Educause Security Discussion mailing list archives
Small cheap custom phishing
From: Steve Bohrer <skbohrer () SIMONS-ROCK EDU>
Date: Tue, 12 Nov 2013 17:43:29 -0500
This stuff is likely old hat to many of you, but Simon's Rock is so tiny that this is our first exposure to a really
custom phish email. It had our domain as the forged "From:" field, our proper institution name and address to make it
look legitimate, and the text part of the bogus log-in anchor was also our domain. (The fake form was on phpforms.net,
and they were very responsive about dropping it.) The phishers caught at least three of our users, so far all alumni
accounts, and after trying general spamming with the first two, moved on to launching the same sort of attack from us
targeting Rider.edu. (Sorry about that.)
With a little thought, we realized that this level of customization would be easy to automate, and, if you are a
spammer with a big address database, easy to target. The info in the custom phish is built from widely available online
data; they would not even need to visit our web site, but could pull it all from domain registrations. Then, simply
find all the @simons-rock.edu addresses in your spam database, and send the phish on its way. Given the amount of spam
that hits our filters, I'd say spammers in general have pretty good coverage of our entire user base.
FWIW, here's the sample text they sent our users:
Subject: ## all Mail-hub systems#
Date: Mon, 11 Nov 2013 18:38:19 -0600
From: Bard College at Simon's Rock <noreply () simons-rock edu>
Reply-To: noreply () simons-rock edu
To: noreply () simons-rock edu
This Email is from Bard College at Simon's Rock, we will be making some vital E-mail account maintenance to ensure
high quality in Internet connectivity in the 2013 fight against spam and improve security, all Mail-hub systems will
undergo regularly scheduled maintenance.
To confirm and to keep your account active during and after this process Kindly Click the Universal Web Link and fill
the following information: http:/simons-rock.edu/hubsystems
Bard College at Simon's Rock•
84 Alford Rd, Great Barrington, MA 01230•
The version of this phish to Rider was identical, except with their domain, name and address.
The phish link behind the text above was http://simonsrockedu.phpforms.net/f/firstform, and again, the exact same
format for Rider. Clever how automatic it can be.
Obviously, we need to do more to automatically shut down high-volume senders, and it would also have been nice to have
a system that could have stopped this phish as it came in, though not sure how easy that is. The original has a large
amount of formatting code cluttering up the html, presumably intended to obfuscate the actual message.
Network Admin, ITS
Bard College at Simon's Rock
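One inbound check of the kind the post wishes it had, as an added example that is not part of the original message: flag an HTML anchor whose visible text names one domain while its href points somewhere else, and flag hrefs that bury the institution's name inside a third-party host (as simonsrockedu.phpforms.net does). The SAMPLE_HTML body and the ORG_DOMAIN setting are constructed for this illustration; the anchor values are modeled on the ones quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "simons-rock.edu"  # the defended domain (assumed setting, taken from the post)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body, across nested formatting tags."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Last two labels of a host (simplification: ignores multi-label suffixes like .co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible text that looks like a URL or bare domain; tolerates the "http:/" seen in the phish.
_URLISH = re.compile(r"^(?:https?:/+)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_anchors(html, org_domain=ORG_DOMAIN):
    """Return (text, href, reason) for anchors whose text and destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html)
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    findings = []
    for href, text in parser.anchors:
        href_base = base_domain(urlparse(href).hostname or "")
        shown = _URLISH.match(text)
        if shown and base_domain(shown.group(1)) != href_base:
            findings.append((text, href, "link text names a different domain than the href"))
        elif href_base != org_domain.lower() and squash(org_domain) in squash(urlparse(href).hostname or ""):
            findings.append((text, href, "org name embedded in a third-party host"))
    return findings


# Constructed sample: one legitimate link, then two anchors modeled on the phish quoted above.
SAMPLE_HTML = (
    '<p><a href="https://www.simons-rock.edu/help">https://simons-rock.edu/help</a></p>'
    '<p><a href="http://simonsrockedu.phpforms.net/f/firstform"><b>http:/simons-rock.edu/hubsystems</b></a></p>'
    '<p><a href="http://simonsrockedu.phpforms.net/f/firstform">Click here</a></p>'
)
```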