Educause Security Discussion mailing list archives
a more elaborate spear phishing email than we have seen for a while
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Sat, 9 May 2009 09:16:45 +1200
They have gone to the trouble of getting our correct postal address... The reply-to is also interesting: help-desk () alumni com I have done a whois on this and it has been registered for a long time. www.alumni.com has a parking banner, nothing else. Russell Begin forwarded message:
From: "University () auckland ac nz" <University () auckland ac nz> Date: 9 May 2009 12:21:44 AM To: "-@.l" <-@.l> Subject: University of Auckland System Administration. Reply-To: "help-desk () alumni com" <help-desk () alumni com> Received: from UXCHANGE2.UoA.auckland.ac.nz (130.216.190.119) by uxchange7-fe1.UoA.auckland.ac.nz (130.216.190.107) with Microsoft SMTP Server id 8.1.291.1; Sat, 9 May 2009 00:22:42 +1200 Received: from harpo.itss.auckland.ac.nz ([130.216.190.13]) by UXCHANGE2.UoA.auckland.ac.nz with Microsoft SMTPSVC(6.0.3790.1830); Sat, 9 May 2009 00:22:42 +1200 Received: from localhost (localhost.localdomain [127.0.0.1]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 3378A34E3A; Sat, 9 May 2009 00:22:42 +1200 (NZST) Received: from harpo.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gU8PZzArPKG7; Sat, 9 May 2009 00:22:41 +1200 (NZST) Received: from invictus.bright.net (invictus.bright.net [209.143.0.12]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id CAB6834324; Sat, 9 May 2009 00:21:45 +1200 (NZST) Received: from [192.168.1.30] by invictus.bright.net with SMTP id <20090508122144.SECF10361.invictus@[192.168.1.30]>; Fri, 8 May 2009 08:21:44 -0400 Thread-Topic: University of Auckland System Administration. Thread-Index: AcnP16/C9RDALalFTROhKcXXVkLBuA== Message-Id: <20090508122144.SECF10361.invictus@[192.168.1.30]> Accept-Language: en-AU, en-US, en-NZ Content-Language: en-US X-Ms-Exchange-Organization-Authas: Anonymous X-Ms-Exchange-Organization-Authsource: uxchange7- fe1.UoA.auckland.ac.nz X-Originalarrivaltime: 08 May 2009 12:22:42.0164 (UTC) FILETIME=[AF3C1B40:01C9CFD7] X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz X-Spam-Status: No, score=-1.429 tagged_above=-200 required=5.5 tests=[BAYES_00=-2.599, TO_MALFORMED=1.17] X-Spam-Flag: NO X-Spam-Score: -1.429 X-Originating-Ip: [67.72.98.47] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 The University of Auckland Private Bag 92019 Victoria Street West Auckland 1142 Dear Auckland account user, Thank you for subscribing to auckland.ac.nz Internet. As part of our continuous effort in providing a higher level of service, we are pleased to inform you that we have upgrade your e-mail account and you will have to reactivate your account. To complete your account activation with us, you must reply to this email Immediately and enter your account details as requested below. First Name: Last Name: User Name/ID: Password: Retype Password: Phone number You are required to do this before the next 48 hours of receipt of this email or your account will be de-activated from our database. NOTE: You will be sent an account activation code to the Email ID you provide in the next seven (7) Working days for security reasons. It is also pertinent, you understand that our primary concern is for our customers, and for the security of their files and data. Your account can also be verified using the link below: https://mail.fmhs.auckland.ac.nz/exchweb/bin/auth/owalogon.asp?url=https://mail.fmhs.auckland.ac.nz/exchange/&reason=0 Thank you for using auckland.ac.nz.
Attachment:
smime.p7s
Description:
Current thread:
- a more elaborate spear phishing email than we have seen for a while Russell Fulton (May 08)