Showing posts with label SPAM. Show all posts

Thursday, September 13, 2012

Great Examples of Phishing - At Cornell University

The Cornell University Information Technologies website has a great resource of documented phishing examples. Please consider clicking on the link and seeing the kinds of exploits that are used to get people to click on or reply to bogus emails.

To view any of these examples in detail, please visit the Cornell University link at the beginning of this post.

These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is safe, just because it is not listed here. There are many variants of each, and new ones are being sent out each day. When in doubt, consult with your IT support staff or the IT Service Desk.

    FW: Chase Bank - Online System Upgrade (9/7/2012)
    Pay your Fedex invoice online (9/6/2012)
    WEBMAIL ADMIN*Quota Limit Exceeded (9/5/2012)
    Your account has been temporarily limited. ID K5008204 (9/1/2012)
    New e-card for you. (8/31/2012)
    for {your_name} (8/29/2012)
    Intuit/Quickbooks (8/28/2012)
    ACCOUNT ADMINISTRATOR (8/25/2012)
    Your Apple ID password has been reset (8/22/2012)
    PHISHING ALERT (8/22/2012)
    RE: Case# 7924236 (8/21/2012)
    Rejected Federal Tax transfer (8/21/2012)
    Your receipt #162013403684048 (8/15/2012)
    Wire Transfer Confirmation (FED REFERENCE 26963QE679) (8/14/2012)
    Bank of America Alert: Your Online Statement Is Ready (8/14/2012)
    Your friend sent you an e-card. (8/13/2012)
    Photos (8/13/2012)
    Your Citi Credit Card Statement (8/13/2012)
    Bank of America Alert: Online Banking Account Suspended? (8/10/2012)
    Microsoft Security Update (8/10/2012)
    You package has been delivered (8/10/2012)
    Schwab Report (8/8/2012)
    LinkedIn Reminder (8/7/2012)
    Welcome to Paypal - Choose your way to pay (8/6/2012)
    ADP Security Management Update (8/2/2012)
    Fwd: Wire Transfer Confirmation (... (8/1/2012)
    Re-Validation of Webmail Account (7/31/2012)
    Message From Micorosoft Helpdesk: Do This Now (7/30/2012)
    password expiration warning (7/26/2012)
    ADP Security Management Update (7/25/2012)
    Order N64950 (7/25/2012)
    ADP Generated Message: First Notice - Digital Certificate Expiration (7/25/2012)
    Fwd: Your Photos (7/25/2012)
    American Express Alert - Personal Security Key Reset (7/23/2012)
    Properties for Sale. (7/23/2012)
    Your Ebay confirmation of your transaction through Paypal. (7/23/2012)
    Your Sprint bill is now available online (7/16/2012)
    Message From I.T Helpdesk Expert (7/16/2012)
    We have received your payroll processing request. (7/16/2012)
    New incoming Intuit payments. (7/16/2012)
    An Issue of Billing... (7/13/2012)
    You have new UPS invoices (7/11/2012)
    You have received a new payment through the Intuit network. (7/10/2012)
    ADP Generated Message: First Notice - Digital Certificate Expiration (7/9/2012)
    USPS postage labels order confirmation. (7/6/2012)
    Your Receipt and Itinerary (7/6/2012)

Thursday, December 8, 2011

An excellent blog post, "The Top 10 countries with the most malicious networks", over at CountryIPBlocks has re-analyzed the list of data below with interesting statistics. The original list claims the US is the biggest offender of malicious networks. That list was sorted by the countries with the largest NUMBER OF SPAM EMAILS:
  1. United States
  2. China
  3. Russia
  4. United Kingdom
  5. Germany
  6. Japan
  7. Brazil
  8. Romania
  9. Ukraine
  10. Turkey

Unfortunately, these results are skewed by not explaining that there is a greater per capita incidence of Internet-connected individuals. The brilliant people at CountryIPBlocks.net discovered that the ratio of NUMBER OF INFECTED NETWORKS to THE AMOUNT OF SPAM is probably the more accurate consideration. That re-adjusted Top 10 list looks like this:


Here are the results based on percentage of infected networks:
  1. Brazil 89%
  2. Turkey 54%
  3. Romania 39%
  4. China 32%
  5. Russia 11%
  6. United Kingdom 11%
  7. Japan 10%
  8. Ukraine 9%
  9. Germany 6%
  10. United States 6%





Sunday, October 9, 2011

Symantec SPAM Guessing


According to the Symantec security blog, there's a new tactic of harvesting / guessing email addresses for every domain name. Spammers have programs that run through all possible first names against public domains (basically almost all domains), and check whether each message is refused or accepted and delivered. More importantly, Symantec is claiming small businesses are being specifically targeted for private information, since they are more careless about their information and security protection practices.
Here is what the blog says:
In fact, cybercriminals see SMBs as a prime target. Back in July, we talked about how some types of attacks more frequently target SMBs.  We keep finding examples of why SMBs can’t let down their guard when it comes to security.  Recently, we’ve seen targeted spam attacks become a problem for small businesses.
For example, spammers are increasingly using a traditional technique called a ‘dictionary attack’ against SMBs.  This trick uses dictionaries of first names and last names combined with a target domain. Spammers generate millions of potentially valid email addresses for a single domain. Spammers might try the following name and/or word variations:

john@companyname.com
jsmith@companyname.com
johnsmith@companyname.com
sales@companyname.com
info@companyname.com

An attack like this can be a problem for a large enterprise – even those with anti-spam technology in place – because the servers are still forced to accept the email connection, even if they are going to reject it because the user doesn’t exist.  But imagine how this can impact an SMB with a server designed for 250 or fewer users.
The entire article can be viewed here.
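
Added example, not from the original post or the Symantec article: one way a mail administrator could spot the address guessing described above, by counting distinct nonexistent recipients per sending IP in the server's reject log. The log lines are constructed and modeled on Postfix-style "User unknown" rejects; the regular expression, the threshold, and the function names are assumptions to adapt to your own mail server.

```python
import re
from collections import defaultdict

# Matches a Postfix-style reject for a nonexistent recipient (format assumed;
# adjust the pattern to whatever your own mail server actually logs).
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def _reject_line(ip, rcpt):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f"Oct  9 10:00:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; to=<{rcpt}>")

# Constructed sample: one source guessing names, one sender with a single typo.
SAMPLE_LOG = "\n".join(
    [_reject_line("203.0.113.7", f"{name}@companyname.com")
     for name in ("john", "jsmith", "johnsmith", "mary", "john")]
    + [_reject_line("198.51.100.20", "jonh@companyname.com"),
       "Oct  9 10:00:09 mx postfix/smtpd[101]: connect from unknown[198.51.100.20]"]
)

def harvest_suspects(log_text, min_unknown=4):
    """Return {(source_ip, domain): sorted unknown local parts} for sources that
    tried at least `min_unknown` distinct nonexistent addresses at one domain."""
    guesses = defaultdict(set)
    for line in log_text.splitlines():
        match = REJECT.search(line)
        if not match:
            continue  # not a "user unknown" reject
        local, _, domain = match.group("rcpt").lower().rpartition("@")
        guesses[(match.group("ip"), domain)].add(local)  # set ignores retries
    return {key: sorted(names) for key, names in guesses.items()
            if len(names) >= min_unknown}

if __name__ == "__main__":
    for (ip, domain), names in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip} guessed {len(names)} unknown addresses at {domain}: {names}")
```

A sender who mistypes one address stays below the threshold, while a source cycling through name variations stands out quickly.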