Educause Security Discussion mailing list archives

Re: phishing attack using copied University website


From: Martin Manjak <mm376 () ALBANY EDU>
Date: Tue, 14 Jul 2009 12:08:03 -0400

We had a very similar incident in the spring where the phishers sent a
message with a link rather than a reply-to. The link went to an exact
replica of our webmail (SquirrelMail) log-in page. Like the NCSU
incident, they were pulling the images live from our server. The page
was hosted by brinskter.net in Phoenix, AZ. Our state Cyber Security
agency was successful in contacting the hosting company to have the site
taken down.

Jonathan Byrne wrote:
On 7/13/09 4:03 PM, "TIMOTHY S GURGANUS" <tsgurgan () NCSU EDU> wrote:


NCSU email users were the target of a phishing attack last Thursday
night.  This attack was different from others we have been receiving
and I hope it is not a harbinger of things to come.  I have read of this
happening to other schools, but I'm wondering how common this attack is
versus the usual phishing that uses only email.


Interesting. I own the anti-phishing ruleset at IronPort, this is the first
instance I've seen of a decent website copy being used in a credential
phishing attack. Heretofore, it's been mostly email response, and from time
to time a fairly generic webform. Sometimes the form is sent as an
attachment with JavaScript to hand the info off to a server.

In the world of financial phishing, the copied website approach is standard,
of course, and some of the fake sites are very, very good.

We have a lot of evidence that the credential phishing attacks are mostly
being driven by 419 scammers, and my working theory for why they usually ask
for an email response is because running scams from free webmail accounts is
what 419ers know. Most of them seem to have little knowledge of technology,
being mostly old-style con men (and women) operating in a new medium.

Financial phishing, on the other hand, is mostly carried out by Russians and
other eastern Europeans, and they bring a lot more technical skill to the
table. It may be the case that they are starting to cross over to credential
phishing.

Cheers,

Jonathan


--
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN
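A defender-side check suggested by the hot-linked images both incidents describe, added here and not part of any message in the thread: it scans web-server access-log lines in the Apache "combined" format for image requests whose Referer points to a host the institution does not own, which is what a cloned log-in page pulling images live from the real server looks like. Host names and log lines are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to embed our images (assumption: the institution's own web hosts).
OWN_HOSTS = {"webmail.example.edu", "www.example.edu"}
# Static assets a cloned page would typically pull from the real site.
IMAGE_EXT = re.compile(r"\.(png|gif|jpe?g|ico|css)$", re.I)

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def hotlink_sources(log_lines):
    """Return {referer_host: request_count} for image requests whose Referer
    is a host we do not own. Requests with no Referer are ignored: browsers
    and proxies strip it often enough that its absence proves nothing."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not IMAGE_EXT.search(path):
            continue
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        host = urlparse(referer).hostname
        if host is None or host.lower() in OWN_HOSTS:
            continue
        counts[host.lower()] = counts.get(host.lower(), 0) + 1
    return counts


# Constructed sample: one legitimate page load, two image fetches triggered by a
# cloned log-in page on a foreign host, one non-image hit and one referer-less hit.
SAMPLE_LOG = [
    '198.51.100.4 - - [14/Jul/2009:10:21:02 -0400] "GET /images/sm_logo.png HTTP/1.1" 200 4211 "https://webmail.example.edu/src/login.php" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Jul/2009:10:22:31 -0400] "GET /images/sm_logo.png HTTP/1.1" 200 4211 "http://clone-host.example.net/webmail/src/login.php" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Jul/2009:10:22:40 -0400] "GET /themes/default.css HTTP/1.1" 200 1893 "http://clone-host.example.net/webmail/src/login.php" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Jul/2009:10:22:41 -0400] "GET /src/login.php HTTP/1.1" 200 2210 "http://clone-host.example.net/webmail/src/login.php" "Mozilla/5.0"',
    '192.0.2.15 - - [14/Jul/2009:10:23:05 -0400] "GET /images/sm_logo.png HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, n in sorted(hotlink_sources(SAMPLE_LOG).items()):
        print(f"{host}: {n} image request(s) with foreign Referer")
```

Run it periodically over the real webmail access log; a single foreign host accumulating many hits against the log-in page's assets is worth a look before the complaints start arriving.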
