
SANS ISC: Potential Phish for Regular Webmail Accounts - Internet Security | DShield SANS ISC InfoSec Forums


Potential Phish for Regular Webmail Accounts

I was looking through my spam folder today and saw an interesting phish. The phishing email is looking for email account information. Nothing new about that, except this one seemed to have a broad target range. Normally, these types of phishes are sent to .edu addresses, not those outside of academia. From the email headers, this one was sent to the Handlers email, which is a .org. A non-technical user, like many of my relatives, would probably respond to this. I could see this being successful against regular webmail users of Gmail, Hotmail, etc., especially if the verbiage was changed slightly. It could also be targeting those who may be enrolled in online universities. I was wondering if anyone else has seen this type of phish toward their non .edu webmail accounts. I have included the email below:

From: University Webmaster <university.m@usa.com>
Date: Fri, Oct 19, 2012 at 9:34 PM
Subject: Webmail Account Owner
To:

Dear Webmail Account Owner,

This message is  from the University Webmail Messaging Center to all email account owners.

We are currently carrying out scheduled maintenance,upgrade of our web mail service and we are changing our mail host server,as a result your original password will be reset.

We are sorry for any inconvenience caused.

To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.

*********************************************************************************
CONFIRM YOUR EMAIL IDENTITY NOW
E-mail Address:
User Name/ID:
Password:
Re-type Password:

************************************************************************************
Failure to do this will immediately render your email address deactivated from the University Webmail.
************************************************************************************

This E-mail is confidential and privileged. If you are not the intended Recipient please accept our apologies; Please do not Disclose, Copy or Distribute Information in this E-mail or take any action in Reliance on its contents: to do so is strictly prohibited and may be Unlawful.

Please inform us that this Message has gone astray before deleting it.

Thank you for your Co-operation.

Copyright ©2011 University Webmaster. All Rights Reserved

Lorna

165 Posts
ISC Handler
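
A screening heuristic for the kind of message quoted in the diary above, added here as an example (it is not part of the original post or any ISC tooling): it flags mail that asks the reader to reply with a blank password field filled in. The freemail list, the indicator names and the LEGIT sample are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: short illustrative freemail list; extend it for real use.
FREEMAIL = {"usa.com", "gmail.com", "hotmail.com", "yahoo.com"}
# A form field left blank for the victim to fill in, e.g. "Password:".
BLANK_FIELD = re.compile(r"^\s*(?:re-?type\s+)?(password|user ?name(?:/id)?|"
                         r"e-?mail address)\s*:\s*$", re.I | re.M)
REPLY_ASK = re.compile(r"\breply to this (?:e-?mail|message)\b", re.I)
THREAT = re.compile(r"\b(?:deactivat|suspend|terminat)\w*", re.I)
OFFICIAL = re.compile(r"\b(?:university|webmaster|help ?desk|administrator)\b", re.I)

def phish_indicators(raw):
    """Return the sorted names of the heuristics that fire on a raw message."""
    msg = message_from_string(raw)
    # Plain-text parts only; encoded or HTML bodies would need decoding first.
    body = "\n".join(str(p.get_payload()) for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    fields = {m.group(1).lower() for m in BLANK_FIELD.finditer(body)}
    checks = {
        "blank_password_field": "password" in fields,
        "asks_for_reply": bool(REPLY_ASK.search(body)),
        "deactivation_threat": bool(THREAT.search(body)),
        "official_name_on_freemail": bool(OFFICIAL.search(name)) and domain in FREEMAIL,
        "no_visible_recipient": not msg.get("To", "").strip(),
    }
    return sorted(k for k, hit in checks.items() if hit)

def is_credential_reply_phish(raw):
    """Flag mail that asks the reader to reply with a password filled in."""
    hits = phish_indicators(raw)
    return "blank_password_field" in hits and "asks_for_reply" in hits

# Constructed samples: PHISH is abridged from the message quoted in the post;
# LEGIT is an invented maintenance notice on a placeholder domain.
PHISH = """From: University Webmaster <university.m@usa.com>
To:

To complete your webmail email account upgrade, you must reply to this email immediately and provide the information requested below.
E-mail Address:
User Name/ID:
Password:
Failure to do this will immediately render your email address deactivated from the University Webmail.
"""
LEGIT = ("From: IT Help Desk <helpdesk@example.edu>\nTo: staff@example.edu\n\n"
         "Webmail maintenance Saturday. We never ask for your password by email.\n")
```

The individual indicators are weak on their own; the verdict requires the blank password field together with the request to reply, which is the combination this message relies on.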
It was mentioned in the article that non-technical users might be caught by this. Would the standard advice of DO NOT put your password in an e-mail not negate the effectiveness of this phish? Even my grandparents know that real companies DO NOT ask for passwords to be sent by email.
PW

63 Posts
They can do a lot of damage with that information.

What does the full header look like?

PW
20 Posts
Pwobbe, you put a lot more faith in humans than I do. If rogues, support scams, and this type of basic account phish didn't work some percentage of the time, I doubt they would be so popular for scammers. As the illustrious Mr. Barnum said, there's a sucker born every minute.
hacks4pancakes

48 Posts
I've seen quite a few of these, or some that refer to a bogus website that masquerades as the real web-email login page, etc. And it clearly works - every August - December I see an increase in the amount of spam/phish coming from various universities as their new students fall for the phish-du-jour and their email accounts get compromised.

Not to mention the ginormous amounts of spam I routinely see from compromised yahoo/gmail accounts. (sigh)
Brent

118 Posts
I agree that I put a lot of trust in humans, but is education not the key to solving this problem? Train your users to spot 1 phish and hopefully they will be able to spot a lifetime of phish.

Sorry I know that was cheesy but you get the point.
PW

63 Posts
If education were the solution, then explain why kids drop out of high school.
Moriah

133 Posts
> I was wondering if anyone else has seen this type of phish toward their non .edu webmail accounts.

Yes, to both my 'name@university-name.ca' "alma-mater" ID and to my 'name@shaw.ca' personal account -- note that 'shaw.ca' is the largest ISP west of Saskatchewan, which makes it a large target, due to the greater number (though not necessarily greater percentage) of non-security-aware IDs.

Anonymous
