[nsp-sec] Gmail dropbox in phish
Peter Moody
pmoody at google.com
Wed Sep 28 11:37:59 EDT 2011
ack.
On Wed, Sep 28, 2011 at 1:11 AM, CERT-UT - Peter <p.g.m.peters at utwente.nl> wrote:
> ----------- nsp-security Confidential --------
>
>
> Hi,
>
> We got a number of phish mails with a reply address of
> officehelpdesk.helpdesk at gmail.com.
>
> And according to the headers the phish came through Google too. Or are
> these headers spoofed?
>
> They did use a link to our own, real webmail server so a number of
> people expected it to be real. We taught them not to click on every link
> but now that the link points to us they don't seem to be careful enough
> not to reply either.
>
> Headers:
> > Received: from mx.utwente.nl ([130.89.2.12]) by mail.service.utwente.nl with
> >     Microsoft SMTPSVC(6.0.3790.4675); Wed, 28 Sep 2011 04:55:55 +0200
> > Received: from mail-wy0-f177.google.com (mail-wy0-f177.google.com
> >     [74.125.82.177]) by mx.utwente.nl (8.12.10/SuSE Linux 0.7) with
> >     ESMTP id p8S2tiM9023601 for <P.G.M.Peters at utwente.nl>; Wed, 28 Sep
> >     2011 04:55:46 +0200
> > Received: by mail-wy0-f177.google.com with SMTP id 11so7736816wyi.36
> >     for <P.G.M.Peters at utwente.nl>; Tue, 27 Sep 2011 19:55:46 -0700 (PDT)
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> >     d=gmail.com; s=gamma;
> >     h=mime-version:date:message-id:subject:from:to:content-type;
> >     bh=MW2Ap7KsA4bjHOz+GDcjLv9gwSsHHQtjVa/p87LVNsc=;
> >     b=Bs6EXj3ufg4Nv4Nsb/Mz/XJOiUcc92lWFDBIXMJO1vFectDwTfHobdBh9akljE2dQe
> >     SQUoZ3MwcnXxBNo1svEdKdPkACM9Lw3JwX8/QrLhsxHrkWkytjmNTjz//d6w7UkMMUgi
> >     EdojIWtsXDZt/bVKJA3Qb/HNcb4P8bsYzaEyc=
> > Received: by 10.216.15.14 with SMTP id e14mr406341wee.21.1317178544361; Tue,
> >     27 Sep 2011 19:55:44 -0700 (PDT)
> > Received: by 10.216.73.16 with HTTP; Tue, 27 Sep 2011 19:55:44 -0700 (PDT)
> > Date: Wed, 28 Sep 2011 03:55:44 +0100
> > Message-ID: <CACx3bGOOje-2zJGuz5bVSiayYqt1c_MYHkPgTJJdOnVg+kEa4Q at mail.gmail.com>
> > Subject: Mededeling van Universiteit Twente
> > From: =?ISO-8859-1?Q?Universiteit_Twente_Customercare__Helpdesk_=A9_2011?=
> >     <officehelpdesk.helpdesk at gmail.com>
> > To: undisclosed-recipients:;
> > Content-Type: multipart/alternative; boundary="0016e64c0b683e190604adf787e0"
> > Return-Path: officehelpdesk.helpdesk at gmail.com
> > X-OriginalArrivalTime: 28 Sep 2011 02:55:55.0858 (UTC) FILETIME=[24855B20:01CC7D8A]
> > MIME-Version: 1.0
>
> --
> Peter Peters
> CERT-UT Officer off Duty
> cert at utwente.nl http://www.utwente.nl/itsecurity
> office-hours: +31 53 489 2301
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
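
The quoted question, whether the headers are spoofed, comes down to which Received line was stamped by a server the recipient controls. As an added example (not part of the original thread; the sample headers, hostnames and function names are constructed assumptions), this Python code picks out that border hop and the DKIM d=/s= tags a signature check would need:

```python
import re
from email import message_from_string

# Constructed sample modelled on the shape of the quoted headers
# (hostnames, addresses and signature values are placeholders).
SAMPLE = """\
Received: from mx.example.edu ([192.0.2.12]) by mail.service.example.edu with
 Microsoft SMTPSVC; Wed, 28 Sep 2011 04:55:55 +0200
Received: from mail-out7.mailprovider.example (mail-out7.mailprovider.example
 [198.51.100.177]) by mx.example.edu (8.12.10) with ESMTP id p8S2tiM9
 for <user@example.edu>; Wed, 28 Sep 2011 04:55:46 +0200
Received: by mail-out7.mailprovider.example with SMTP id 11so77;
 Tue, 27 Sep 2011 19:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=mailprovider.example; s=gamma;
 bh=PLACEHOLDER=; b=PLACEHOLDER
Received: by 10.0.0.14 with SMTP id e14mr40; Tue, 27 Sep 2011 19:55:44 -0700
From: Helpdesk <helpdesk.dropbox@mailprovider.example>

"""

# "from <helo> ([rdns] [ip]) by <host>": the ip is what the receiver observed.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def border_hop(raw, own_suffix):
    """First Received line (top down) stamped by one of our hosts for a peer
    outside own_suffix (pass it with a leading dot). Lines below it were
    written by the sending side and may be forged; this one was not."""
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED.search(" ".join(value.split()))  # unfold first
        if m and m["by"].endswith(own_suffix) and not m["helo"].endswith(own_suffix):
            return m.groupdict()
    return None

def dkim_tags(raw):
    """DKIM-Signature split into tag=value pairs (RFC 6376 tag-list)."""
    value = message_from_string(raw).get("DKIM-Signature", "")
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def summary(raw, own_suffix):
    hop, tags = border_hop(raw, own_suffix), dkim_tags(raw)
    return {"peer_ip": hop and hop["ip"], "peer_rdns": hop and hop["rdns"],
            "dkim_domain": tags.get("d"), "dkim_selector": tags.get("s")}
```

The tags only identify which key to fetch (selector `s` under domain `d`); the signature itself still has to be verified against that key before the `d=` domain can be trusted.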