Educause Security Discussion mailing list archives

Re: Recent Phishing Uptick


From: Bob Bayn <bob.bayn () USU EDU>
Date: Wed, 19 Feb 2014 23:41:35 +0000

If the message targets your institution by name and provides a link that looks like your real login pages, then I think 
the risk is high that they are going after something like Direct Deposit changes for the victim employees. If they 
get a victim, they log in FAST with the credentials they just got and change the bank code so the next paycheck goes 
to them. They also move the deposit out of their account to other places quickly.

See the report about our victimization this way, at:
 http://it.usu.edu/computer-security/computer-security-threats/articleID=23694


Bob Bayn         SER 301         (435)797-2396       IT Security Team
Office of Information Technology,                   Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Peter Setlak 
[psetlak () COLGATE EDU]
Sent: Wednesday, February 19, 2014 4:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Recent Phishing Uptick

Over the past few weeks we saw a dramatic increase in the level and sophistication of phishing against our domain. The 
phishers used compromised accounts not only from other universities but from our own as well. They also copied some 
images from our main website as well as screen-scraped our accounts-reset page.

There seem to have been two different campaigns going, one more sophisticated than the other.

They only sent emails at night or early morning; none were sent to my inbox (security admin).

We use Google Apps and, of course, they were of no real help.

I was able to track down the logins from an IP range owned by Spotflux VPN services 
(spotflux.com). The IP range was 162.210.196.160-175.

We also saw logins from a Nigerian IP range (41.203.69.x).

After contacting their support, one of their techs was able to correlate some information and found 142 different 
machines in the Nigerian IP range were using their VPN service. He null-routed them, and it has been a few hours, but we 
have not seen any logins since.

Has anyone else seen this uptick in phishing?
Has anyone else seen these IP ranges knocking at their doors?
Has anyone else seen this scenario before?
Does anyone have suggestions for working with Google to get better reporting and options?

I would really like to see the ability to do two things through Google:

1. Deny certain IP ranges from successfully authenticating into our domain. Obviously, Google has to allow all users 
from anywhere to use their services; if I could set our App domain to automatically log someone out if they logged in from 
a certain IP range, that would be very helpful. We have no students in Nigeria (currently).

2. Pull an email from users' inboxes before they respond. In this case, perhaps the first 15 users in my domain might 
see and click on the email - hopefully at least one sends it to ITS. Then, we could pull that email from the remaining 
users' inboxes before they ever get a chance to open it.

Perhaps there is something Google offers or a Google-integrated third-party offers that would allow me to do this?

--
Thank you,

Peter J. Setlak
Network Security Analyst, GSEC, GLEG, GCPM
Colgate University
---
psetlak () colgate edu
(315) 228-7151
Case-Geyer 450
skype: petersetlak

Think Green! Please consider the environment before printing this email.

Engage with Colgate University:
News blog<http://blogs.colgate.edu/>, Twitter<https://twitter.com/#%21/colgateuniv>, 
Facebook<https://www.facebook.com/colgateuniversity>, Google+<https://plus.google.com/u/0/b/113333907606560373469/>, 
Delicious<http://www.delicious.com/colgatenewsmakers>, YouTube<http://www.youtube.com/cuatchannel13>, 
Flickr<http://www.flickr.com/photos/colgateuniversity/>, Pinterest<http://pinterest.com/colgateuniv/>, 
LinkedIn<http://www.linkedin.com/company/colgate-university/>

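Both messages above describe the same gap: the platform will not refuse a login from a given IP range, so the defender is left to find the logins after the fact and force a sign-out and reset before the attacker changes anything (Bob's direct-deposit scenario) or sends more mail from the account (Peter's campaign). The script below is an added example, not code from either poster or from Google. It expands the two ranges quoted in Peter's message (a last-octet span and a wildcard /24) and runs them over a login audit export. The CSV column layout and the log lines are constructed for illustration; a real Google Apps export uses its own format, so the parsing step is an assumption you would adapt.

```python
import csv
import io
import ipaddress

# IP ranges exactly as they are written in the thread above.
SUSPECT_RANGES = ["162.210.196.160-175", "41.203.69.x"]

# Constructed sample of a login audit export. The column layout is an
# assumption, not Google's real export format. Timestamps are UTC.
SAMPLE_LOG = """timestamp,user,ip,event
2014-02-19T02:13:44Z,alice@example.edu,162.210.196.171,login_success
2014-02-19T03:05:10Z,bob@example.edu,41.203.69.42,login_success
2014-02-19T09:30:00Z,carol@example.edu,192.0.2.10,login_success
2014-02-19T09:31:00Z,alice@example.edu,162.210.196.180,login_success
2014-02-19T10:02:17Z,bob@example.edu,41.203.69.42,login_failure
2014-02-19T23:50:00Z,dave@example.edu,41.203.70.5,login_success
"""


def parse_range(spec):
    """Expand '162.210.196.160-175' or '41.203.69.x' into an inclusive
    (first, last) pair of IPv4Address objects. Each octet may be a number,
    a 'lo-hi' span, or 'x' meaning 0-255. The result is treated as one
    contiguous address range, which is exact for a span or wildcard in the
    last octet (the two forms used in the thread)."""
    octets = spec.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"bad range spec: {spec!r}")
    first, last = [], []
    for octet in octets:
        if octet == "x":
            lo, hi = "0", "255"
        elif "-" in octet:
            lo, hi = octet.split("-", 1)
        else:
            lo = hi = octet
        first.append(lo)
        last.append(hi)
    start = ipaddress.IPv4Address(".".join(first))
    end = ipaddress.IPv4Address(".".join(last))
    if end < start:
        raise ValueError(f"range runs backwards: {spec!r}")
    return start, end


def compile_ranges(specs):
    return [parse_range(s) for s in specs]


def in_ranges(ip, ranges):
    """True if the dotted-quad string falls inside any (start, end) pair."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False  # IPv6 or garbage: cannot be one of the listed IPv4 ranges
    return any(start <= addr <= end for start, end in ranges)


def flag_logins(log_text, specs=SUSPECT_RANGES, events=("login_success",)):
    """Return the audit rows whose source IP is in one of the suspect ranges.
    Only successful logins are flagged by default; a failed attempt from the
    same range means no session exists to kill."""
    ranges = compile_ranges(specs)
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] in events and in_ranges(row["ip"], ranges):
            flagged.append(row)
    return flagged


def accounts_to_reset(flagged_rows):
    """Distinct accounts that logged in from a suspect range: the list to
    force sign-out and reset, since the platform will not refuse the login."""
    return sorted({row["user"] for row in flagged_rows})


if __name__ == "__main__":
    hits = flag_logins(SAMPLE_LOG)
    for row in hits:
        print(f"{row['timestamp']} {row['user']:<20} {row['ip']}")
    print("force sign-out / reset:", ", ".join(accounts_to_reset(hits)))
```

On the sample, the second alice login (162.210.196.180) is outside the .160-.175 span and the dave login (41.203.70.5) is in the neighbouring /24, so neither is flagged; bob's failed attempt is excluded because there is no session behind it. The point of the output being a list of accounts rather than a list of IPs is that, without an IP deny feature, the only control a domain admin has is on the account side: terminate sessions, reset the password, and check whether anything like a forwarding rule or a payroll detail changed in the window after the flagged login.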