EDT)
>> received: from ksu-mta06.merit.edu ([127.0.0.1]) by localhost
>> (ksu-mta06.merit.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
>> id FMMuCL8jx212; Sat, 12 Jun 2010 14:45:12 -0400 (EDT)
>> received: from webserver.mca.gov.py (muni-edif.netvision.com.py
>> [200.1.200.230]) by ksu-mta06.merit.edu (Postfix) with ESMTPS id
>> 343CD57DAD; Sat, 12 Jun 2010 14:45:09 -0400 (EDT)
>> received: from localhost (webmail.netvision.com.py [200.1.200.27]) by
>> webserver.mca.gov.py (8.13.8/8.13.1) with ESMTP id o5CIW8G5009676;
>> Sat, 12 Jun 2010 14:32:09 -0400
>> received: from 201.217.49.57 ([201.217.49.57]) by
>> webmail.netvision.com.py (Horde Framework) with HTTP; Sat, 12 Jun 2010
>> 14:33:32 -0400
>> x-virus-scanned: amavisd-new at ksu-mta06.merit.edu
>> x-spam-flag: NO
>> x-spam-score: -0.722
>> x-spam-status: No, score=-0.722 tagged_above=-10 required=5
>> tests=[AWL=1.877, BAYES_00=-2.599] autolearn=ham
>> message-id: <20100612143332.16745x6c0ilj5rsw at webmail.netvision.com.py>
>> mime-version: 1.0
>> content-type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
>> content-disposition: inline
>> content-transfer-encoding: 7bit
>> user-agent: Internet Messaging Program (IMP) H3 (4.3.7)
>> x-spamtest-envelope-from: webmaster at ksu.edu.tr
>> x-spamtest-group-id: 00000000
>> x-spamtest-info: Profiles 14160 [Jun 12 2010]
>> x-spamtest-info: helo_type=10
>> x-spamtest-info: {TO: undisclosed}
>> x-spamtest-method: none
>> x-spamtest-rate: 35
>> x-spamtest-spf: softfail
>> x-spamtest-status: Not detected
>> x-spamtest-status-extended: not_detected
>> x-spamtest-version: SMTP-Filter Version 3.0.0 [0284], KAS30/Release
>> x-anti-virus: Kaspersky Anti-Virus for Sendmail with Milter API
>> 5.6.20, bases: 20100612 #4261753, check: 20100612 clean
>>
>> Dear KSU Webmail User,
>>
>> Due to excess abandoned KSU Webmail Account, KSU Webmaster has decided
>> to refresh the database and to delete inactive accounts to create
>> space for fresh users. To verify your KSU Webmail Account, you must
>> reply to this email immediately and provide the information below
>> correctly:
>>
>> Email:
>> Password:
>> Verify Password:
>>
>> Failure to do this will immediately render your KSU Webmail Account
>> deactivated from our system. KSU Webmail Database refreshing shall
>> commence once a response is not received within 48hrs.
>>
>> Thanks You!
>> KSU Webmaster
>> KSU International
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
--
Peter Moody Google 1.650.253.7306
Network Security Engineer pgp:0xC3410038
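Added example (my own, not part of the original post or of the list): header-only triage heuristics a mail administrator could run over the sample quoted above, with the quoted headers re-joined onto single lines, "@" restored, and ksu.edu assumed as the organisation's own domain. The originating hop is the oldest Received line, here the Horde webmail submission from 201.217.49.57.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the report above, re-joined onto
# single lines with "at" restored to "@" (not the archive page's own text).
SAMPLE = """\
From: KSU Webmaster <webmaster@ksu.edu.tr>
To: undisclosed-recipients:;
Subject: KSU Account Verification
Reply-To: wesu20@gmail.com
Received: from 198.108.65.49 (LHLO ksu-mta06.merit.edu) (198.108.65.49) by ksu-mailstore01.merit.edu with LMTP; Sat, 12 Jun 2010 14:41:29 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by ksu-mta06.merit.edu (Postfix) with ESMTP id 6FA6357D99; Sat, 12 Jun 2010 14:45:12 -0400 (EDT)
Received: from webserver.mca.gov.py (muni-edif.netvision.com.py [200.1.200.230]) by ksu-mta06.merit.edu (Postfix) with ESMTPS id 343CD57DAD; Sat, 12 Jun 2010 14:45:09 -0400 (EDT)
Received: from localhost (webmail.netvision.com.py [200.1.200.27]) by webserver.mca.gov.py (8.13.8/8.13.1) with ESMTP id o5CIW8G5009676; Sat, 12 Jun 2010 14:32:09 -0400
Received: from 201.217.49.57 ([201.217.49.57]) by webmail.netvision.com.py (Horde Framework) with HTTP; Sat, 12 Jun 2010 14:33:32 -0400
X-Spamtest-SPF: softfail

"""

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def domain_of(header_value):
    """Bare, lower-cased domain of the first address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def originating_ip(msg):
    """IP in the 'from' clause of the oldest Received hop (the last one, since
    each MTA prepends its own). Only hops written by your own MTAs are
    trustworthy; anything older can be forged by the sender."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    m = IP_RE.search(hops[-1].split(" by ")[0])
    return m.group(0) if m else None

def phishing_indicators(raw, org_domain):
    """Header-only triage for the quoted pattern: (originating IP, flags)."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if from_dom != org_domain and from_dom.startswith(org_domain):
        flags.append(f"sender domain {from_dom} resembles {org_domain}")
    if reply_dom and reply_dom != from_dom:  # replies are diverted elsewhere
        flags.append(f"reply-to {reply_dom} differs from sender {from_dom}")
    if "undisclosed" in (msg["To"] or "").lower():
        flags.append("bulk send to undisclosed recipients")
    if (msg["X-Spamtest-SPF"] or "").lower() == "softfail":
        flags.append("SPF softfail for sender domain")
    return originating_ip(msg), flags
```

The Reply-To check is the one that catches this campaign: the victim never needs to click anything, so URL-based filters see nothing.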