Date: 11 February 2008
Over the past weeks we have seen an increasing number of Australian universities targeted in a phishing scam designed to obtain user credentials. The interesting point in this phishing scam is that there was no direct financial loss due to accounts being compromised, but the potential for such losses was there, ready to be exploited by someone with the right know-how.
The scary part about losing credentials is realising what can be done with them. In organisations that use single sign-on, this could give an attacker access to a very wide range of resources. A worst case scenario would be where these same credentials are used in authentication for access to financial systems. Imagine an organisation that has their HRM system online. An attacker could potentially use the same credentials to access the compromised user's payroll details, changing their bank accounts and having their fortnightly pay packet directed to the attacker's account. This would be harder to identify if these changes are not monitored, and most likely would only be picked up by an angry employee wanting to know why they didn't get paid.
Alternatively, your network could be used as the base for further attacks, all of which would point back to you. Your network could suffer performance degradation as it is used to initiate other attacks, which would put a strain on resource availability and reduce the ability of your staff to operate normally. On the other hand, the attacker could operate more low-key and use your resources for months or years without your knowledge. If your network was used to spam other accounts, you may find your domain is identified as a spam source, which could result in all traffic to the destination domain being blocked, or, in a worse case where organisations use external block lists, you could be blocked by a large number of sites. Your ISP could even block you if they detect that a large amount of spam is coming from your domain, which could possibly result in all email communication being denied. Such examples of denial of service can have serious impacts if your daily operation depends on the communications you send.
This is a valuable lesson to organisations. You don't have to be a bank in order to be phished, you don't even have to be involved in any sort of financial process. It seems that almost any credential can be converted into cash, somehow.
Here is a rundown on the incident (names removed to protect the innocent).
On the 31st of January the first university was hit with the following email:
-------------------------------------------------------------------------------
From: XXXXXX EMAIL TEAM
To: Undisclosed recipients: ;
Subject: VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Reply-To: XXXXXX@hotmail.com
VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Dear XXXXXX.edu Email Account Owner,
This message is from xxxxxx messaging center to all xxxxxx email account
owners. We are currently upgrading our data base and e-mail account center. We
are deleting all unused xxxxxx.edu email account to create more space for new
accounts.
To prevent your account from closing you will have to update it below so
that we will know that it's a present used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ..........
EMAIL Password : ...........
Date of Birth : ...................
Country or Territory : ...........
Warning!!! Account owner that refuses to update his or her account within
Seven days of receiving this warning will lose his or her account permanently.
Thank you for using XXXXXX!
Warning Code:VX2G99AAJ
Thanks,
XXXXXX Team
XXXXXX.EDU.AU
-------------------------------------------------------------------------------
The email was altered to appear to come from a legitimate university address, but the reply-to address is a free email account. Replying to this email would have sent the user credentials off to the external account, providing its owner with access to the university mail system. This report, unfortunately, was just the beginning.
Over the next week, more and more universities were hit. The sources were different, the reply-to addresses were different, even the emails themselves were altered to appear more legitimate. Here are the other formats that we ran into.
-------------------------------------------------------------------------------
To: xxxxx@xxxxxx.edu.au
Subject: Confirm Your E-mail Address
From: "xxxxxx.edu.au"
Reply-To: xxxxxx.helpdesk@yahoo.com.au
Dear User,
We wrote to you on 1st of february 2008 advising that you change the
password on your account in order to prevent any unauthorised
account access following the network intrusion we previously
communicated.
Whilst we have found the vulnerability that caused this issue, and have
instigated a system wide security audit to improve and enhance our
current security.
To complete your harvard account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your account
deactivated from our database.
We apologise for the inconvenience that this will cause you during this
period, but trust you understand that our primary concern is for our
customers and for the security of their data.
our customers are totally secure.
-------------------------------------------------------------------------------
From: "XXXXXX Team"
UPGRADE YOUR XXXXXXACCOUNT NOW
This message is from XXXXXX messaging center to all XXXXXXemail
account owners. We are currently upgrading our data base and e-mail
account
center. We are deleting all unused XXXXXXemail account to create more
space for new accounts. To prevent your account from closing you will
have
to update it
below so that we will know that it's a present used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
XXXXXX ID:........................
XXXXXX Password : ................
Date of Birth : .................
Thank you for using XXXXXX
Thanks,
XXXXXX Team
XXXXXX..EDU
-------------------------------------------------------------------------------
From: XXXXXX WEBMAIL SUPPORT
Subject: Confirm Your E-mail Address
Reply-to: XXXXXX@yahoo.com
Dear XXXXXX.edu.au Subscriber,
To complete your XXXXXX.edu.au webmail account, you must reply to this email
immediately and enter your password here (*********)
Failure to do this will immediately render your email address
deactivated from our database.
You can also confirm your email address by logging into your
XXXXXX.edu.au webmail account at http://webmail.XXXXXX.edu.au
Thank you for using XXXXXX.EDU.AU !
XXXXXX.EDU.AU SUPPORT TEAM
-------------------------------------------------------------------------------
Those accounts that were compromised were used in a second attack on other individuals and organisations. So the butterfly effect kicks in, and before you know it almost every university in Australia was affected.
Fortunately in this incident, it seemed that the only intention was to obtain these credentials in order to propagate more spam. It could have potentially been much worse.
As scary as this is, there are some simple steps you can take to protect yourself and your organisation. The best prevention is education. Let staff know of the existence of these threats. Make it known that you will never ask for user credentials via email (and ensure your security policy and support procedures don’t contradict this), and if a phishing email ever does show up in their inbox, that they are to report it immediately. That way filters can be applied, domains can be blocked, and logs can be monitored to ensure that no one has mistakenly replied.
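The samples above share one telltale header pattern: a From address on the organisation's own domain paired with a Reply-To on a free webmail provider, plus a body that asks for the password by return email. The following is an added example (not part of the original article or any vendor's product) of a simple mail-gateway check for that pattern; the organisation domain, the webmail list, the phrase list and the sample messages are all assumed or constructed here.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation legitimately sends from (assumed value for this example).
ORG_DOMAINS = {"xxxxxx.edu.au"}
# Free webmail providers used as Reply-To in the samples (plus gmail.com, an assumption).
FREE_WEBMAIL = {"hotmail.com", "yahoo.com", "yahoo.com.au", "gmail.com"}
# Phrases matching the credential-harvesting wording seen in the samples.
CREDENTIAL_PHRASES = ("email password", "enter your password",
                      "confirm your email identity", "lose his or her account")

def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def phishing_indicators(raw_message):
    """Return a list of reasons the message looks like a reply-to credential phish."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if from_dom in ORG_DOMAINS and reply_dom and reply_dom != from_dom:
        if reply_dom in FREE_WEBMAIL:
            reasons.append(f"From claims {from_dom} but Reply-To is free webmail {reply_dom}")
        else:
            reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Collect plain-text body parts (the whole message if it is not multipart).
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] \
        if msg.is_multipart() else [msg]
    text = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in parts).lower()
    hits = [phrase for phrase in CREDENTIAL_PHRASES if phrase in text]
    if hits:
        reasons.append("asks for credentials by email: " + ", ".join(hits))
    return reasons

# Constructed sample modelled on the first message in the article (address is made up).
SAMPLE_PHISH = """From: XXXXXX EMAIL TEAM <support@xxxxxx.edu.au>
To: Undisclosed recipients: ;
Subject: VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Reply-To: XXXXXX@hotmail.com

Dear Email Account Owner,
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ..........
EMAIL Password : ...........
"""
# Constructed benign message from the real helpdesk for comparison.
SAMPLE_LEGIT = "From: helpdesk@xxxxxx.edu.au\nSubject: Ticket closed\n\nYour ticket is resolved.\n"
```

Messages that return a non-empty list are candidates for quarantine, and the flagged Reply-To addresses can be fed to outbound mail logs to find anyone who already replied.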
Paul