AA-2008.0036 -- Targeted phishing attacks directed towards Australian universities
Date: 07 February 2008
Original URL: http://www.auscert.org.au/render.html?cid=1978&it=8766
===========================================================================
AA-2008.0036 AUSCERT Advisory
Targeted phishing attacks directed towards Australian universities
8 February 2008
---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Impact: Inappropriate Access
Access: Remote/Unauthenticated
OVERVIEW:
Over the past week, we have had several reports of targeted
phishing email attacks directed towards Australian Universities.
Similar attacks have been reported elsewhere [1].
IMPACT:
The desired result from these emails is to obtain usernames and
passwords for university email accounts. Reports suggest that these
accounts are then being used to send out further phishing spam.
However, AusCERT is currently unaware of the ultimate intended abuse
of these credentials.
MITIGATION:
Users who receive such email are advised not to respond, but
instead report this email to the appropriate institution or AusCERT.

Administrators at Universities or other affected institutions may
wish to educate staff and students (particularly those new to the
institution) about phishing attacks.

Email administrators may wish to closely examine the access to the
university email systems and outgoing email for unauthorised use.

Institutions using single sign-on solutions may wish to also
monitor the systems which allow access to more sensitive resources
using the same credentials.
DETAILS:
The following are two examples of emails reported in recent
incidents:
-------------------------------------------------------------------
From: XXXXXX EMAIL TEAM <XXXXXX1@XXXXXX.edu>
To: Undisclosed recipients: ;
Subject: VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Reply-To: XXXXXX@hotmail.com
VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Dear XXXXXX.edu Email Account Owner,
This message is from xxxxxx messaging center to all xxxxxx email account
owners. We are currently upgrading our data base and e-mail account center. We
are deleting all unused xxxxxx.edu email account to create more space for new
accounts.
To prevent your account from closing you will have to update it below so
that we will know that it's a present used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ..........
EMAIL Password : ...........
Date of Birth : ...................
Country or Territory : ...........
Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account permanently.
Thank you for using XXXXXX!
Warning Code:VX2G99AAJthem
Thanks,
XXXXXX Team
XXXXXX.EDU.AU
-------------------------------------------------------------------
To: xxxxx@xxxxxx.edu.au
Subject: Confirm Your E-mail Address
From: "xxxxxx.edu.au" <support@xxxxxx.edu.au>
Reply-To: xxxxxx.helpdesk@yahoo.com.au
Dear User,
We wrote to you on 1st of february 2008 advising that you change the
password on your account in order to prevent any unauthorised
account access following the network intrusion we previously
communicated.
Whilst we have found the vulnerability that caused this issue, and have
instigated a system wide security audit to improve and enhance our
current security.
To complete your harvard account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your account
deactivated from our database.
We apologise for the inconvenience that this will cause you during this
period, but trust you understand that our primary concern is for our
customers and for the security of their data.
our customers are totally secure.
-------------------------------------------------------------------
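Both samples above share a pattern that a mail administrator can check for: a From address claiming the institution's own domain, a Reply-To at a free webmail provider, and a request to send the password by reply. The following Python is an added example, not part of the AusCERT advisory; the `example.edu.au` domain, the webmail list and the phrase pattern are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative list of free webmail providers; extend for your site.
FREEMAIL = {"hotmail.com", "yahoo.com", "yahoo.com.au", "gmail.com"}
# Assumption: phrases that ask the recipient to send credentials by reply.
CRED_REQUEST = re.compile(
    r"\b(enter|confirm|verify|update)\b.{0,60}\b(password|account|identity)\b"
    r"|password\s*:", re.I | re.S)

# Constructed sample modelled on the second email above (placeholder domain).
PHISH = """From: "example.edu.au" <support@example.edu.au>
Reply-To: example.helpdesk@yahoo.com.au
To: user@example.edu.au
Subject: Confirm Your E-mail Address

You must reply to this email immediately and enter your password here (*********)
"""
# Constructed benign message from the same placeholder institution.
BENIGN = """From: IT Service Desk <servicedesk@example.edu.au>
To: user@example.edu.au
Subject: Scheduled maintenance

The mail service will be unavailable on Saturday from 02:00 to 04:00.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def is_freemail(domain):
    return any(domain == d or domain.endswith("." + d) for d in FREEMAIL)

def triage(raw_message, local_suffix):
    """Return the reasons a message matches the pattern in the reported samples."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []
    # The sender claims to be local, but replies are routed to outside webmail.
    claims_local = from_dom == local_suffix or from_dom.endswith("." + local_suffix)
    if claims_local and reply_dom != from_dom and is_freemail(reply_dom):
        reasons.append("reply-to-freemail")
    body = msg.get_payload()
    if isinstance(body, str) and CRED_REQUEST.search(body):
        reasons.append("credential-request")
    return reasons
```

Messages returning both reasons are candidates for quarantine and for checking which recipients replied; a single reason on its own is better treated as a prompt for manual review.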
REFERENCES:
[1] SANS Handler's Diary - Universities in the US being targeted in
a Spear Phising attack.
http://isc.sans.org/diary.html?storyid=3917
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================