[Micronet] Does Someone in Security Want To Know About Phishing Attempts?


John McChesney-Young
Yesterday and today our main departmental account received "from"
berkeley.edu addresses phishing spam. I use the quotes because
although the full headers looked legitimate, I'm ignorant enough they
could have been spoofed and I just didn't catch it.

Does [hidden email] or someone else like to have copies of
these things? I don't think simple receipt of them - especially when
it's not a spear phish - counts as a reportable incident (per
https://security.berkeley.edu/contact?destination=node/35), but it
seems they could be used in aggregate to refine spam filters or track
patterns or even just compile statistics.

I was also wondering whether messages that are apparently from
berkeley.edu addresses may indicate compromised accounts and be
reportable on that basis. I don't want to make more (and unnecessary)
work for security, but I want to do the right thing.

John

--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Does Someone in Security Want To Know About Phishing Attempts?

Mike Howard
I typed "phishing" into the search box on the security dot berkeley dot edu website and found this text in a news article from 2012-01-12:

"If you receive an email that you suspect may be phishing, do not respond to the sender. You can forward the email with full headers to consult @ berkeley.edu for investigation."

Maybe they can add that text to the "Contact Us" and "Phishing FAQ" pages too.

(It's tedious to avoid links in emails.)

--
Mike Howard
Network Engineer
UC Berkeley SAIT

 

Re: [Micronet] Does Someone in Security Want To Know About Phishing Attempts?

Jon Broshious-2
I'm not going to tell you what we do with those emails. But I want to pass along how to report phishing and spearphishing email.
Forward the email to [hidden email], with the headers. The headers are also called source code.
Time is of the essence. If you notice the phishing email the next day? Or the day after that? It's already too late. Don't bother. Somebody, or dozens of somebodies, have beat you to it. But if you just got the message in the last few minutes, copy the source information and forward on the message as quickly as possible. Even forwarding the message instantly, and following up with the source is really appreciated. You will get an auto reply. And you simply reply back with the source data that shows the actual email address and server the email came from.

Jon Broshious

-- 
Jon Broshious
Information Services and Technology
Campus Technology Services
University of California, Berkeley
[hidden email]
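
The following is an added example, not part of Jon's post or any campus tooling: a way to pull "the actual email address and server the email came from" out of a message's source. It answers the spoofing doubt in the original question by trusting only the Received line stamped by the receiving server. The sample message is constructed, and treating mx.berkeley.edu (the host named in the bounce quoted later in this thread) as the stamping server is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message claiming a berkeley.edu sender. The other
# hosts, addresses and IPs are made up (documentation ranges).
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.25])
\tby mx.berkeley.edu (Postfix) with ESMTP id ABC123
\tfor <dept@berkeley.edu>; Wed, 23 Oct 2013 09:30:02 -0700
Received: from webmail.berkeley.edu (unknown [192.0.2.7])
\tby mailer.example.net with ESMTP; Wed, 23 Oct 2013 09:29:58 -0700
From: "IT Help Desk" <helpdesk@berkeley.edu>
To: dept@berkeley.edu
Subject: Mailbox quota exceeded

Click the link to keep your account.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def domain(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def summarize(raw, trusted_mx):
    msg = message_from_string(raw)
    hop = None
    # Received headers are prepended, so read top-down and stop at the first
    # one stamped by our own MX; everything below it was supplied by the
    # sending side and can be forged (here: the fake webmail.berkeley.edu hop).
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m and m.group("by").lower() in trusted_mx:
            hop = m.groupdict()
            break
    from_dom = domain(msg["From"])
    env_dom = domain(msg["Return-Path"])
    return {
        "from_domain": from_dom,          # what the reader sees
        "envelope_domain": env_dom,       # where bounces go
        "handoff_host": hop and hop["rdns"],
        "handoff_ip": hop and hop["ip"],  # server that connected to our MX
        "mismatch": from_dom != env_dom,  # a signal to report, not proof
    }
```
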

 

Re: [Micronet] Does Someone in Security Want To Know About Phishing Attempts?

John McChesney-Young
In reply to this post by Mike Howard
On Wed, Oct 23, 2013 at 10:20 AM, Aron Roberts <[hidden email]>
wrote in part:
> The bConnected team has requested copies of phishing spam be sent
> directly to them...
>
> ...this page suggests sending copies of phishing spam to
> [hidden email].  ...

Interestingly, my message with the original of two phishing emails to
that address bounced:

Delivery to the following recipient failed permanently:

     [hidden email]

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the
server for the recipient domain berkeley.edu by mx.berkeley.edu.
[169.229.218.141].

The error that the other server returned was:
550 Message contains malware (ClamAV:HTML.Phishing.APERlink-30000.UNOFFICIAL)

***

Maybe the hideous HTML source really is hiding a very small piece of
malware inside.

John


--
John McChesney-Young, Administrative Assistant
History of Art Department, 416 Doe MC6020
U. C. Berkeley, Berkeley CA 94720-6020
[hidden email] // voice 1-510-642-5511 // fax 1-510-643-2185

 

Re: [Micronet] Does Someone in Security Want To Know About Phishing Attempts?

Bernie Rossi
Hi Everyone,

Please send any phishes to [hidden email].  This account has been
specially set up to receive them.

Receiving the below error message indicates that the phish has already
been blocked in our system.  You will not receive this message if you
send to [hidden email].

Thanks,

Bernie

On 10/23/13 11:53 AM, John McChesney-Young wrote:

> On Wed, Oct 23, 2013 at 10:20 AM, Aron Roberts <[hidden email]>
> wrote in part:
>> The bConnected team has requested copies of phishing spam be sent
>> directly to them...
>>
>> ...this page suggests sending copies of phishing spam to
>> [hidden email].  ...
> Interestingly, my message with the original of two phishing emails to
> that address bounced:
>
> Delivery to the following recipient failed permanently:
>
>       [hidden email]
>
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the
> server for the recipient domain berkeley.edu by mx.berkeley.edu.
> [169.229.218.141].
>
> The error that the other server returned was:
> 550 Message contains malware (ClamAV:HTML.Phishing.APERlink-30000.UNOFFICIAL)
>
> ***
>
> Maybe the hideous HTML source really is hiding a very small piece of
> malware inside.
>
> John
>
>


 