[nsp-sec] Google to the WCP for a spreadsheet take-down

Daniel Robert Adinolfi dra1 at cornell.edu
Thu Jun 30 13:50:59 EDT 2011


Googlefolks,

Please knock down this spreadsheet.  It is being used in a phishing campaign.

<https://spreadsheets.google.com/spreadsheet/viewform?formkey=dHBZMVFyb1dtdkJhdHV3aGUtRmRCNnc6MQ>

Thanks.

-Dan

__________________________

From: Tracy Gavich
Sent: Thursday, June 30, 2011 9:17 AM
To: Cornell IT Security Office
Subject: Possible compromise

Hello fine Security folks,

I have not contacted you before in this type of situation but being short staffed and booked this week I am. I apologize if I am not providing the correct information.

We received the following message from Jill. I let her know it was spam and not to click on it. She replied last night and said she did click on it. I have sent her the link to reset her Kerberos password. She is out of the office right now and it looks like will be attending the CIT Town Meeting. I can get a tech there this afternoon around 2pm if she can make that time. Please let me know what else I need to do on this side.

Thanks
Tracy

From: Jill Henery
Sent: Wednesday, June 29, 2011 8:39 AM
To: CIT Internal Support
Subject: FW: Dear Microsoft Outlook Customer,

I got the message below – is this spam? I had a similar message yesterday from a Michele Presnell [Michele.Presnell at yanceycountync.gov].

Jill

From: Molgaard, Amy L [mailto:Amy.L.Molgaard at wv.gov]
Sent: Wednesday, June 29, 2011 8:11 AM
To: info at webupgrade.org
Subject: Dear Microsoft Outlook Customer,


Dear Microsoft Outlook Customer,

Your access to Outlook Web Access has been suspended due to a mix-match of access code between your Security details. To enable you continue accessing your Outlook account, it will only take you few minutes to re-activate your account. Click on the guide-link below and follow the directions to instant activation of your account and Security information


CLICK HERE<https://spreadsheets.google.com/spreadsheet/viewform?formkey=dHBZMVFyb1dtdkJhdHV3aGUtRmRCNnc6MQ>

*Important*

NOTE: FAILURE CAN RESULT TO PERMANENT ACCOUNT SUSPENSION.



