Educause Security Discussion mailing list archives

Re: Recent Phishing Uptick

From: Brandon Hume <brandon.hume () DAL CA>
Date: Thu, 20 Feb 2014 10:03:15 -0400

On 02/19/14 10:55 PM, Gary Warner wrote:

Your "Modify the spam before delivering" trick is awesome!  Which mailsystem are you using, and can you share a bit 
more about your technique?

For those organizations using MS Office 365, it's possible to do thesame in Exchange Online, using a "Mail Flow" rule and a prependeddisclaimer. I've just implemented the same myself.

Dalhousie has seen phenomenal spike in phishing activity from Septemberthough November and again in January. The spike after Christmas meantclose to twenty accounts being shut down per week (I am not proud of ouruserbase). The culprits seemed to be the standard Nigerian gang who'sbeen working us over for close to a decade now, although I've seen moreparticipants from Malaysia and Israel. These guys seem to *know* how wework... I've even started to suspect that they've noticed the cycle inour responsiveness: they lay low when I'm on-call and they'll go at ithard when someone who's less email-oriented is carrying the pager.Swapping our schedules around trips them up.

Spam content is your typical fake lottery stuff, charities, and so on.There was a lot of leveraging going on... phishing spam sent from otherinstitutions getting our users, and then our users being used to phishother colleges and universities, in one big glorious chain of "ugh".Before Christmas, there was a lot of hostile fire aimed atblackboard.com, both in outbound phishing spam and in fake Bb sites setup in our student webspace. But that seems to have tapered off... Idon't know if Bb has changed anything on their side to make themselvesless vulnerable.

The main "new" thing we've noticed is that these guys are using theirstolen credentials with an institution's offered VPN services in orderto access stolen credentials on somebody's else's SMTP relay. Our VPNwas being used to spew to other universities, and our smtp relay wasbeing exploited from VPNs located at other .edus, for example.

A bit of trivia: I'm certain at one of these guys is named "AbdulRasheed". If you log your email destinations, you might find themtesting your outbound filters. They don't try to hide very hard... oneaddress was "hack_abdul.rasheed", another was "voyage_smtp_test", andtheir goals are pretty well explained by email addresses like"more_fundz" or "swiftcash". :P

Current thread:

Re: Recent Phishing Uptick, (continued)
- - Re: Recent Phishing Uptick Peter Setlak (Feb 19)
    - Re: Recent Phishing Uptick Bob Bayn (Feb 19)
    - Re: Recent Phishing Uptick Peter Setlak (Feb 19)
    - Re: Recent Phishing Uptick Gary Warner (Feb 19)
- Re: Recent Phishing Uptick David Curry (Feb 19)
  - Re: Recent Phishing Uptick Shettler, David (Feb 19)
    - Re: Recent Phishing Uptick Bob Bayn (Feb 19)
  - Re: Recent Phishing Uptick Bob Bayn (Feb 19)
    - Re: Recent Phishing Uptick Gary Warner (Feb 19)
    - Re: Recent Phishing Uptick Bob Bayn (Feb 19)
    - Re: Recent Phishing Uptick Brandon Hume (Feb 20)
    - Re: Recent Phishing Uptick Roger A Safian (Feb 20)
    - Re: Recent Phishing Uptick Paul Chauvet (Feb 20)
    - Re: Recent Phishing Uptick Derek Diget (Feb 20)
  - Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
    - Re: Recent Phishing Uptick David Curry (Feb 20)
    - Re: Recent Phishing Uptick Frank Barton (Feb 20)
    - Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)
    - Re: Recent Phishing Uptick David Curry (Feb 20)
    - Re: Recent Phishing Uptick Ejike, Emechete C. (Feb 20)
    - Re: Recent Phishing Uptick Joel L. Rosenblatt (Feb 20)

(Thread continues...)