Last Updated: 2008-06-17 17:09:50 UTC
by Kyle Haugsness (Version: 1)
We received a report today from an EDU that received hundreds of undeliverable notices from other EDU domains. Their "helpdesk" email box had been used as the spoofed from address in a simple "ask for the user's password to avoid account closure" attempt to gather email account passwords from unsuspecting college students. But instead of going to a website, user is just supposed to send the account details to an email address at the bottom of the page. Turns out that a couple of them replied with their account details to the EDU, instead of the attacker. It is somewhat of a catch-22 for the attacker - use a more official "from" address and user is more likely to reply; but the same user is likely not to follow the directions at the bottom of the message stating send your reply to firstname.lastname@example.org.
The story reminds me of "stupid criminal" stories. But on the Internet, there is less chance of getting caught and more likelihood that someone will fall for the attack.