Non-financial institutions at risk due to new phishing scam

Date: 11 February 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8790

Over the past weeks we have seen an increasing number of Australian universities targeted in a phishing scam in order to obtain user credentials. The interesting point in this phishing scam is that there was no direct financial loss due to accounts being compromised, but the potential for such losses was there, ready to be exploited by someone with the right know-how.

The scary part about losing credentials is realising what can be done with them. In organisations that use single sign-on, this could give an attacker access to a very wide range of resources. A worst case scenario would be where these same credentials are used in authentication for access to financial systems. Imagine an organisation that has its HRM system online. An attacker could potentially use the same credentials to access the compromised user's payroll details, changing their bank account and having their fortnightly pay packet directed to the attacker's account. This would be harder to identify if these changes are not monitored, and most likely would only be picked up by an angry employee wanting to know why they didn't get paid.

Alternatively, your network could be used as the base for further attacks, all of which would point back to you. Your network could suffer performance degradation as it is used to initiate other attacks, which would put a strain on resource availability and reduce the ability of your staff to operate normally. On the other hand, the attacker could operate more low-key and use your resources for months or years without your knowledge.

If your network was used to spam other accounts, you may find your domain identified as a spam source, which could result in all traffic to the destination domain being blocked, or, in a worse case where organisations use external block lists, you could be blocked by a large number of sites. Your ISP could even block you if they detect that a large amount of spam is coming from your domain, which could possibly result in all email communication being denied. Such examples of denial of service can have serious impacts if your daily operation depends on the communications you send.

This is a valuable lesson to organisations. You don't have to be a bank in order to be phished; you don't even have to be involved in any sort of financial process. It seems that almost any credential can be converted into cash, somehow.

Here is a rundown on the incident (names removed to protect the innocent). On the 31st of January the first university was hit with the following email:

-------------------------------------------------------------------------------
From: XXXXXX EMAIL TEAM
To: Undisclosed recipients: ;
Subject: VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Reply-To: XXXXXX@hotmail.com

VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!

Dear XXXXXX.edu Email Account Owner,

This message is from xxxxxx messaging center to all xxxxxx email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused xxxxxx.edu email account to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : ..........
EMAIL Password : ...........
Date of Birth : ...................
Country or Territory : ...........

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for using XXXXXX!
Warning Code:VX2G99AAJ

Thanks,
XXXXXX Team
XXXXXX.EDU.AU
-------------------------------------------------------------------------------

The email was altered to appear to come from a legitimate university address, but the reply-to address is a free email account. Replying to this email would have sent the user credentials off to the external account, providing its owner with access to the university mail system.

This report, unfortunately, was just the beginning. Over the next week, more and more universities were hit. The sources were different, the reply-to addresses were different, and even the emails themselves were altered to appear more legitimate. Here are the other formats that we ran into.

-------------------------------------------------------------------------------
To: xxxxx@xxxxxx.edu.au
Subject: Confirm Your E-mail Address
From: "xxxxxx.edu.au"
Reply-To: xxxxxx.helpdesk@yahoo.com.au

Dear User,

We wrote to you on 1st of february 2008 advising that you change the password on your account in order to prevent any unauthorised account access following the network intrusion we previously communicated. Whilst we have found the vulnerability that caused this issue, and have instigated a system wide security audit to improve and enhance our current security.

To complete your harvard account, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your account deactivated from our database.

We apologise for the inconvenience that this will cause you during this period, but trust you understand that our primary concern is for our customers and for the security of their data. our customers are totally secure.
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
From: "XXXXXX Team"

UPGRADE YOUR XXXXXX ACCOUNT NOW

This message is from XXXXXX messaging center to all XXXXXX email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused XXXXXX email account to create more space for new accounts. To prevent your account from closing you will have to update it below so that we will know that it's a present used account.

CONFIRM YOUR EMAIL IDENTITY BELOW

XXXXXX ID:........................
XXXXXX Password : ................
Date of Birth : .................

Thank you for using XXXXXX

Thanks,
XXXXXX Team
XXXXXX..EDU
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
From: XXXXXX WEBMAIL SUPPORT
Subject: Confirm Your E-mail Address
Reply-to: XXXXXX@yahoo.com

Dear XXXXXX.edu.au Subscriber,

To complete your XXXXXX.edu.au webmail account, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

You can also confirm your email address by logging into your XXXXXX.edu.au webmail account at http://webmail.XXXXXX.edu.au

Thank you for using XXXXXX.EDU.AU !
XXXXXX.EDU.AU SUPPORT TEAM
-------------------------------------------------------------------------------

Those accounts that were compromised were used in a second attack on other individuals and organisations. So the butterfly effect kicks in, and before you know it almost every university in Australia was affected. Fortunately in this incident, it seemed that the only intention was to obtain these credentials in order to propagate more spam. It could potentially have been much worse.

As scary as this is, there are some simple steps you can take to protect yourself and your organisation. The best prevention is education. Let staff know of the existence of these threats. Make it known that you will never ask for user credentials via email (and ensure your security policy and support procedures don't contradict this), and that if a phishing email ever does show up in their inbox, they are to report it immediately. That way filters can be applied, domains can be blocked, and logs can be monitored to ensure that no one has mistakenly replied.

Paul
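The two checks the write-up points at, as an added example that is not AusCERT's code: flag inbound mail whose From claims the university while its Reply-To routes answers to an outside (here free webmail) account, then search outbound mail logs for the users who replied to it. The organisation domain, the addresses and the key=value log format are constructed placeholders.

```python
# Added example (not AusCERT's code): flag inbound mail whose From claims the
# university but whose Reply-To points outside it, then find who answered it
# in outbound mail logs. Domain, addresses and log format are placeholders.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "xxxxxx.edu.au"  # placeholder, redacted as in the article


def _domain(header_value):
    """Lower-cased domain of an address header, '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def reply_to_mismatch(raw_message):
    """Return the external Reply-To address when From claims the organisation
    (by address or display name) but replies are routed elsewhere, else None."""
    msg = message_from_string(raw_message)
    from_hdr = msg.get("From") or ""
    from_dom, reply_dom = _domain(from_hdr), _domain(msg.get("Reply-To"))
    if not reply_dom or reply_dom == from_dom:
        return None
    claims_org = from_dom.endswith(ORG_DOMAIN) or ORG_DOMAIN in from_hdr.lower()
    if claims_org and not reply_dom.endswith(ORG_DOMAIN):
        return parseaddr(msg["Reply-To"])[1].lower()
    return None

def senders_who_replied(log_lines, phisher_addresses):
    """Internal senders whose mail went to a flagged Reply-To: reset these first."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("to", "").lower() in phisher_addresses:
            hits.append(fields.get("from", "").lower())
    return hits

# Constructed sample modelled on the first email quoted in the article.
PHISH = """From: XXXXXX EMAIL TEAM <postmaster@xxxxxx.edu.au>
To: Undisclosed recipients: ;
Subject: VERIFY YOUR XXXXXX.EDU EMAIL ACCOUNT NOW !!!
Reply-To: XXXXXX@hotmail.com

Dear Email Account Owner, confirm your username and password below.
"""
# Constructed outbound MTA log lines; the key=value layout is an assumption.
OUTBOUND_LOG = [
    "2008-02-01T09:14:03 from=alice@xxxxxx.edu.au to=XXXXXX@hotmail.com status=sent",
    "2008-02-01T09:20:11 from=bob@xxxxxx.edu.au to=colleague@xxxxxx.edu.au status=sent",
]
```

Feeding `reply_to_mismatch(PHISH)` into `senders_who_replied(OUTBOUND_LOG, {...})` yields the single internal account that answered the phisher, which is the list to reset and watch first.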