[nsp-sec] Hotmail account used for phishing dropbox

RuthAnne Bevier ruthanne at caltech.edu
Mon Aug 30 14:23:01 EDT 2010


Microsoft or MSN folks, a Hotmail account (cumerservice at hotmail.com) 
is being used as a drop box for a phish against caltech.edu users.  
A sample with full headers is below.


>From francesspina at sbcglobal.net  Mon Aug 30 10:21:58 2010
Return-Path: <francesspina at sbcglobal.net>
X-Original-To: network at treqs.caltech.edu
Delivered-To: network at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
	by jonola.caltech.edu (Postfix) with ESMTP id EF67416EFC
	for <network at treqs.caltech.edu>; Mon, 30 Aug 2010 10:21:57 -0700 (PDT)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 88CAB3280E1
	for <network at treqs.caltech.edu>; Mon, 30 Aug 2010 10:21:57 -0700 (PDT)
X-Mailbox-Line: From francesspina at sbcglobal.net  Mon Aug 30 10:21:57 2010
X-Original-To: network at caltech.edu
Delivered-To: network at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 3AA1C2E512D7
	for <network at caltech.edu>; Mon, 30 Aug 2010 10:21:57 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -0.692
X-Spam-Level: 
X-Spam-Status: No, score=-0.692 tagged_above=-10000 required=5
	tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001,
	DK_POLICY_TESTING=0.001, DK_SIGNED=0.001, DK_VERIFIED=-0.001,
	HTML_MESSAGE=0.001, SNF4SA=-0.694] autolearn=unavailable
Received: from web80408.mail.mud.yahoo.com (web80408.mail.mud.yahoo.com [209.191.72.44])
	by fire-doxen-external (Postfix) with SMTP id 1B4F52E512D1
	for <network at caltech.edu>; Mon, 30 Aug 2010 10:21:54 -0700 (PDT)
Received: (qmail 81800 invoked by uid 60001); 30 Aug 2010 17:21:54 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net;
	s=s1024; t=1283188914;
	bh=uj7zmhFBbDBe3PFSIlUGj78pQ+9d/tCoQAHpu5LWGc8=;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
	b=ZjSDJVv9EcbnAumAhdEsAat+ZErEduNsrgwtNKBlI1xA8y+J6D6lVfC0FUNjVquRgCmbGM/7vvIR5fGnkUQLa7hYOFK7SG9boDzwhBM0l2v7oG/YgQYMNa5WvN0MouGmq1Zou7Nkn5NXDTl+t3HtM/9PiyGXfAUYgPRavQEUkF0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=s1024; d=sbcglobal.net;
	h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
	b=6IcpctAkoi5SWGcwtp0mTaSaKhVLrmPheC9lnVIjOCukDB2ISaFxHU0RVBXk1IifU+bzPj1KfyDctM2BIgVtJ0aA0sGTzWywlY3fHpsPccx0/4vN8z973xBX6KEC1G/WUWhSNcGvJi0lUYZ2dJdFvzQE2B/z+BVkB+wyzstKaP0=;
Message-ID: <42625.80017.qm at web80408.mail.mud.yahoo.com>
X-YMail-OSG: xxLlhNUVM1moKvNblW3O99FzXyyQLYJyT6q2skQDq9ynUf4
 7R3CvGpHgKsdKgKL0KL0tWOxLPLKkXKE3bBzRL71rns0sZ.WHQsQrhMfxwP3
 MMR66tW8i8d8zmH6p2mu4we5CLrbLGS2MFYm6PljnWzDup78rZVP7LxJ2WLw
 yBw7MdA1AiqVFp2R4LffLRBJkP6nrZlAPpGu4y3eD_FVP_EsAtuRAacnXN_v
 PhMPoKKbdbRGtH6UVYP2OlLseDunFokoIUe4lDEIfiU8UgoQA271Jys2r9GI
 FbojMrh9vFwIjjlCLOqGDjoK9FB3LRutaxgEKeOM9iKZEqSbUOBY7rvvWl9_
 oDiqpmISsx1_wNqCs2_vNglWLzmDIrxyU.dQRJwuPLQ_jjLuVZZx800Y-
Received: from [209.107.217.72] by web80408.mail.mud.yahoo.com via HTTP;
	Mon, 30 Aug 2010 10:21:53 PDT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Mon, 30 Aug 2010 10:21:53 -0700 (PDT)
From: E-mail Messaging Centre <francesspina at sbcglobal.net>
Reply-To: cumerservice at hotmail.com
Subject: Dear email user
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="0-1482055203-1283188913=:80017"
X-TBCK-ID: f0da3dbf5dece7a1a33622d29a10b4bc
X-TBCK-Status: First;AllClear;0

--0-1482055203-1283188913=:80017
Content-Type: text/plain; charset=iso-8859-1

Dear email user

This message is from our caltech.edu Online maintenance unit to all our email users. We are currently upgrading our data base and We are deleting several email accounts following the recent events of hackers in our database. This is intended to make extra security checks on your mailbox in order to protect your information from theft and to create more space for new accounts,we are not suppose to request for your password but due to the recent hackers list we just had you will have to confirm your account.
To prevent your account from been terminated you are advised to update your account. fill the form to update your account.

User Name:........
Password:.............
Date Of reg:...............

Warning!!! Failure to update your account on receipt of this warning will result to termination of your account.
thanks! 
--0-1482055203-1283188913=:80017
Content-Type: text/html; charset=iso-8859-1

<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;"><DIV>Dear email user</DIV>
<DIV> </DIV>
<DIV>This message is from our caltech.edu Online maintenance unit to all our email users. We are currently upgrading our data base and We are deleting several email accounts following the recent events of hackers in our database. This is intended to make extra security checks on your mailbox in order to protect your information from theft and to create more space for new accounts,we are not suppose to request for your password but due to the recent hackers list we just had you will have to confirm your account.<BR>To prevent your account from been terminated you are advised to update your account. fill the form to update your account.</DIV>
<DIV> </DIV>
<DIV>User Name:........<BR>Password:.............<BR>Date Of reg:...............</DIV>
<DIV> </DIV>
<DIV>Warning!!! Failure to update your account on receipt of this warning will result to termination of your account.<BR>thanks!
</DIV></td></tr></table>
--0-1482055203-1283188913=:80017--
---------------------------------------------------------------------------




-- 
RuthAnne Bevier
Information Security
California Institute of Technology   
626-395-2671
ruthanne at caltech.edu
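What an abuse desk pulls out of a report like this one, as an added example that is not part of the original post: the Reply-To drop box (a different domain from the From address, so the victims' replies never reach the sbcglobal.net mailbox), the DKIM signing domain (a valid signature from sbcglobal.net only shows that Yahoo/SBC signed mail sent from that account, not that the account holder is legitimate, which is why amavisd scored the message at -0.692 and let it through), the phisher's client IP from the webmail "via HTTP" Received line rather than Yahoo's own relay address, and the credential lure in the body. The sample message is constructed from the headers above with "@" restored and the signature values shortened; the function and field names are this example's own.

```python
"""Triage a reported phish from its raw message: drop box, signer, origin, lure.

Added example, not code from the nsp-sec post. SAMPLE is constructed from the
headers in the report (addresses restored to "@", signature values shortened);
the function and field names are this example's own.
"""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Received: from web80408.mail.mud.yahoo.com (web80408.mail.mud.yahoo.com [209.191.72.44])
\tby fire-doxen-external (Postfix) with SMTP id 1B4F52E512D1
\tfor <network@caltech.edu>; Mon, 30 Aug 2010 10:21:54 -0700 (PDT)
Received: (qmail 81800 invoked by uid 60001); 30 Aug 2010 17:21:54 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net;
\ts=s1024; t=1283188914; h=From:Reply-To:Subject:To; bh=uj7z...; b=ZjSD...
Received: from [209.107.217.72] by web80408.mail.mud.yahoo.com via HTTP;
\tMon, 30 Aug 2010 10:21:53 PDT
From: E-mail Messaging Centre <francesspina@sbcglobal.net>
Reply-To: cumerservice@hotmail.com
Subject: Dear email user
To: undisclosed recipients: ;
Content-Type: text/plain; charset=iso-8859-1

This message is from our caltech.edu Online maintenance unit to all our email users.
We are not suppose to request for your password but you will have to confirm your account.
User Name:........
Password:.............
Failure to update your account will result to termination of your account.
"""

# Yahoo webmail records the browser's IP in a "from [a.b.c.d] by ... via HTTP"
# Received line; that address, not Yahoo's relay, is the phisher's client.
WEBMAIL_ORIGIN = re.compile(r"^from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via HTTP", re.I)

# Phrases that mark a credential lure. Matched as substrings of the lowercased
# body, so "terminat" covers both "terminated" and "termination".
LURE_PHRASES = ("password", "confirm your account", "update your account", "terminat")


def unfold(value):
    """Collapse RFC 5322 header folding into a single line."""
    return re.sub(r"\s+", " ", value).strip()


def address_domain(header_value):
    """Domain part of the first address in a From:/Reply-To: header, lowercased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """The d= tag of the DKIM-Signature header, or None if the mail is unsigned."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", unfold(sig))
    return m.group(1).lower() if m else None


def webmail_origin(msg):
    """(client_ip, webmail_host) from the first 'via HTTP' Received line, or None."""
    for received in msg.get_all("Received", []):
        m = WEBMAIL_ORIGIN.match(unfold(received))
        if m:
            return m.group(1), m.group(2)
    return None


def plain_text(msg):
    """All text/plain bodies, decoded; handles single-part and multipart mail."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "ascii", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Summarise the indicators an abuse desk reports for a reply-to phish."""
    msg = email.message_from_string(raw_message)
    from_domain = address_domain(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    reply_domain = reply_to.rpartition("@")[2]
    signer = dkim_signing_domain(msg)
    body = plain_text(msg).lower()
    return {
        # A Reply-To: in another domain than From: is the drop box: the victims'
        # replies, credentials included, go there and never touch the From: mailbox.
        "drop_box": reply_to if reply_domain and reply_domain != from_domain else None,
        "from_domain": from_domain,
        # DKIM alignment proves the mail left that provider for that account;
        # it says nothing about who controls the account.
        "dkim_signer": signer,
        "dkim_aligned": signer is not None and signer == from_domain,
        "webmail_origin": webmail_origin(msg),
        "lure_phrases": [p for p in LURE_PHRASES if p in body],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:15} {value}")
```

The drop-box address and the client IP are what the Hotmail and Yahoo abuse desks can act on; the DKIM result is worth stating explicitly in the report because a spam filter that rewards DKIM_VERIFIED will keep passing mail like this until the sending account itself is closed.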