[nsp-sec] ATTN Google: google docs site used in phish

RuthAnne Bevier ruthanne at caltech.edu
Sun Apr 10 11:46:02 EDT 2011


Site is https://spreadsheets.google.com/viewform?formkey=dGZSNVREQlhzTk1IQ3RkZmtSWUdYMkE6MQ

Sample with full headers below:


Return-path: <jlisthau at yu.edu>
X-Original-To: ecg at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1]) by
  fire-doxen-postvirus (Postfix) with ESMTP id 3AF8A328069 for
  <ecg at caltech.edu>; Sun, 10 Apr 2011 02:28:19 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -1.804
X-Spam-Status: No, score=-1.804 tagged_above=-10000 required=5
  tests=[RCVD_IN_DNSWL_LOW=-1, SNF4SA=-0.802, SPF_HELO_PASS=-0.001,
  SPF_PASS=-0.001] autolearn=unavailable
Received: from mx2.mc.yu.edu (mx2.mc.yu.edu [129.98.201.102]) by
  fire-doxen-external (Postfix) with ESMTP id E74D6328053 for
  <ecg at caltech.edu>; Sun, 10 Apr 2011 02:28:17 -0700 (PDT)
Received: from phobos.mc.yu.edu (phobos.mc.yu.edu [129.98.201.101]) by
  mx2.mc.yu.edu (Postfix) with ESMTP id 990DB9C88AC for
  <ecg at caltech.edu>; Sun, 10 Apr 2011 05:10:40 -0400 (EDT)
X-AuditID: 8162c965-a189dbb000001459-66-4da16f3645ad
Received: from fe5.prod.mis.yu.edu (deliver.mc.yu.edu [129.98.201.63]) by
  phobos.mc.yu.edu (Symantec Mail Security) with ESMTP id 32D67328003 for
  <ecg at caltech.edu>; Sun, 10 Apr 2011 04:49:58 -0400 (EDT)
Received: from fe7.prod.mis.yu.edu (fe7.prod.mis.yu.edu [10.11.12.57])
  (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
  (No client certificate requested)
  by fe5.prod.mis.yu.edu (Postfix) with ESMTPSA id 07A2B67644 for
  <ecg at caltech.edu>; Sun, 10 Apr 2011 05:10:40 -0400 (EDT)
Received: from yums.yu.edu (fe5.prod.mis.yu.edu [10.11.12.55]) by
  fe7.prod.mis.yu.edu (Postfix) with ESMTP id DE7685F70B; Sun, 10 Apr 2011
  05:09:50 -0400 (EDT)
Received: from 74.115.6.21 (SquirrelMail authenticated user jlisthau) by
  yums.yu.edu with HTTP; Sun, 10 Apr 2011 05:09:51 -0400
Message-ID: <7dc20eaeb0671fbf354abc69b5f03cc0.squirrel at yums.yu.edu>
Date: Sun, 10 Apr 2011 02:09:51 -0700
Subject: Webmail Technical Crew
From: "IT Helpdesk" <jlisthau at yu.edu>
User-Agent: SquirrelMail/1.4.19-1.fc9
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Brightmail-Tracker: AAAAAA==

Your email Has Exceeded The Set Quota/Limit Which Is 20GB.

Your Are Currently Running On 23GB Due To Hidden Files And Folder On

Your Mailbox and There Will Be An Upgrade In Our Data Base And E-mail

Center We Are Deleting All Unused Mail Accounts.You Are Required To Verify

Your Mail Account By Confirming Your Mail Identity.You are to click on
thishttps://spreadsheets.google.com/viewform?formkey=dGZSNVREQlhzTk1IQ3RkZmtSWUdYMkE6MQ
to update account now This Will

Prevent Your Mail Account From Been Closed During This Exercise

Please Validate Your Mailbox And Increase Your Quota.

Webmail Technical Crew




-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671


