Fake-alert: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

I don't trust it:

yahoo address, not nanog.

Passwords asked ???

Kind regards
Peter

> I don't trust it:
>
> yahoo address, not nanog.
>
> Passwords asked ???

Of course, they're 'upgrating' the accounts :).

Return-Path: <accountupgrating@merit.edu>

Ari Constancio

Quite right too, it's a spear-phishing attack. This is currently an
almost daily occurrence for .edu domains.

The compromised accounts are frequently abused via webmail systems,
being used to send out more scams.

The scammers responsible are also targeting UK higher ed institutions,
with a limited degree of success. I can't really speak for my US
counterparts with regards the success of the attacks, but one would
surmise that it's more or less the same. To paraphrase badly:

All users are gullible, but some are more gullible than others.

-g

As a US EDU, I can attest to the fact that a handful of
our webmail accounts have been compromised and subsequently
used to send out these types of phishing attacks. We never
figured out how the accounts were compromised. I suspect
users with hand-held devices are being snooped when they
use IMAP. Our webmail is SSL, but not IMAP.

Most of the spammers' messages appear as though someone
is manually using their cut & paste to generate the spam,
not anything automated (based on the rate messages go out).
Seems rather tedious.

matthew black
e-mail postmaster
network services
california state university, long beach

> We never figured out how the accounts were compromised. I suspect

another .edu here ..

How we've seen it happen is we get blasted by one of those "verify your email account" messages.
Despite our countless efforts at user education about responding to this stuff, a dozen or so people always do (we try to configure outbound filters to catch it, but don't always do so in time).

These accounts are then used by automated scripts to hammer on our webmail (and ours is https, forced).

> Most of the spammers' messages appear as though someone
> is manually using their cut & paste to generate the spam,
> not anything automated (based on the rate messages go out).

When we've had it happen, the messages are being relayed at a rate of ~10,000/hr.

Note that the messages sent *after* the compromise are NOT more of the "verify your account" type .. they're run-of-the-mill pill and watch adverts. The original "verify your account" stuff comes in from various botnet PCs.

Cheers,

Michael Holstein
Cleveland State University
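
The checks applied by eye at the top of this thread (replies go to a yahoo address rather than the sender's domain, and the message asks for a password) can be run mechanically on inbound mail. The following is an added example, not code from any poster in the thread; the freemail list, the keyword pattern, the reason names and the sample messages (including the placeholder Reply-To address) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative list, not a complete freemail inventory.
FREEMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
# Assumption: minimal credential-request pattern; tune it for local mail.
CRED_RE = re.compile(r"\b(password|passwd|passphrase)\b", re.I)

def domain(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a raw RFC 5322 message looks like credential phishing."""
    msg = message_from_string(raw)
    sender = domain(msg["From"]) or domain(msg["Return-Path"])
    reply = domain(msg["Reply-To"])
    reasons = []
    if reply and reply != sender:
        reasons.append("reply-to-domain-mismatch")
    if reply in FREEMAIL and sender not in FREEMAIL:
        reasons.append("reply-to-freemail")
    text = ""
    for part in msg.walk():  # covers single-part and multipart messages
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode("utf-8", "replace")
    if CRED_RE.search(text):
        reasons.append("asks-for-credentials")
    return reasons

# Constructed sample: only the Return-Path and subject come from the thread.
PHISH = """\
Return-Path: <accountupgrating@merit.edu>
From: "Webmail Team" <accountupgrating@merit.edu>
Reply-To: <placeholder@yahoo.com>
Subject: VERIFY YOUR MERIT.EDU WEBMAIL ACCOUNT

Reply with your username and password to keep your account active.
"""
# Constructed benign message for comparison.
BENIGN = """\
From: <colleague@merit.edu>
Subject: meeting

See you at ten.
"""

if __name__ == "__main__":
    print(triage(PHISH), triage(BENIGN))
```

Mailing lists and help-desk systems legitimately rewrite Reply-To, so each reason is a signal to weigh together with the others, not a verdict on its own.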