[nsp-sec] ATTN: Google - phish using Google docs

Peter Moody pmoody at google.com
Fri Oct 28 00:18:55 EDT 2011


Hitting the "report abuse" link at the bottom is the quickest way to get
these shuttered.

Cheers,
peter

On Thu, Oct 27, 2011 at 9:14 PM, Jon K. Miyake <miyake at uoregon.edu> wrote:

> ----------- nsp-security Confidential --------
>
> Issue was sent to abuse at google.com and reported via the Docs abuse link
> yesterday.  Link is still live as of this evening.
>
>
> https://docs.google.com/spreadsheet/viewform?formkey=dGhGTVpkSlV2YlRsdGpCaExWcFpBUlE6MQ
>
> Thanks,
> -miyake
>
> ----------------------------------------------------------------------
> Return-Path: <helpdesk at uoregon.edu>
> Received: from pps.reinject (localhost [127.0.0.1])
>        by smtp.uoregon.edu (8.14.5/8.14.5) with ESMTP id p9Q13UN2000438
>        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
>        Tue, 25 Oct 2011 18:03:30 -0700
> Received: from oh-mserv1 (localhost [127.0.0.1])
>        by pps.reinject (8.14.1/8.14.1) with SMTP id p9Q13UA6000432;
>        Tue, 25 Oct 2011 18:03:30 -0700
> Received: from flawless.hostnac.com (flawless.hostnac.com [67.23.244.186])
>        by smtp.uoregon.edu with ESMTP id p9Q13P25000410
>        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
>        Tue, 25 Oct 2011 18:03:29 -0700
> Received: from localhost.localdomain ([127.0.0.1]:33443 helo=localhost)
>        by flawless.hostnac.com with esmtpsa (TLSv1:AES256-SHA:256)
>        (Exim 4.69)
>        (envelope-from <helpdesk at uoregon.edu>)
>        id 1RIrtk-00080l-QU; Tue, 25 Oct 2011 21:03:16 -0400
> Received: from 74.115.6.49 ([74.115.6.49]) by kaspi.edu.az (Horde
> Framework) with HTTP; Tue, 25 Oct 2011 21:03:16 -0400
> Message-ID: <20111025210316.757938pq3i3p0e38 at kaspi.edu.az>
> Date: Tue, 25 Oct 2011 21:03:16 -0400
> From: Helpdesk Office <helpdesk at uoregon.edu>
> To: undisclosed-recipients:;
> Subject: UPDATE YOUR WEBMAIL NOW
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_4o1edux9vw2c"
> Content-Transfer-Encoding: 7bit
> User-Agent: Internet Messaging Program (IMP) H3 (4.3.9)
> X-AntiAbuse: This header was added to track abuse, please include it
> with any abuse report
> X-AntiAbuse: Primary Hostname - flawless.hostnac.com
> X-AntiAbuse: Original Domain - uoregon.edu
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - uoregon.edu
> X-Proofpoint-Virus-Version: vendor=fsecure
> engine=2.50.10432:5.4.6813,1.0.211,0.0.0000
> definitions=2011-10-25_07:2011-10-25,2011-10-25,1970-01-01 signatures=0
> X-Proofpoint-Spam-Reason: safe
>
> This message is in MIME format.
>
> --=_4o1edux9vw2c
> Content-Type: text/plain;
> charset=ISO-8859-1
> Content-Description: Plaintext Version of Message
> Content-Disposition: inline
> Content-Transfer-Encoding: 7bit
>
>
>
> Dear Webmail User,
>
> With Due respect, The Webmail Technical Crew is Presently Under going
> Account's Update which will help the Webmail service to be very much Active
> and better and your Account that has Exceeded it's Quota's. You are hereby
> Requested to Update your Account Now in order not to loose your webmail
> Account, To Update your Account now do make sure youClick Here[1]
> UPDATE YOUR WEBMAIL NOW
> Failure to Update your webmail account Now will resolve to Loosing your
> Webmail Account.
> Thanks,
> WEBMAIL TECHNICAL CREW
>
> Links:
> ------
> [1]
>
> https://docs.google.com/spreadsheet/viewform?formkey=dGhGTVpkSlV2YlRsdGpCaExWcFpBUlE6MQ
>
> --=_4o1edux9vw2c
> Content-Type: text/html;
> charset=ISO-8859-1
> Content-Description: HTML Version of Message
> Content-Disposition: inline
> Content-Transfer-Encoding: 7bit
>
> <p
> class="imp-signature"><!--begin_signature--><!--end_signature--></p>Dear
> Webmail User,<br />
>  <div> <br />
> With Due respect, The Webmail Technical Crew is Presently Under going<br />
> Account's Update which will help the Webmail service to be very much
> Active<br />
> and better and your Account that has Exceeded it's Quota's. You are
> hereby<br />
> Requested to Update your Account Now in order not to loose your
> webmail<br />
> Account, To Update your Account now do make sure you</div><a
> href="
> https://docs.google.com/spreadsheet/viewform?formkey=dGhGTVpkSlV2YlRsdGpCaExWcFpBUlE6MQ
> "
> target="_blank" rel="nofollow">Click Here</a><br />UPDATE YOUR WEBMAIL
> NOW<br />
> Failure to Update your webmail account Now will resolve to Loosing
> your<br />
> Webmail Account.<br />
> Thanks,<br />
> WEBMAIL TECHNICAL CREW
> --=_4o1edux9vw2c--
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
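
A triage check for the pattern visible in the quoted message (a From address in the recipient's own domain, handed to the local MTA by an outside host, with a link to a hosted form), as an added example that is not part of the original thread. The function names and LOCAL_DOMAIN are illustrative, and the sample is constructed from the quoted headers with a placeholder formkey.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "uoregon.edu"  # recipient organisation's domain, as in the quoted message
# Matches "from <helo> (<rdns> [<ip>]) by <host>" inside a Received header.
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")
FORM_LINK = re.compile(r"https://docs\.google\.com/spreadsheet/viewform\?formkey=[\w-]+")
# Constructed sample modelled on the quoted headers; the formkey is a placeholder.
SAMPLE = """\
Received: from pps.reinject (localhost [127.0.0.1])
 by smtp.uoregon.edu (8.14.5/8.14.5) with ESMTP id p9Q13UN2000438
Received: from flawless.hostnac.com (flawless.hostnac.com [67.23.244.186])
 by smtp.uoregon.edu with ESMTP id p9Q13P25000410
From: Helpdesk Office <helpdesk@uoregon.edu>
Subject: UPDATE YOUR WEBMAIL NOW

To Update your Account now Click Here:
https://docs.google.com/spreadsheet/viewform?formkey=PLACEHOLDER
"""

def in_domain(host, domain):
    return host.lower() == domain or host.lower().endswith("." + domain)

def first_external_hop(msg, domain=LOCAL_DOMAIN):
    """Return (rdns, ip) of the first outside host that handed mail to our MTA."""
    for value in msg.get_all("Received", []):  # newest header first
        m = HOP.search(value)
        if not m:
            continue
        rdns, ip, by_host = m.groups()
        if not in_domain(by_host, domain):
            break  # header not written by our MTA, so not trustworthy
        if ipaddress.ip_address(ip).is_loopback or in_domain(rdns, domain):
            continue  # internal reinjection or relay, as recorded by our MTA
        return rdns, ip
    return None

def triage(raw, domain=LOCAL_DOMAIN):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = first_external_hop(msg, domain)
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    return {
        "external_hop": hop,
        "local_from_via_external": hop is not None and in_domain(from_domain, domain),
        "form_links": FORM_LINK.findall(body),
    }
```

A message that sets both local_from_via_external and a non-empty form_links is a candidate for quarantine and for an abuse report with full headers attached.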


