[nsp-sec] ATTN Google, spreadsheets.google.com used in Phish

Peter Moody pmoody at google.com
Tue Mar 1 14:19:29 EST 2011


ack.

On Tue, Mar 1, 2011 at 11:12 AM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:

> ----------- nsp-security Confidential --------
>
>
> https://spreadsheets.google.com/viewform?formkey=dDdlNk5JQXBDdmt0dl9qZ2ctclBqQkE6MQ
> is hosting a phish form currently, FYI.
>
> Sample message with full headers below:
>
> >
> From esasser at wallace.edu  Tue Mar  1 09:47:03 2011
> Return-Path: <esasser at wallace.edu>
> X-Original-To: help at treqs.caltech.edu
> Delivered-To: help at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu
> (outgoing-mail.its.caltech.edu
> [131.215.239.19])
>        by jonola.caltech.edu (Postfix) with ESMTP id 7946616EFF
>        for <help at treqs.caltech.edu>; Tue,  1 Mar 2011 09:47:03
> -0800 (PST)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id CE29C3280E8
>        for <help at treqs.caltech.edu>; Tue,  1 Mar 2011 09:46:59
> -0800 (PST)
> X-Mailbox-Line: From esasser at wallace.edu  Tue Mar  1 09: 46:59 2011
> X-Original-To: help at caltech.edu
> Delivered-To: help at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id 744983280F4
>        for <help at caltech.edu>; Tue,  1 Mar 2011 09:46:59 -0800
> (PST)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: 2.404
> X-Spam-Level: **
> X-Spam-Status: No, score=2.404 tagged_above=-10000 required=5
>        tests=[HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.819,
> SNF4SA=-1.222,
>        SUBJ_ALL_CAPS=1.806] autolearn=disabled
> Received: from hermes.wallace.edu (hermes.wallace.edu
> [207.157.58.13])
>        by fire-doxen-external (Postfix) with ESMTP id 5A1DA32811F
>        for <help at caltech.edu>; Tue,  1 Mar 2011 09:46:47 -0800
> (PST)
> X-MimeOLE: Produced By Microsoft Exchange V6.5
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>        boundary="----_=_NextPart_001_01CBD838.A44EC11F"
> Subject: TECHNICAL SUPPORT TEAM
> Date: Tue, 1 Mar 2011 11:46:49 -0600
> Message-ID:
> <B7632F2E2FE9BE469C7A87B16B966A25017E15BC at hermes.main.int>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: TECHNICAL SUPPORT TEAM
> Thread-Index: AcvYOKEc7+0tUJ20R5KLxjKgfLWGsQ==
> From: "Eva Sasser" <esasser at wallace.edu>
> To: <info at web.org>
> X-TBCK-ID: cee4d70374ec968f4b91cec962c9bc85
> X-TBCK-Status: First;AllClear;0
>
> THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM This message is sent
> automatically by the computer. If you are receiving this message it
> means that your email address has been queued for deactivation; this
> was as a  result of a continuous error script (code:505)receiving
> from this email address. C
> <
> https://spreadsheets.google.com/viewform?formkey=dDdlNk5JQXBDdmt0dl9qZ2ctclBqQkE6MQ
> >
> LICK HERE
> <
> https://spreadsheets.google.com/viewform?formkey=dDdlNk5JQXBDdmt0dl9qZ2ctclBqQkE6MQ
> >
> and fillout the required field to resolve this problem
>
> Note: Failure to reset your email by ignoring this message or
> inputing wrong information will result to instant deactivation of
> this email
> address
>
>
> >
>
> --
> RuthAnne Bevier
> Information Security
> California Institute of Technology
> 626-395-2671
> ruthanne at caltech.edu
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038


