[nsp-sec] Google to the WCP for a spreadsheet take-down

Chris Morrow morrowc at ops-netman.net
Thu Jun 30 16:32:54 EDT 2011


tco

On 06/30/11 13:50, Daniel Robert Adinolfi wrote:
> ----------- nsp-security Confidential --------
> 
> Googlefolks,
> 
> Please knock down this spreadsheet.  It is being used in a phishing campaign.
> 
> <https://spreadsheets.google.com/spreadsheet/viewform?formkey=dHBZMVFyb1dtdkJhdHV3aGUtRmRCNnc6MQ>
> 
> Thanks.
> 
> -Dan
> 
> __________________________
> 
> From: Molgaard, Amy L [mailto:Amy.L.Molgaard at wv.gov]
> Sent: Wednesday, June 29, 2011 8:11 AM
> To: info at webupgrade.org
> Subject: Dear Microsoft Outlook Customer,
> 
> 
> Dear Microsoft Outlook Customer,
> 
> Your access to Outlook Web Access has been suspended due to a mix-match of
> access code between your Security details. To enable you continue accessing
> your Outlook account, it will only take you few minutes to re-activate your
> account. Click on the guide-link below and follow the directions to instant
> activation of your account and Security information
> 
> 
> CLICK HERE<https://spreadsheets.google.com/spreadsheet/viewform?formkey=dHBZMVFyb1dtdkJhdHV3aGUtRmRCNnc6MQ>
> 
> *Important*
> 
> NOTE: FAILURE CAN RESULT TO PERMANENT ACCOUNT SUSPENSION.
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________


