Showing posts with label fraud. Show all posts

Tuesday, July 22, 2008

University Spear Phishing

I've discussed the issue of Spear Phishing attacks on this blog before, although I had never personally received a targeted phishing e-mail until this morning. As I'm a graduate of Dublin City University in Ireland, I have a lifetime e-mail account there, and the e-mail I received is shown near the end of this post.

It claims to be from DCU Messaging Center and asks all students to verify their accounts, otherwise they will be deleted to create space for new accounts. I particularly love the use of the referenced Warning Code in the e-mail to make it seem legitimate. However, as Phil pointed out this actually helps find other related messages (1700+ of them) by searching for the very specific reference number.

A glance at the Received headers indicates the message originated from 41.205.163.40 and was submitted via Webmail (HTTP) rather than relayed over SMTP. The phisher most likely used a compromised webmail account to send out the blast. Because it was sent from a DCU webmail account to other DCU e-mail accounts, it probably didn't pass through the anti-spam solution. The connection IP address is located in Nigeria and is listed on the Spamhaus SBL.

I alerted the DCU Computer Services Department to the phish and they were already aware of the issue. I e-mailed contacts in the anti-spam industry asking for a contact in the live.com security team to report this to. Fortunately, I was then able to reach a manager and request that the dropbox be terminated. This was important so that further replies to the e-mail address dcu.accountmanagement@live.com would not be received, and it would also prevent the phisher from accessing details of current e-mails if they hadn't already retrieved them. An e-mail to the address now returns a 550 mailbox unavailable :)

I suggested that the University send out an e-mail alert to students so that anyone who responded could change their account password, but afterwards noticed that they already have an advisory. A student falling victim to the attack could have e-mails in their account that could be exploited for identity theft; for example, a credit card number could be available in the account. Hopefully the issue will be resolved quickly and no one will fall victim to this phishing attack.

Here's the message I received:

Received: from [41.205.163.40] by xxxxxxxx.dcu.ie with HTTP; Tue, 22 Jul 2008 04:56:30 +0100
Date: Mon, 21 Jul 2008 20:56:30 -0700
From: "DCU News Center"
Subject: Flag this message Email From Dcu Messaging Center/Verify Your Account
Reply-To: dcu.accountmanagement@live.com
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: quoted-printable

Dear Mail.Dcu.ie Account Owner,

This message is from DCU messaging center to all Mail.Dcu.ie account owners.
We are currently upgrading our data base and e-mail account center. We are
deleting all unused Mail.Dcu.ie account to create more space for new accounts.

To prevent your account from closing you will have to update it below so
that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................

Kindly send the above details to our DCU messaging center via e-mail (dcu.accountmanagement@live.com)

Thank you for using DCU.IE!
Warning Code:VX2G99AAJ

Thanks,
DCU.IE Team
DCU.IE"
............................................................................
............................................................................
NOTE: This message is authorize by the Mail.Dcu.ie email account protector unit.
Notification message will be send back to you after verifying your account
before account could be reset. All right reserved.



Monday, November 19, 2007

Could LinkedIn Users be the next victims of Spear Phishing?

Most savvy internet users are aware that the term "Phishing" is used to describe an online attempt to steal personal or financial data. However, this type of fraud is sometimes targeted at specific individuals, which is known as "Spear Phishing". Rather than casting a dragnet by sending millions of messages to unknown users, time and energy are invested into spearing small groups of individuals.

If a Phisher discovered the full name, geographic region, e-mail address and job title of an individual, it could make for the perfect phishing attack. Fortunately, most social networking sites that contain this type of information require approval before a stranger is able to view it. That isn't the case, though, if people decide to work around the safeguards put in place to protect them.

LinkedIn is a very popular professional networking website which has such safeguards in place. Despite this, many people opt to openly publicize their e-mail addresses and other confidential information in the hope of increasing their number of connections. A quick Google search reveals in the region of 10,000 people with an e-mail address in their title alone. This information could be harvested by spammers, so that those people would receive more spam. Worse still, it could be used as part of a phishing attack to steal an identity.