Educause Security Discussion
mailing list archives
Recent (since July 2013) Phishing vs. University accounts
From: Gary Warner <gar () CIS UAB EDU>
Date: Sat, 27 Jul 2013 10:03:13 -0500
I've had a few conversations lately regarding phishing sites against US-based universities that have been attacked
using a very similar technique. This week we learned of a new set of phishing sites that make it even more evident
that these sites may all be conclusively linked.
If you are aware of a recent "university-as-victim" phishing attack, would you please reach out to me off-list? We are
trying to determine how many of these cases are DEFINITELY the same bad guy and how many are merely similar.
These seemed, at face value, to be similar . . . each has a similarly structured email. In fact, I found these by
doing a google search phrase match of this phrase:
"This is an automated message to notify you that we detected a login attempt"
Each of these is a University web page warning its users about a phish:
University of Minnesota - http://blog.lib.umn.edu/it-comm/phishing/2013/07/phishing-example-9-the-umn-helpdesk.html
Clemson - http://www.clemson.edu/ccit/help_support/safe_computing/cyber_threat_alerts.html
University of Chicago - https://itservices.uchicago.edu/page/latest-email-scams
Washburn - http://blog.washburn.edu/technology/2013/07/14/multiple-reports-of-czech-republic-phishing-messages/
Kansas State U - https://blogs.k-state.edu/scams/2013/07/09/phishing-scam-7913-termination-of-your-webmail-account/
This week, a new attack against University of Minnesota was seen on a server that was simultaneously also hosting phish
University of Southern California:
Arizona State University:
University of Minnesota:
We have not yet conclusively linked any of the above (other than the last three, obviously).
If anyone has samples of the emails sent to employees or students, for these or any other recent University-targeted
phish, please send them directly to me off-list. In the interest of not having them caught in spam filters, please
forward them to my unfiltered personal email, with a subject line of "University Phishing" ==> gar () askgar com
Thank you for any assistance in this matter.
I'll go ahead and say that one technique for identifying "commonality" is a review of the "referring URLs" from the
weblogs where the university logo is being pulled. There is interest from law enforcement that we can discuss off-list
if anyone is in a position to be able to help provide emails-with-headers, evidence of "abuse" of the stolen
credentials, or those referring URLs with IP addresses. (Hint: the FIRST PERSON to visit your university graphic from
a referring URL on a phishing site is ALMOST CERTAINLY the phisher, especially when it happens over and over again on
many phishing sites from the same IP address.)
Again, some of this is quickly going to head to the "on-going investigation" level of privacy. Please go off-list if
you are sharing significant attack details, but I will be happy to summarize back to the list what I can.
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
gar () cis uab edu
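The referring-URL technique described above, worked through as an added example (not part of the original post): it scans web server logs in Apache combined format for requests to the university logo, keeps only requests whose Referer points off-campus, and reports the first client IP seen per referring host plus any IP that was "first" on more than one host. The log lines, the logo path and the campus domain are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Apache combined-format log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2013:08:01:12 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://phish-example.test/webmail/login.php" "Mozilla/5.0"
198.51.100.20 - - [22/Jul/2013:08:05:40 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://phish-example.test/webmail/login.php" "Mozilla/5.0"
192.0.2.44 - - [22/Jul/2013:09:00:01 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "https://www.example.edu/index.html" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2013:11:30:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://another-phish.test/helpdesk/verify.html" "Mozilla/5.0"
198.51.100.21 - - [24/Jul/2013:11:45:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://another-phish.test/helpdesk/verify.html" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_own_host(host, own_domains):
    """True when the referring host is the campus site itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def first_visitors(log_text, logo_path, own_domains):
    """Return {referring_host: (first_ip, timestamp)} for off-site referrers that
    pulled the logo. Assumes the log is in chronological order (Apache default)."""
    first = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        if len(parts) < 2 or parts[1] != logo_path:
            continue
        host = urlparse(m.group("ref")).hostname
        if not host or is_own_host(host, own_domains):
            continue  # no referrer, or a legitimate on-campus page embedding the logo
        first.setdefault(host, (m.group("ip"), m.group("ts")))  # keep only the first fetch
    return first

def repeat_offenders(first):
    """IPs that were the first visitor for more than one off-site (likely phishing) host."""
    by_ip = defaultdict(list)
    for host, (ip, _) in first.items():
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}

if __name__ == "__main__":
    hits = first_visitors(SAMPLE_LOG, "/images/logo.png", ("example.edu",))
    for host, (ip, ts) in hits.items():
        print(f"{host}: first logo fetch from {ip} at {ts}")
    print("first visitor on several sites:", repeat_offenders(hits))
```

An IP that is "first" on several unrelated phishing hosts is the pattern the post describes; treat it as an investigative lead to pair with email headers, not as proof on its own.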