Skip to content
Trends

University Spear Phishing

By David Cawley | 3 minute read

I’ve discussed the issue of Spear Phishing attacks on this blog before. Although I’ve never personally received a targeted phishing e-mail until this morning. As I’m a graduate of Dublin City University in Ireland, I have a lifetime e-mail account and the e-mail received is shown near the end of this post.

It claims to be from DCU Messaging Center and asks all students to verify their accounts, otherwise they will be deleted to create space for new accounts. I particularly love the use of the referenced Warning Code in the e-mail to make it seem legitimate. However, as Phil pointed out this actually helps find other related messages (1700+ of them) by searching for the very specific reference number.

A glance at the Received headers indicates the message originated from 41.205.163.40 and was received via Webmail (HTTP) rather than SMTP. The Phisher most likely used a compromised webmail account to send out the blast. As it was sent from a DCU webmail account to other DCU e-mail accounts it probably didn’t pass through the Anti-Spam solution. The connection IP address is located in Nigeria and is listed on the Spamhaus SBL.

I alerted the DCU Computer Services Department to the phish and they were already aware of the issue. I e-mailed contacts in the Anti-Spam industry for a contact in the live.com security team to report this to. Fortunately, I was then able to contact a manager and request that the dropbox be terminated. This was important so that further replies to the e-mail address dcu.accountmanagement@live.com would not be received and it would also prevent the phisher from accessing details of current e-mails if they hadn’t already retrieved them. An e-mail to the address now returns a 550 mailbox unavailable 🙂

I suggested that the University send out an e-mail alert to students so that anyone that responded could change their account passwords but afterwards noticed they do have an advisory. A student falling victim to the attack could have e-mails in their account that could be exploited for identity theft. For example, a credit card number could be available in the account. Hopefully the issue will be resolved quickly and no one will fall victim to this phishing attack.

Here’s the message I received:

Received: from [41.205.163.40] by xxxxxxxx.dcu.ie with HTTP; Tue, 22 Jul 2008 04:56:30 +0100
Date: Mon, 21 Jul 2008 20:56:30 -0700
From: “DCU News Center”


Subject: Flag this message Email From Dcu Messaging Center/Verify Your Account

Reply-To: dcu.accountmanagement@live.com

MIME-Version: 1.0

Content-Type: text/plain; charset=”ISO-8859-15″

Content-Transfer-Encoding: quoted-printable

Dear Mail.Dcu.ie Account Owner,

This message is from DCU messaging center to all Mail.Dcu.ie account owners.
We are currently upgrading our data base and e-mail account center. We are
deleting all unused Mail.Dcu.ie account to create more space for new accounts.

To prevent your account from closing you will have to update it below so
that we will know that it’s a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : ………. …..
EMAIL Password : …………….

Kindly send the above details to our DCU messaging center via e-mail (dcu.accountmanagement@live.com)

Thank you for using DCU.IE!
Warning Code:VX2G99AAJ

Thanks,
DCU.IE Team
DCU.IE”
………………………………………………………………….
………………………………………………………………….
NOTE: This message is authorize by the Mail.Dcu.ie email account protector unit.
Notification message will be send back to you after verifying your account
before account could be reset. All right reserved.


Cut your support tickets and make customers happier