It looks like the Fall 2008 phishing season has re-opened. In the last few days, I have seen more variations of the same phishing attack than I have all summer. The scam usually revolves around scaring users into giving up their username, email address and/or password. The pretexts vary, ranging from expired email addresses to incorrect claims that the account was involved in illegal activities or in spam abuse.
A common message typically looks something like this:
Due to spam complaints of email users in our webmail system, our
investigation shows that your email address is compromised and is used to send
out spam message in our webmail system. As a result, our network
engineer will be conducting a maintenance in our webmail system, your Username
will be disabled if you do not send us the required information within 24hrs.
Your Full Names:
We value your business and thanks for using our Webmail Service.
No IT department will ever ask for passwords. Any email that you
receive that asks for one (or any other personal or confidential
information) should be promptly deleted and/or reported to your local
abuse team. Another dead give-away is the contact email address at
Interestingly enough, where phishing messages typically
flooded an entire domain, the latest ones seem to be much more targeted:
only 50-100 of the top-level managers received it. The attack is not
customized and targeted enough to qualify as spear phishing, but it is
not your regular run-of-the-mill phishing run either.
The typical response to such an attack is blocking messages at the border
(inbound and outbound), retraction of delivered but unopened messages,
and log analysis to figure out if anyone responded to the phishing
When someone did respond, the first order of
business is to disable that user's password until he or she has time to
reset it (only in a controlled and authenticated fashion), and to
review additional log files for any irregular behavior of that user.
As you may notice, log review is an essential tool in the response to a
phishing attack. Make sure you have logs, but also that you can trust
them, know where they are, and know what they mean.
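The log-analysis step described above, worked through as an added example that is not part of the original diary: a small Python triage script that reads a mail-gateway log, lists which internal users received mail from the phisher's domain (the recall list) and which of them later sent anything back to that domain (the disable-password list). The log format, the domain webmail-upgrade.example.invalid and all addresses are constructed for the example; a real gateway log would need its own parser in place of LINE_RE.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample log (not a real MTA format): one message per line with
# timestamp, direction as seen by the gateway (IN/OUT), envelope sender,
# envelope recipient and the quoted Subject header.
SAMPLE_LOG = """\
2008-09-15T07:50:00 OUT erin@corp.example helpdesk@webmail-upgrade.example.invalid "password help"
2008-09-15T08:01:12 IN  support@webmail-upgrade.example.invalid alice@corp.example "Webmail Maintenance Notice"
2008-09-15T08:01:13 IN  support@webmail-upgrade.example.invalid bob@corp.example "Webmail Maintenance Notice"
2008-09-15T08:01:14 IN  support@webmail-upgrade.example.invalid carol@corp.example "Webmail Maintenance Notice"
2008-09-15T08:40:02 OUT alice@corp.example vendor@partner.example "Re: Q3 invoice"
2008-09-15T09:12:45 OUT bob@corp.example verify-account@webmail-upgrade.example.invalid "Re: Webmail Maintenance Notice"
2008-09-15T10:05:19 OUT carol@corp.example dave@corp.example "lunch?"
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(r'^(\S+)\s+(IN|OUT)\s+(\S+)\s+(\S+)\s+"(.*)"$')
Record = namedtuple("Record", "ts direction sender recipient subject")


def parse_log(text):
    """Turn the constructed gateway log into Record tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, direction, sender, recipient, subject = m.groups()
        records.append(Record(datetime.fromisoformat(ts), direction,
                              sender.lower(), recipient.lower(), subject))
    return records


def domain_of(address):
    return address.rsplit("@", 1)[-1]


def phish_recipients(records, phisher_domain):
    """Map each internal recipient of mail from the phisher's domain to its first delivery time."""
    delivered = {}
    for r in records:
        if r.direction == "IN" and domain_of(r.sender) == phisher_domain:
            delivered.setdefault(r.recipient, r.ts)
    return delivered


def triage(text, phisher_domain):
    """Build the response lists: who to recall from, whose password to disable, what to review."""
    records = parse_log(text)
    delivered = phish_recipients(records, phisher_domain)
    responders, review = set(), set()
    for r in records:
        if r.direction != "OUT" or domain_of(r.recipient) != phisher_domain:
            continue
        first_seen = delivered.get(r.sender)
        if first_seen is not None and r.ts >= first_seen:
            # Outbound to the phisher after the lure arrived: treat as a response.
            responders.add(r.sender)
        else:
            # Outbound to the phisher's domain with no matching lure in this log:
            # not proof of a response, but an analyst should look at it.
            review.add(r.sender)
    return {
        "recall_message_from": sorted(delivered),       # retract the lure from these mailboxes
        "disable_password": sorted(responders),         # reset only via an authenticated channel
        "review_manually": sorted(review - responders),
    }


if __name__ == "__main__":
    for key, users in triage(SAMPLE_LOG, "webmail-upgrade.example.invalid").items():
        print(f"{key}: {', '.join(users) or '-'}")
```

The ordering check (reply timestamp at or after the lure's delivery) keeps unrelated earlier traffic out of the disable list, which is why erin lands under manual review rather than being locked out automatically. The script only shows who replied to the phisher by mail; a user who followed a link and entered credentials on a web form would only appear in proxy or web logs, which is one reason the diary insists on knowing where all your logs are.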
Of course, continued awareness training is important, as it may reduce the response effort to containment and eradication.