SANS ISC: Phishing with a small twist - Internet Security | DShield SANS ISC InfoSec Forums
Phishing with a small twist

A reader sent this through to us (thanks) and it has an interesting little twist. 

The message itself is one we are already used to:

Dear email account owner,

This message is from somewhere email administration center to all email
account owners. We are currently upgrading the email securities of our
database and email account center. We are also conducting a routine check
by deleting all unused accounts to create more space for new accounts.

To prevent your email account from being closed, you will have to update
it below by providing us with the below mentioned so that we can ascertain
that your account is prensently in use.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username:....................
Email Password:....................
Date of Birth:.....................
Country or Territory:..............

Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account
permanently.

Regards,

Admin Team

Thank you for using somewhere email account

We know this message.  Nothing different so far.  The twist is in the sender and reply address.  Instead of the usual abc@somefreemail.site address at hotmail, live.com, gmail, yahoo and the like, this reply address had its own domain.  So they set up a domain to make the message seem more legit.  The domain was registered yesterday, the phishing messages are already going out, and no doubt replies are already going back.  You may wish to consider making email to the domain email-helpdesk.com disappear.  Just be aware there may be other domains as well.
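One way to act on the diary's advice is to look at where a victim's answer would actually go (the Reply-To header, falling back to From) rather than at the visible sender, and flag domains that are on a tracked list or were registered only days ago. The snippet below is an added example, not code from the diary or from SANS ISC; the tracked-domain list, the registration-date table (a stand-in for a WHOIS/RDAP lookup), the reference date and the sample message are all constructed for illustration.

```python
from datetime import date
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data. email-helpdesk.com is the domain named in the diary;
# the registration dates below stand in for a real WHOIS/RDAP lookup.
TRACKED_REPLY_DOMAINS = {"email-helpdesk.com"}
REGISTRATION_DATES = {
    "email-helpdesk.com": date(2009, 4, 27),
    "mail-security-center.test": date(2009, 4, 26),
    "example.com": date(1995, 8, 14),
}
AS_OF = date(2009, 4, 28)   # constructed reference "today"
MAX_AGE_DAYS = 30           # younger than this counts as newly registered

# Constructed message modelled on the one in the diary: the From address is
# at a free-mail-style domain, but replies are steered to the phisher's domain.
SAMPLE = (
    "From: Admin Team <admin@example.com>\n"
    "Reply-To: Admin Team <support@email-helpdesk.com>\n"
    "Subject: CONFIRM YOUR EMAIL IDENTITY BELOW\n\n"
    "Dear email account owner, ...\n"
)


def reply_domains(raw_message: str) -> set:
    """Domains a reply would go to: Reply-To if present, otherwise From."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("Reply-To") or msg.get_all("From") or []
    return {addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(headers) if "@" in addr}


def classify(raw_message: str, today: date = AS_OF) -> dict:
    """Map each reply domain to 'tracked', 'newly-registered', 'unknown' or 'ok'."""
    verdicts = {}
    for dom in reply_domains(raw_message):
        if dom in TRACKED_REPLY_DOMAINS:
            verdicts[dom] = "tracked"
        elif dom not in REGISTRATION_DATES:
            verdicts[dom] = "unknown"   # no data: do not assume it is safe
        elif (today - REGISTRATION_DATES[dom]).days <= MAX_AGE_DAYS:
            verdicts[dom] = "newly-registered"
        else:
            verdicts[dom] = "ok"
    return verdicts


if __name__ == "__main__":
    print(classify(SAMPLE))
```

A mail gateway can use the same verdicts to quarantine inbound messages or, as the diary suggests, to stop outbound replies to tracked domains.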

Update

Joanne mentioned that she has seen this a bit over the last few months.  Like most of us she just discarded the message; after all, spam is spam no matter what the reply address is.

Mark H - Shearwater

I'll be teaching Security 401: SANS Security Essentials Bootcamp Style in Melbourne (May 11-16) and Canberra (June 29 - July 4).

DNS for this domain is hosted via Yahoo. Why don't they just kill it on their end and be done?
Any Yahoo admins out there capable of doing this? :)
Anonymous
No, the reply address is *very* important.

These stolen credentials are being used to hijack mail accounts, which the spammers use to send spam. This causes legitimate email providers to get abused and blacklisted.

Tracking the reply addresses is crucial for email administrators to be able to prevent their users from disclosing their credentials to spammers.

The addresses are being tracked here:
http://code.google.com/p/anti-phishing-email-reply/
Anonymous
