Security >> Vulnerabilities (2008) >> 2008/04/03

On Saturday, 29 March 2008 several users received spear phishing attacks inviting them to reveal their passwords as follows (names of the offending sites have been changed):

From: "WEBMAIL SUPPORT" <tullyseamus@XYZ-Net.net>
Reply-To: <web-support@UVW-Com.com>
To: [undisclosed]
Subject: Dear uwaterloo.ca Webmail Subscriber
Date: Sat, 29 Mar 2008 12:58:59 +0000

Dear uwaterloo.ca Webmail Subscriber,

To complete your uwaterloo.ca Webmail account, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

You can also confirm your email address by logging into your uwaterloo.ca Webmail account at https://uwaterloo.ca

Thank you for using uwaterloo.ca!

THE uwaterloo.ca TEAM
uwaterloo.ca WEBMAIL SUPPORT
Confirm Your E-mail Address
support@uwaterloo.ca

------------------------------------------------------------
Find the home of your dreams with XYZ-Net net property
Sign up for email alerts now http://www.XYZ-Net.net/propertyalerts

It should be clear that this is a hoax and not mail from the "Webmail Support" group at the University of Waterloo:

• Support staff will never ask for your password.
• Important changes to systems are announced well in advance -- support staff would never "immediately" yank access.
• Mailings sent outside of regular work hours are very suspicous -- why would they do this on a Saturday?
• Note the timezone -- the message was sent from the GMT timezone (England and the British Isles).
• Support staff at the University of Waterloo do not use mail services at other sites -- if it did not come from our site you should be suspicious.
• If you reply to a message verify where the reply is going. Why would support staff at our site have you reply to an off-site location?
• Note that the return address and the reply-to address don't match. And neither are local addresses.
• Note the trailer advertising property -- a trailer added by a webmail interface at some other site. Definitely not what one would expect on official correspondence from support staff.
• A quick search of the UWaterloo web site fails to find a "WEBMAIL Support" group.

Finally, if you have any questions/concerns or need help please let us know.

Information Systems & Technology
University of Waterloo
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4567 x37070

Contact Us | Give Us Feedback | Privacy Statement