Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Small cheap custom phishing
From: Pete Hickey <pete () SHADOWS UOTTAWA CA>
Date: Tue, 12 Nov 2013 18:52:32 -0500

Ok... you have three that were caught... Out of how many sent?
100?... 200?...
Think of this... if there were only 3 caught aout of 100, that<s 97% 
of people not fooled....  In any other kind of thing, 97% success
would be considered FANTASTIC!  Look at a normal curve.  You'll
always have some on the fringe.

In general, most people are smarter than we 'security people'
give them credit for.

On Tue, Nov 12, 2013 at 05:43:29PM -0500, Steve Bohrer wrote:
This stuff is likely old hat to many of you, but Simon's Rock is so tiny that this is our first exposure to a really 
custom phish email. It had our domain as the forged "From:" field, our proper institution name and address to make it 
look legitimate, and the text part of the bogus log-in anchor was also our domain. (The fake form was on 
phpforms.net, and they were very responsive about dropping it.) The phishers caught at least three of our users, so 
far all alumni accounts, and after trying general spamming with the first two, moved on to launching the same sort of 
attack from us targeting Rider.edu . (Sorry about that.)

With a little thought, we realized that this level of customization would be easy to automate, and, if you are a 
spammer with a big address database, easy to target. The info in the custom phish is built from widely available 
online data; they would not even need to visit our web site, but could pull all it from domain registrations. Then, 
simply find all the @simons-rock.edu addresses in your spam database, and send the phish on its way. Given the amount 
of spam that hits our filters, I'd say spammers in general have pretty good coverage of our entire user base.

FWIW, here's the sample text they sent our users:

Subject:    ## all Mail-hub systems#
Date:       Mon, 11 Nov 2013 18:38:19 -0600
From:       Bard College at Simon's Rock <noreply () simons-rock edu>
Reply-To:   noreply () simons-rock edu
To: noreply () simons-rock edu

This Email is from Bard College at Simon's Rock,  we will be making some vital E-mail account maintenance to ensure 
high quality in Internet connectivity in the 2013 fight against spam and improve security, all Mail-hub systems 
will undergo regularly scheduled maintenance.

To confirm and to keep your account active during and after this process Kindly Click the Universal Web Link and 
fill the following information: http:/simons-rock.edu/hubsystems

Bard College at Simon's Rock? 
84 Alford Rd, Great Barrington, MA 01230?

The version of this phish to Rider was identical, except with their domain, name and address.

The phish link behind the text above was http://simonsrockedu.phpforms.net/f/firstform , and again, the exact same 
format for Rider. Clever how automatic it can be.

Obviously, we need to do more to automatically shut down high-volume senders, and it would also have been nice to 
have a system that could have stopped this phish as it came in, though not sure how easy that is. The original has a 
large amount of formatting code cluttering up the html, presumably intended to obfuscate the actual message.

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock

Pete Hickey                         "The best diplomat I know
The University of Ottawa             is a fully activated phaser bank."
Ottawa, Ontario                            -- Scottie

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]