[nsp-sec] Gmail dropbox in phish
CERT-UT - Peter
p.g.m.peters at utwente.nl
Wed Sep 28 04:11:40 EDT 2011
Hi,
We got a number of phish mails with a reply address of
officehelpdesk.helpdesk at gmail.com.
And according to the headers the phish came through Google too. Or are
these headers spoofed?
They did use a link to our own, real webmail server so a number of
people expected it to be real. We taught them not to click on every link
but now that the link points to us they don't seem to be careful enough
not to reply either.
Headers:
> Received: from mx.utwente.nl ([130.89.2.12]) by mail.service.utwente.nl with
> Microsoft SMTPSVC(6.0.3790.4675); Wed, 28 Sep 2011 04:55:55 +0200
> Received: from mail-wy0-f177.google.com (mail-wy0-f177.google.com
> [74.125.82.177]) by mx.utwente.nl (8.12.10/SuSE Linux 0.7) with
> ESMTP id p8S2tiM9023601 for <P.G.M.Peters at utwente.nl>; Wed, 28 Sep
> 2011 04:55:46 +0200
> Received: by mail-wy0-f177.google.com with SMTP id 11so7736816wyi.36
> for <P.G.M.Peters at utwente.nl>; Tue, 27 Sep 2011 19:55:46 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=gmail.com; s=gamma;
> h=mime-version:date:message-id:subject:from:to:content-type;
> bh=MW2Ap7KsA4bjHOz+GDcjLv9gwSsHHQtjVa/p87LVNsc=;
> b=Bs6EXj3ufg4Nv4Nsb/Mz/XJOiUcc92lWFDBIXMJO1vFectDwTfHobdBh9akljE2dQe
> SQUoZ3MwcnXxBNo1svEdKdPkACM9Lw3JwX8/QrLhsxHrkWkytjmNTjz//d6w7UkMMUgi
> EdojIWtsXDZt/bVKJA3Qb/HNcb4P8bsYzaEyc=
> Received: by 10.216.15.14 with SMTP id e14mr406341wee.21.1317178544361; Tue,
> 27 Sep 2011 19:55:44 -0700 (PDT)
> Received: by 10.216.73.16 with HTTP; Tue, 27 Sep 2011 19:55:44 -0700 (PDT)
> Date: Wed, 28 Sep 2011 03:55:44 +0100
> Message-ID: <CACx3bGOOje-2zJGuz5bVSiayYqt1c_MYHkPgTJJdOnVg+kEa4Q at mail.gmail.com>
> Subject: Mededeling van Universiteit Twente
> From: =?ISO-8859-1?Q?Universiteit_Twente_Customercare__Helpdesk_=A9_2011?=
> <officehelpdesk.helpdesk at gmail.com>
> To: undisclosed-recipients:;
> Content-Type: multipart/alternative; boundary="0016e64c0b683e190604adf787e0"
> Return-Path: officehelpdesk.helpdesk at gmail.com
> X-OriginalArrivalTime: 28 Sep 2011 02:55:55.0858 (UTC) FILETIME=[24855B20:01CC7D8A]
> MIME-Version: 1.0
--
Peter Peters
CERT-UT Officer off Duty
cert at utwente.nl http://www.utwente.nl/itsecurity
office-hours: +31 53 489 2301
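One way to approach the question raised above, as an added example that is not part of the original post: only the Received lines stamped by the receiving site's own servers can be trusted, so the sketch finds the hop where the mail entered and treats everything below it as sender-supplied. The `TRUSTED` set and the function names are assumptions; the sample is abridged from the quoted headers.

```python
import re
from email import message_from_string

# Assumption: hosts whose Received stamps we trust (the receiving site's own MTAs).
TRUSTED = {"mx.utwente.nl", "mail.service.utwente.nl"}
# Abridged from the headers quoted in the message above.
SAMPLE = """\
Received: from mx.utwente.nl ([130.89.2.12]) by mail.service.utwente.nl with
 Microsoft SMTPSVC(6.0.3790.4675); Wed, 28 Sep 2011 04:55:55 +0200
Received: from mail-wy0-f177.google.com (mail-wy0-f177.google.com
 [74.125.82.177]) by mx.utwente.nl (8.12.10/SuSE Linux 0.7) with
 ESMTP id p8S2tiM9023601; Wed, 28 Sep 2011 04:55:46 +0200
Received: by mail-wy0-f177.google.com with SMTP id 11so7736816wyi.36;
 Tue, 27 Sep 2011 19:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma
Received: by 10.216.15.14 with SMTP id e14mr406341wee.21.1317178544361;
 Tue, 27 Sep 2011 19:55:44 -0700 (PDT)
Received: by 10.216.73.16 with HTTP; Tue, 27 Sep 2011 19:55:44 -0700 (PDT)

"""

def parse_hop(value):
    """Extract the 'from' name, 'by' name and bracketed peer IP of one Received value."""
    flat = " ".join(value.split())  # unfold continuation lines
    def grab(pattern):
        m = re.search(pattern, flat)
        return m.group(1) if m else None
    return {"from": grab(r"^from\s+([^\s;]+)"),
            "by": grab(r"\bby\s+([^\s;]+)"),
            "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")}

def trust_boundary(raw, trusted=TRUSTED):
    """Return (edge, unverified). Received headers are prepended, so walk from the
    top while the stamping host is ours; the last such hop is where the mail came
    in. Lower hops are peer-supplied, even ones that claim 'by' one of our hosts."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    n = 0
    while n < len(hops) and hops[n]["by"] in trusted:
        n += 1
    return (hops[n - 1] if n else None), hops[n:]

def dkim_domain(raw):
    """Signing domain from the d= tag. Presence alone proves nothing: the
    signature must still be verified against the body and the DNS key."""
    m = re.search(r"\bd=([^;\s]+)", message_from_string(raw).get("DKIM-Signature", ""))
    return m.group(1) if m else None

if __name__ == "__main__":
    print(trust_boundary(SAMPLE)[0], dkim_domain(SAMPLE))
```

The peer IP recorded at the edge hop is the value to check against the claimed sending provider (reverse DNS, published ranges); the hops below it carry no evidential weight on their own.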