Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT
I don't trust it: yahoo address, not nanog. Passwords asked???

Kind regards
Peter

-------- Original Message --------
Return-Path: <accountupgrating@merit.edu>
X-Flags: 1000
Delivered-To: GMX delivery to peter@peter-dambier.de
Received: (qmail invoked by alias); 24 May 2008 09:21:30 -0000
Received: from post2.tau.ac.il (EHLO post.tau.ac.il) [132.66.3.221] by mx0.gmx.net (mx059) with SMTP; 24 May 2008 11:21:30 +0200
Received: from localhost (unknown [127.0.0.1]) by post.tau.ac.il (Postfix) with ESMTP id 6E25874294; Sat, 24 May 2008 09:21:28 +0000 (UTC)
Received: from post.tau.ac.il ([127.0.0.1]) by localhost (post2.tau.ac.il [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRIT3G8U5W+e; Sat, 24 May 2008 12:21:28 +0300 (IDT)
Received: from localhost (webmail.tau.ac.il [132.66.16.180]) by post.tau.ac.il (Postfix) with ESMTP id BB5E0741CE; Sat, 24 May 2008 12:21:27 +0300 (IDT)
Received: from 62.32.32.77 ([62.32.32.77]) by webmail.tau.ac.il (Horde MIME library) with HTTP; Sat, 24 May 2008 12:21:27 +0300
Message-ID: <20080524122127.5ns0jelzhss4gc40@webmail.tau.ac.il>
Date: Sat, 24 May 2008 12:21:27 +0300
From: webmaster1@merit.edu <accountupgrating@merit.edu>
Reply-to: upgradingaccount08@yahoo.com
To: undisclosed-recipients:;
Subject: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

This email is to inform all our {www.merit.edu} users that we will be upgrading our site in a couple of days from now. So you as a user of our site, you are required send us your Email account details so as to enable us know if you are still making use of your email box. Further be informed that we will be deleting all email account that is not functioning so as to create more space for new user. So you are to send us your email account details which are as follows:

*User name in full :.........................
*Email in full :.........................
*Password:.......................................
*Date of birth: ...............................
*Security question :.........................
*Security answer:……......................

Any email user that refuses to send his/her details within the next two (2) days of receipt this mail, his/her mail account will be deleted from the site.

Webmaster Team

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
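The headers Peter forwarded carry the indicators he is reacting to (a yahoo.com Reply-To behind a merit.edu From) and one more that the later replies in this thread explain: the earliest Received hop is "with HTTP" via a Horde webmail host at tau.ac.il, i.e. the message was typed or scripted into someone else's compromised webmail account. The script below is an added example, not code from the thread or from any poster; SAMPLE_PHISH reconstructs the quoted headers with a shortened body, while SAMPLE_LEGIT, the indicator list and the credential-field phrases are my own assumptions.

```python
"""Triage a suspected phish by its headers and body (added example, not code
from the NANOG thread). SAMPLE_PHISH reconstructs the headers quoted above
with a shortened body; SAMPLE_LEGIT, the indicator list and the credential
phrases are my own assumptions."""
import email
import re

SAMPLE_PHISH = """\
Received: from post2.tau.ac.il (EHLO post.tau.ac.il) [132.66.3.221] by mx0.gmx.net (mx059) with SMTP; 24 May 2008 11:21:30 +0200
Received: from localhost (unknown [127.0.0.1]) by post.tau.ac.il (Postfix) with ESMTP id 6E25874294; Sat, 24 May 2008 09:21:28 +0000 (UTC)
Received: from post.tau.ac.il ([127.0.0.1]) by localhost (post2.tau.ac.il [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRIT3G8U5W+e; Sat, 24 May 2008 12:21:28 +0300 (IDT)
Received: from localhost (webmail.tau.ac.il [132.66.16.180]) by post.tau.ac.il (Postfix) with ESMTP id BB5E0741CE; Sat, 24 May 2008 12:21:27 +0300 (IDT)
Received: from 62.32.32.77 ([62.32.32.77]) by webmail.tau.ac.il (Horde MIME library) with HTTP; Sat, 24 May 2008 12:21:27 +0300
From: webmaster1@merit.edu <accountupgrating@merit.edu>
Reply-to: upgradingaccount08@yahoo.com
To: undisclosed-recipients:;
Subject: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

So you are to send us your email account details which are as follows:
*User name in full :.........................
*Password:.......................................
*Security question :.........................
*Security answer:.........................
"""
SAMPLE_LEGIT = """\
Received: from mail.example.edu (mail.example.edu [203.0.113.5]) by mx.example.org (Postfix) with ESMTPS id 0123ABCD; Sat, 24 May 2008 12:00:00 +0000
From: IT Helpdesk <helpdesk@example.edu>
To: user@example.org
Subject: Scheduled maintenance

Mail will be unavailable Sunday 02:00-04:00. No action is required.
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.I)
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
# Field names a credential-harvesting form asks for, one per line (assumption).
CREDENTIAL_FIELDS = re.compile(
    r"^\*?\s*(password|user ?name|security (?:question|answer)|date of birth)\b", re.I | re.M)
LOCAL_PREFIXES = ("127.", "10.", "192.168.")  # enough for this example

def split_address(value):
    """(display, addr). Hand-rolled: the sample From has an unquoted '@' in its
    display name, which email.utils.parseaddr handles differently across versions."""
    value = " ".join(value.split())
    m = ANGLE_ADDR.search(value)
    return (value[:m.start()].strip().strip('"'), m.group(1)) if m else ("", value)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def in_domain(host, dom):
    host = host.lower()
    return bool(dom) and (host == dom or host.endswith("." + dom))

def parse_received(raw):
    """from/by/with tokens and the client IP of one Received header."""
    text = " ".join(raw.split())
    m = HOP.match(text)
    if not m:
        return None
    from_host, extra, by_host = m.groups()
    with_m, ip_m = WITH.search(text), IPV4.search(from_host + " " + extra)
    return {"from": from_host, "by": by_host, "ip": ip_m and ip_m.group(1),
            "with": with_m.group(1).upper() if with_m else None}

def transit_path(raw_message):
    """Received hops in travel order, earliest first (MTAs prepend, so header
    order is newest-first)."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    return [h for h in map(parse_received, reversed(received)) if h]

def first_external_hop(hops):
    """First hop whose client is not loopback/private: where the message entered."""
    return next((h for h in hops if h["ip"] and not h["ip"].startswith(LOCAL_PREFIXES)), None)

def triage(raw_message):
    """Gather the indicators the thread's posters pointed at; score = their count."""
    msg = email.message_from_string(raw_message)
    display, from_addr = split_address(msg.get("From", ""))
    reply_dom = domain_of(split_address(msg.get("Reply-To", ""))[1])
    from_dom = domain_of(from_addr)
    origin = first_external_hop(transit_path(raw_message))
    body = "" if msg.is_multipart() else msg.get_payload()
    fields = sorted({m.group(1).lower() for m in CREDENTIAL_FIELDS.finditer(body)})
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if "@" in display and display.lower() != from_addr.lower():
        findings.append(f"display name {display!r} looks like an address; real sender is {from_addr}")
    if origin and origin["with"] == "HTTP":
        findings.append(f"submitted through webmail on {origin['by']} from {origin['ip']}")
    if origin and not (in_domain(origin["from"], from_dom) or in_domain(origin["by"], from_dom)):
        findings.append(f"entered the mail system at {origin['by']} (client {origin['from']}), outside {from_dom}")
    if fields:
        findings.append("body solicits: " + ", ".join(fields))
    if msg.get("To", "").lower().startswith("undisclosed-recipients"):
        findings.append("addressed to undisclosed-recipients")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "origin_ip": origin["ip"] if origin else None,
            "origin_host": origin["by"] if origin else None,
            "credential_fields": fields, "findings": findings, "score": len(findings)}

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw)["score"], *triage(raw)["findings"], sep="\n  ")
```

One caveat on the hop walk: only the Received line stamped by your own MX (here mx0.gmx.net, recording the connection from 132.66.3.221) is trustworthy; everything below it was written by the sending side and can be forged. In this case the GMX stamp corroborates the tau.ac.il origin, so the "with HTTP" hop is good evidence of the compromised-webmail pattern described later in the thread.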
On Sat, 2008-05-24 at 17:02 +0200, Peter Dambier wrote:
I don't trust it:

Quite right too, it's a spear-phishing attack. This is currently an almost daily occurrence for .edu domains. The compromised accounts are frequently abused via webmail systems, being used to send out more scams.

The scammers responsible are also targeting UK higher ed institutions, with a limited degree of success. I can't really speak for my US counterparts with regard to the success of the attacks, but one would surmise that it's more or less the same. To paraphrase badly:

All users are gullible, but some are more gullible than others.

-g
On Sat, 24 May 2008 17:14:33 +0100 Graeme Fowler <graeme@graemef.net> wrote:
On Sat, 2008-05-24 at 17:02 +0200, Peter Dambier wrote:
I don't trust it:
Quite right too, it's a spear-phishing attack. This is currently an almost daily occurrence for .edu domains.
The compromised accounts are frequently abused via webmail systems, being used to send out more scams.
The scammers responsible are also targeting UK higher ed institutions, with a limited degree of success. I can't really speak for my US counterparts with regards the success of the attacks, but one would surmise that it's more or less the same. To paraphrase badly:
All users are gullible, but some are more gullible than others.
-g
As a US EDU, I can attest to the fact that a handful of our webmail accounts have been compromised and subsequently used to send out these types of phishing attacks. We never figured out how the accounts were compromised. I suspect users with hand-held devices are being snooped when they use IMAP. Our webmail is SSL, but not IMAP.

Most of the spammers' messages appear as though someone is manually using cut & paste to generate the spam, not anything automated (based on the rate messages go out). Seems rather tedious.

matthew black
e-mail postmaster
network services
california state university, long beach
We never figured out how the accounts were compromised. I suspect
Another .edu here... How we've seen it happen is: we get blasted by one of those "verify your email account" messages. Despite our countless efforts at user education about responding to this stuff, a dozen or so people always do (we try to configure outbound filters to catch it, but don't always do so in time). These accounts are then used by automated scripts to hammer on our webmail (and ours is https, forced).
Most of the spammers' messages appear as though someone is manually using cut & paste to generate the spam, not anything automated (based on the rate messages go out).
When we've had it happen, the messages are being relayed at a rate of ~10,000/hr. Note that the messages sent *after* the compromise are NOT more of the "verify your account" type... they're run-of-the-mill pill and watch adverts. The original "verify your account" stuff comes in from various botnet PCs.

Cheers,
Michael Holstein
Cleveland State University
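The relay pattern Michael describes (a harvested account suddenly pushing on the order of 10,000 messages an hour through webmail, driven by scripts rather than a person at a keyboard) is detectable from the submission log of the webmail or MTA host well before the outbound queue fills. The following is an added example, not code from the thread or from any poster's site: the log line format, the thresholds and the two sample accounts are constructed for the example, and a real deployment would replace parse_line() with one matching its own logs.

```python
"""Flag webmail accounts that are being used to relay spam (added example, not
code from the NANOG thread). The log format and thresholds are my own
assumptions; real webmail/MTA logs differ, so adapt parse_line()."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) rcpts=(?P<rcpts>\d+)$")
TS = "%Y-%m-%dT%H:%M:%S"

def parse_line(line):
    """One submission log record -> dict, or None for anything unparseable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS), "account": m["account"],
            "src": m["src"], "rcpts": int(m["rcpts"])}

def detect(lines, window=timedelta(minutes=10), max_msgs=50, max_rcpts=200):
    """Sliding-window counters per account; returns the first alert per account.

    An alert fires when, inside `window`, an account has submitted more than
    max_msgs messages or addressed more than max_rcpts recipients. Lines are
    assumed to be in time order. The distinct client IPs in the window are
    reported because a scripted relay tends to come from more than one."""
    recent = defaultdict(deque)   # account -> deque of (ts, rcpts, src)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["account"]]
        q.append((ev["ts"], ev["rcpts"], ev["src"]))
        while ev["ts"] - q[0][0] > window:      # drop events older than the window
            q.popleft()
        msgs, rcpts = len(q), sum(r for _, r, _ in q)
        if ev["account"] not in alerts and (msgs > max_msgs or rcpts > max_rcpts):
            alerts[ev["account"]] = {"at": ev["ts"], "msgs": msgs, "rcpts": rcpts,
                                     "srcs": sorted({s for _, _, s in q})}
    return alerts

def make_sample_log():
    """Constructed log: alice sends a few normal messages over the day; bob's
    account relays one 20-recipient message per second from two client IPs,
    the pattern described in the thread (rate scaled down to keep it short)."""
    events = [(datetime(2008, 5, 24, hour, 0, 0), "alice", "192.0.2.10", 1)
              for hour in range(8, 14)]
    start = datetime(2008, 5, 24, 12, 21, 27)
    srcs = ("198.51.100.7", "203.0.113.9")
    for i in range(120):
        events.append((start + timedelta(seconds=i), "bob", srcs[i % 2], 20))
    events.sort()
    return [f"{ts.strftime(TS)} account={acct} src={src} rcpts={n}" for ts, acct, src, n in events]

if __name__ == "__main__":
    for account, a in detect(make_sample_log()).items():
        print(f"{account}: {a['msgs']} msgs / {a['rcpts']} rcpts by {a['at']} from {a['srcs']}")
```

The thresholds have to be tuned against the population's normal behaviour (a mailing-list owner or a departmental secretary will legitimately exceed a naive limit), which is why the recipient count is tracked separately from the message count. This catches the relaying after the fact; the outbound content filter Michael mentions, which stops the user's reply carrying the credentials in the first place, is the complementary control.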
participants (5)
- Ari Constancio
- Graeme Fowler
- Matthew Black
- Michael Holstein
- Peter Dambier