The following is a description of the July 9th, 2009 phishing attack and OIT's response.

On July 9th, 2009 around 6:15pm, phishers sent the following email to around 800 email addresses at ncsu.edu:



Subject: Mandatory Security Update: July 2009
From: IT Help Desk

North Carolina State University
Raleigh, NC 27695

URGENT SECURITY UPDATE - JULY 2009

Due to the recent increase in spam emails, we have upgraded to an advanced server for your premium security to prevent spam from getting to your inbox. As a result of this, it is important that you login to your email using the link below, to make sure that your account information is up-to-date.

Click Here to Protect Your Account

This email has been sent to all NCSU Webmail users and it is mandatory to follow.

Thank you for your cooperation.

IT Department
Copyright © 2009 North Carolina State University




The phishing email came from server12.nvhserver.com, and the From: address was it_dept@ncsu.edu. This phishing email is the first to include a link to an off-campus server where the usernames and passwords were collected. Most phishing emails ask for a reply by email to a non-ncsu.edu email address.


The phishing site was hosted at http://ncsu.edu.ec-uk.org, which was at IP address 75.127.89.94. It appeared like this at first:




Phishing website


This is a pretty good copy of the real webmail.ncsu.edu login page from July 9th, 2009. In response, at 8:30pm ComTech updated the DNS servers so that anyone using them on campus (or over a VPN connection) who tried to visit the phishing site at ncsu.edu.ec-uk.org would be sent to the web server at net112vip.comtech.ncsu.edu instead. This prevented anyone on campus from going to the phishing site, but we wondered what we could do to warn those who might read the email from home.

The phishing website was off campus on a server we didn't control, but we noticed that its images were linked directly to our webmail servers. OIT systems was therefore able to change the graphics so that the phishing site looked like this:




NC State Webmail

Recent System Announcements:
Jul 09 13:11 - UPS Cutover for 123E Kilgore
Jul 09 11:03 - WDS-Main Performance Testing
Jul 09 08:26 - Network Outage for the Arboretum Complex
Jul 08 22:13 - GWPO13 issue
Jul 08 17:02 - WolfTech domain controller upgrade


Webmail Tutorial | SPAM Assistance | Mail Quota Management | Email Services | NC State Help Desk | WolfWise Web Access
SquirrelMail | By the SquirrelMail Project Team

 New Antivirus software is available! Download the new Trend Micro Antivirus software today!




Additionally, the URL of the phishing site was reported as a forgery to Trend Micro, Symantec, Google, Yahoo, Microsoft, PhishTank and malwaredomains.com.

This way, web browsers with web reputation features would give a warning to the user if the link in the email was opened.
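Because the phishing page loaded its images from the campus webmail servers, those image requests would normally carry the phishing site's URL in the Referer header and so be visible in the webmail servers' own access logs. The following is an added example, not OIT's code or part of the original write-up: it scans access-log lines for image requests referred from a host outside an allow-list. The log format (Apache combined), image paths, client IPs and allow-list are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts allowed to embed webmail images (assumed allow-list; exact match only,
# so "ncsu.edu.ec-uk.org" is not mistaken for an ncsu.edu host).
ALLOWED_REFERER_HOSTS = {"webmail.ncsu.edu"}
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")

# Apache "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None

def is_foreign_embed(path, referer):
    """True when an image is requested by a page on a host outside the allow-list."""
    if not path.split("?", 1)[0].lower().endswith(IMAGE_EXT):
        return False
    host = referer_host(referer)
    # A missing Referer proves nothing; only flag a known foreign host.
    return host is not None and host not in ALLOWED_REFERER_HOSTS

def foreign_embedders(lines):
    """Map each foreign referring host to the client IPs that loaded images via it."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_foreign_embed(m["path"], m["referer"]):
            hits.setdefault(referer_host(m["referer"]), set()).add(m["ip"])
    return hits

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jul/2009:18:40:01 -0400] "GET /images/logo.gif HTTP/1.1" 200 2326 "https://webmail.ncsu.edu/" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jul/2009:18:41:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://ncsu.edu.ec-uk.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Jul/2009:18:43:30 -0400] "GET /images/banner.png HTTP/1.1" 200 9120 "http://ncsu.edu.ec-uk.org/login.php" "Mozilla/4.0"',
    '198.51.100.7 - - [09/Jul/2009:18:41:13 -0400] "GET /images/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [09/Jul/2009:18:45:00 -0400] "GET /src/login.php HTTP/1.1" 200 5120 "http://ncsu.edu.ec-uk.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, clients in foreign_embedders(SAMPLE_LOG).items():
        print(host, sorted(clients))
```

The client IPs collected per foreign host are the visitors who rendered the cloned page, which gives a starting list for follow-up with users who may have entered credentials.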





Send questions or comments to security@help.ncsu.edu

Last updated 10 Jul 2009 by tsg