Educause Security Discussion mailing list archives
Recent (since July 2013) Phishing vs. University accounts
From: Gary Warner <gar () CIS UAB EDU>
Date: Sat, 27 Jul 2013 10:03:13 -0500
I've had a few conversations lately regarding phishing sites against US-based universities that have been attacked using a very similar technique. This week we learned of a new set of phishing sites that make it even more evident that these sites may all be conclusively linked. If you are aware of a recent "university-as-victim" phishing attack, would you please reach out to me off-list? We are trying to determine how many of these cases are DEFINITELY the same bad guy and how many are merely similar.

These seemed, at face value, to be similar . . . each has a similarly structured email. In fact, I found these by doing a Google search phrase match of this phrase:

"This is an automated message to notify you that we detected a login attempt"

Each of these is a University web page warning its users about a phish:

University of Minnesota - http://blog.lib.umn.edu/it-comm/phishing/2013/07/phishing-example-9-the-umn-helpdesk.html
Clemson - http://www.clemson.edu/ccit/help_support/safe_computing/cyber_threat_alerts.html
University of Chicago - https://itservices.uchicago.edu/page/latest-email-scams
Washburn - http://blog.washburn.edu/technology/2013/07/14/multiple-reports-of-czech-republic-phishing-messages/
Kansas State U - https://blogs.k-state.edu/scams/2013/07/09/phishing-scam-7913-termination-of-your-webmail-account/

This week, a new attack against University of Minnesota was seen on a server that was simultaneously also hosting phish for

University of Southern California: blog.eurostargym.com/wp-admin/meta/usc/
Arizona State University: blog.eurostargym.com/wp-admin/meta/asu/
University of Minnesota: blog.eurostargym.com/wp-admin/meta/umn/

We have not yet conclusively linked any of the above (other than the last three, obviously).

If anyone has samples of the emails sent to employees or students, for these or any other recent University-targeted phish, please send them directly to me off-list. In the interest of not having them caught in spam filters, please forward them to my unfiltered personal email, with a subject line of "University Phishing" ==> gar () askgar com

Thank you for any assistance in this matter.

I'll go ahead and say that one technique for identifying "commonality" is a review of the "referring URLs" from the weblogs where the university logo is being pulled.

There is interest from law enforcement that we can discuss off-list if anyone is in a position to be able to help provide emails-with-headers, evidence of "abuse" of the stolen credentials, or those referring URLs with IP addresses. (Hint: the FIRST PERSON to visit your university graphic from a referring URL on a phishing site is ALMOST CERTAINLY the phisher, especially when it happens over and over again on many phishing sites from the same IP address.)

Again, some of this is quickly going to head to the "on-going investigation" level of privacy. Please go off-list if you are sharing significant attack details, but I will be happy to summarize back to the list what I can.

----------------------------------------------------------
Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu
-----------------------------------------------------------
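The referring-URL review described at the end of the post, as an added example in Python (not the author's code): it parses constructed combined-format web server log lines for hits on the university logo, keeps those whose Referer is an external host, records the first IP to load the logo from each referring URL, and reports IPs that recur as first visitor across several referring URLs. The asset path, hostnames and addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_log(lines):
    """Yield {ip, path, referer} for each line in combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def external_asset_hits(records, asset_path, own_hosts):
    """Hits on the hotlinked asset whose Referer is set and is not one of our own hosts."""
    for r in records:
        if r["path"] != asset_path or r["referer"] in ("", "-"):
            continue
        host = urlparse(r["referer"]).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in own_hosts):
            yield r

def first_visitor_by_referrer(records):
    """Referring URL -> IP that first pulled the asset from it (log lines are in time order)."""
    first = {}
    for r in records:
        first.setdefault(r["referer"], r["ip"])
    return first

def recurring_first_visitors(first, min_sites=2):
    """IPs that were first visitor on at least min_sites distinct referring URLs."""
    sites = defaultdict(set)
    for url, ip in first.items():
        sites[ip].add(url)
    return {ip: sorted(u) for ip, u in sites.items() if len(u) >= min_sites}

# Constructed sample log; hosts use .example and IPs come from RFC 5737 test ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jul/2013:09:01:10 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.umn.example/" "Mozilla/5.0"',
    '203.0.113.45 - - [22/Jul/2013:11:42:03 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://blog.compromised-site.example/wp-admin/meta/umn/" "Mozilla/5.0"',
    '198.51.100.20 - - [22/Jul/2013:11:50:17 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://blog.compromised-site.example/wp-admin/meta/umn/" "Mozilla/5.0"',
    '203.0.113.45 - - [23/Jul/2013:08:15:44 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://other-hacked-blog.example/secure/login/" "Mozilla/5.0"',
    '198.51.100.33 - - [23/Jul/2013:08:20:01 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def analyze(lines, asset_path="/images/logo.png", own_hosts=("umn.example",)):
    """Return (first visitor per external referrer, IPs recurring as first visitor)."""
    first = first_visitor_by_referrer(external_asset_hits(parse_log(lines), asset_path, own_hosts))
    return first, recurring_first_visitors(first)
```

Hits from the university's own pages and hits with no Referer are dropped, so a visitor's own logo loads never count as evidence.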