Educause Security Discussion
mailing list archives
Re: Small cheap custom phishing
From: Pete Hickey <pete () SHADOWS UOTTAWA CA>
Date: Tue, 12 Nov 2013 18:52:32 -0500
Ok... you have three that were caught... Out of how many sent?
Think of this... if there were only 3 caught aout of 100, that<s 97%
of people not fooled.... In any other kind of thing, 97% success
would be considered FANTASTIC! Look at a normal curve. You'll
always have some on the fringe.
In general, most people are smarter than we 'security people'
give them credit for.
On Tue, Nov 12, 2013 at 05:43:29PM -0500, Steve Bohrer wrote:
This stuff is likely old hat to many of you, but Simon's Rock is so tiny that this is our first exposure to a really
custom phish email. It had our domain as the forged "From:" field, our proper institution name and address to make it
look legitimate, and the text part of the bogus log-in anchor was also our domain. (The fake form was on
phpforms.net, and they were very responsive about dropping it.) The phishers caught at least three of our users, so
far all alumni accounts, and after trying general spamming with the first two, moved on to launching the same sort of
attack from us targeting Rider.edu . (Sorry about that.)
With a little thought, we realized that this level of customization would be easy to automate, and, if you are a
spammer with a big address database, easy to target. The info in the custom phish is built from widely available
online data; they would not even need to visit our web site, but could pull all it from domain registrations. Then,
simply find all the @simons-rock.edu addresses in your spam database, and send the phish on its way. Given the amount
of spam that hits our filters, I'd say spammers in general have pretty good coverage of our entire user base.
FWIW, here's the sample text they sent our users:
Subject: ## all Mail-hub systems#
Date: Mon, 11 Nov 2013 18:38:19 -0600
From: Bard College at Simon's Rock <noreply () simons-rock edu>
Reply-To: noreply () simons-rock edu
To: noreply () simons-rock edu
This Email is from Bard College at Simon's Rock, we will be making some vital E-mail account maintenance to ensure
high quality in Internet connectivity in the 2013 fight against spam and improve security, all Mail-hub systems
will undergo regularly scheduled maintenance.
To confirm and to keep your account active during and after this process Kindly Click the Universal Web Link and
fill the following information: http:/simons-rock.edu/hubsystems
Bard College at Simon's Rock?
84 Alford Rd, Great Barrington, MA 01230?
The version of this phish to Rider was identical, except with their domain, name and address.
The phish link behind the text above was http://simonsrockedu.phpforms.net/f/firstform , and again, the exact same
format for Rider. Clever how automatic it can be.
Obviously, we need to do more to automatically shut down high-volume senders, and it would also have been nice to
have a system that could have stopped this phish as it came in, though not sure how easy that is. The original has a
large amount of formatting code cluttering up the html, presumably intended to obfuscate the actual message.
Network Admin, ITS
Bard College at Simon's Rock
Pete Hickey "The best diplomat I know
The University of Ottawa is a fully activated phaser bank."
Ottawa, Ontario -- Scottie