Educause Security Discussion mailing list archives
Re: Active Phishing Attack Against EDUs
From: Scott Finlon <sfinlon () REN-ISAC NET>
Date: Fri, 22 Jun 2018 15:37:43 -0400
Hi Bobby,

CIF aka The Collective Intelligence Framework https://csirtgadgets.com/collective-intelligence-framework is a threat intelligence sharing platform that REN-ISAC created and maintains that takes in many different formats of threat data and is able to output the indicators in standard common formats for direct implementation into various tools like Snort, Bro, CSV, or JSON.

Scott Finlon
Principal Security Engineer
REN-ISAC
soc () ren-isac net

On 6/22/18 9:43 AM, Bridges, Robert A. wrote:
Marty, can you give a quick overview of CIF and how your team uses it?
Thanks,
Bobby
--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research
Group, Oak Ridge National Laboratory
*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Manjak, Martin" <mmanjak () ALBANY EDU>
*Reply-To:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date:* Friday, June 22, 2018 at 9:10 AM
*To:* "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject:* Re: [SECURITY] Active Phishing Attack Against EDUs
There are lots of CIF notations for that address. Perhaps the most relevant is this one:
2018-01-18T13:46:04Z
2018-01-18T13:46:04Z
31.220.2.200
95
spam
Direct UBE sources, spam operations & spam services
None
http://www.spamhaus.org/query/bl?ip=31.220.2.200
Marty Manjak
CISO
University at Albany
*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*On Behalf Of* Dicovitsky, Paul
*Sent:* Friday, June 22, 2018 9:05 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Active Phishing Attack Against EDUs
Joe,
Thank you, kindly, for sharing this information. Middlebury College was targeted by a
similar attack on Tuesday the 19th, one day before your note.
We received approximately 500 phishing messages, with the subject line of "Board Policy
Professional Standards For All Middlebury College Employees", all including a PDF file
that consisted of a static image and a hyperlink to the phishing credential harvesting page.
Middlebury's email security systems successfully stripped the malicious attachment from
the incoming messages, blunting any potential impact.
The phishing kit was hosted at https://lamntdrelaetda.date/Middlebury/ [IP
address 31.220.2.200]. Directory browsing was not enabled on the server.
The attacker sent the phishing messages using a compromised albright.edu account. The
attacker submitted the phishing messages to the albright.edu account using a VPN service,
ExpressVPN, with an X-Originating-IP address of 45.56.149.68.
Our team supplied the attacker with a bogus set of credentials - a honeypot account - and
proceeded to monitor for login attempts. Of note, the attacker tested the honey account
within 5 minutes of the bogus credentials being supplied, using the same ExpressVPN
address (45.56.149.68).
Relevant SMTP headers from the original message follow:
From: "XXXXXXX" <XXXXX () albright edu>
Subject: Board Policy Professional Standards For All Middlebury College Employees
Date: Tue, 19 Jun 2018 14:43:46 +0000
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=XXXXXXX () albright edu;
x-originating-ip: [45.56.149.68]
received-spf: None (protection.outlook.com: albright.edu does not designate permitted sender hosts)
Kindly,
Paul Dicovitsky
Systems & Security Manager | ITS | Middlebury College
802-443-5085
Signing up for Multi-Factor Authentication is the single most effective step you can
take to protect your Middlebury account. Learn more at Middlebury's MFA page
<http://go.middlebury.edu/mfa> and sign up for MFA today <http://go.middlebury.edu/getmfa>.
------------------------------------------------------------------------------------------
*From:* The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
Sargent, Joe E <Joe.Sargent () WS EDU>
*Sent:* Wednesday, June 20, 2018 4:35 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Active Phishing Attack Against EDUs
Earlier today most of our employees received a phishing email that appeared to be from our
president. After some research we found that we were able to view the site structure where the
link directed users. We were the only school in the list at that time. As the day has
progressed more and more schools have been built into the structure. Some schools were
there and then were modified to other schools. So, this is very active. They even have a
certificate on the site to make it more legitimate. The PDF in the email did not have any
active content but did contain the link to the website. Here are the schools we have seen
so far and have not been able to contact (this appears to still be active with schools
being added throughout the day)…
Central Methodist University
Columbia College in Missouri
Champlain College
Walla Walla Community College
Waldorf University
Middlebury College
Texas A&M University San Antonio
Many of these schools may have already had emails go to their users… Others maybe not.
Below is the information we have gathered that may help you protect your users…
Our initial email came from… (might be different for you) *From:* Robin Esparza
[mailto:resparza () lbschools net]
The link in the document directs you to one of these for your school… (however, we have
seen the links change and it is possible that this is not your school now – see notes below)
Your school will be represented by an abbreviation in the root of the web site
Mokaortmdesm.club/<yourschool>/index.php
Mokaortmdesm.club/<yourschoolhttps>/index.php
IP address of web site: 89.36.213.44
The method used to ID schools was to go to the link and input fake information and click
submit. This then sent us to a link at the target school that would make a user believe
the original email was real because it is policy etc. We have seen this link change for
some schools and later point to another school. So, if the link is not there now then
look at the folders at the root of the web site to be sure that your school has not been
moved to another folder.
If you go to the top level of the website you can actually see the directory structure.
To actually find out where each is pointing to you have to click the folder/file and then
click download on the web site. Enter fake information and then it will take you to a
linked page at the targeted school. It took us a while to figure this out. Again, this
is active and they appear to have made changes to files and links. We have seen their
processes change as they create more sites.
I hope this helps you. Apologies if it turns out to be nothing but at least you can block
your users from getting to the web site.
Thank you,
Joe
_____________________________________________________________
Joe Sargent
Assistant Vice President for Information and Educational Technologies (IET) and CIO
Walters State
Jack E. Campbell College Center Suite 314
500 South Davy Crockett Parkway
Morristown, TN 37813
Voice (423) 585-6836
Fax: (423) 585-2630
E-mail: joe.sargent () ws edu
This transmission, regardless of modality, may contain confidential information and may be
subject to protection under the law. If you are not the intended recipient, or an
authorized agent for the intended recipient, you are hereby notified that use, such as but
not limited to disclosure, copying, or distribution, is prohibited. Please destroy any and
all copies immediately and notify the sender of this erroneous receipt.
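The header triage Paul describes above (reading x-originating-ip, noting the SPF "none" result for the claimed sender domain, and checking links against the kit hosts and addresses shared in the thread) can be scripted so that every similar message is checked the same way. The following is an added example written for this archive page; it is not code from REN-ISAC, CIF or any of the posters. The sample message is constructed and only modelled on the headers Paul quoted (addresses redacted as in the thread), and the indicator sets are simply the hosts and IPs named by Joe and Paul; the function names are the example's own.

```python
import email
import ipaddress
import re
from email import policy

# Indicators taken from the messages in this thread: phishing-kit hosts and the
# VPN egress address Paul saw in x-originating-ip. In practice these would be
# loaded from a CIF feed (CSV/JSON output) rather than hard-coded.
PHISHING_HOSTS = {"lamntdrelaetda.date", "mokaortmdesm.club"}
PHISHING_IPS = {"31.220.2.200", "89.36.213.44"}
SENDER_IPS = {"45.56.149.68"}

# Constructed sample message, modelled on the headers Paul quoted. The sender
# address and body text are placeholders, not the original content.
SAMPLE_MESSAGE = """From: "Redacted Sender" <redacted@albright.edu>
To: staff@example.edu
Subject: Board Policy Professional Standards For All Middlebury College Employees
Date: Tue, 19 Jun 2018 14:43:46 +0000
X-MS-Has-Attach: yes
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=redacted@albright.edu;
x-originating-ip: [45.56.149.68]
received-spf: None (protection.outlook.com: albright.edu does not designate permitted sender hosts)
Content-Type: text/plain

Please review the attached board policy at https://lamntdrelaetda.date/Middlebury/
"""


def originating_ip(msg):
    """Return the x-originating-ip value as a validated address string, or None."""
    raw = msg.get("x-originating-ip")
    if raw is None:
        return None
    candidate = raw.strip().strip("[]").strip()  # Exchange wraps the address in [ ]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def spf_result(msg):
    """Return the first token of received-spf (pass/none/fail/...), lower-cased."""
    raw = msg.get("received-spf")
    if raw is None:
        return None
    return raw.split()[0].lower()


def body_hosts(msg):
    """Collect the host names of every http(s) URL in the plain-text body."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", text)}


def triage(raw_message):
    """Apply the thread's checks to one raw RFC 822 message and report findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    ip = originating_ip(msg)
    if ip in SENDER_IPS:
        findings.append(f"x-originating-ip {ip} matches a sender address reported in the thread")

    spf = spf_result(msg)
    if spf in {"none", "fail", "softfail"}:
        findings.append(f"SPF result '{spf}' for the claimed sender domain")

    hosts = body_hosts(msg)
    for host in sorted(hosts & PHISHING_HOSTS):
        findings.append(f"link to known phishing-kit host {host}")

    return {
        "originating_ip": ip,
        "spf": spf,
        "link_hosts": sorted(hosts),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE)["findings"]:
        print("finding:", line)
```

Run against the constructed sample, the script reports all three signals Paul mentioned; a message with a passing SPF result, no originating-IP match and no link to a listed host comes back with `suspicious` set to False, so the same function can be dropped into a mail-gateway hook or a mailbox sweep without special-casing.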