Yet another CalMail phishing attempt

February 20th, 2010

Still fairly obvious, but it looks like phishers are getting better. Below is the email with full headers (headers revealing my secret email server setup are redacted):

Return-path: xxxx...@berkeley.edu
Envelope-to: xxx...@xxxxxx.xxx
Delivery-date: Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxxx.berkeley.edu ([128.32.xxx.xxx])
        by xxxxx.xxxxxxxxxxxx.xxx with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
        (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0003HR-Mg
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from xxxxxxx by xxxxxxxx.Berkeley.EDU with local (Exim 4.69)
        (envelope-from <xxxx...@berkeley.edu>)
        id 1Nj4E2-0004s1-Bl
        for xxx...@xxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm03fe.ist.berkeley.edu ([169.229.218.144])
        by xxxxxxxxx.Berkeley.EDU with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E2-0004rv-9i
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:26 -0800
Received: from cm09be.ist.berkeley.edu ([169.229.218.182])
        by cm03fe.ist.berkeley.edu with esmtps (TLSv1:AES256-SHA:256)
        (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0005NQ-Cn
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cyrus by cm09be.ist.berkeley.edu with local (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4E1-0002WX-Ra
        for xxx...@xxxxxxxxxxxx.xxx; Sat, 20 Feb 2010 21:19:25 -0800
Received: from cm01fe.ist.berkeley.edu (cm01fe.IST.Berkeley.EDU [169.229.218.142])
        by cm09ms.ist.berkeley.edu (Cyrus v2.3.13-CalMail-v2.3) with LMTPA;
        Sat, 20 Feb 2010 21:19:25 -0800
X-Sieve: CMU Sieve 2.3
Received: from persius.rz.uni-potsdam.de ([141.89.68.1])
        by cm01fe.ist.berkeley.edu with esmtp (Exim 4.69)
        (envelope-from <webm...@berkeley.edu>)
        id 1Nj4Dy-0007hK-52; Sat, 20 Feb 2010 21:19:24 -0800
Received: from arnim.rz.uni-potsdam.de (arnim.rz.uni-potsdam.de [141.89.68.11])
        by persius.rz.uni-potsdam.de (8.12.11/8.12.11) with ESMTP id o1L50smS001879;
        Sun, 21 Feb 2010 06:00:54 +0100 (CET)
Received: from uni-potsdam.de (localhost.localdomain [127.0.0.1])
        by arnim.rz.uni-potsdam.de (8.13.8/8.13.8) with ESMTP id o1L50qp1025812;
        Sun, 21 Feb 2010 06:00:52 +0100
Received: from 41.138.182.176 ([41.138.182.176]) by webmail.uni-potsdam.de
        (Horde MIME library) with HTTP; Sun, 21 Feb 2010 06:00:52 +0100
Message-ID: <2010...@webmail.uni-potsdam.de>
Date: Sun, 21 Feb 2010 06:00:52 +0100
From: "Berkeley.edu Web-Administration" <webm...@berkeley.edu>
Reply-to: supp...@live.com
To: undisclosed-recipients: ;
Subject: Alert: Update your CalMail  account
MIME-Version: 1.0
Content-Type: text/plain;
        charset=ISO-8859-1;
        DelSp="Yes";
        format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
User-Agent: Internet Messaging Program (IMP) H3 (4.1.6)
X-Virus-Scanned: clamav-milter 0.95.3 at arnim.rz.uni-potsdam.de
X-Virus-Status: Clean
X-j-chkmail-Score: MSGID : 4B80BE06.000 on persius : j-chkmail score : X : 5/50 0
X-Miltered: at persius with ID 4B80BE06.000 by Joe's j-chkmail (http://j-chkmail.ensmp.fr)!
X-Ucb-Scan-Signature: 606d01dea56a423fb13a5c3f55ff5ffa3eae29a5
X-Ucb-Spam: Gauge=IIIIIII, Probability=7%, Report=''
X-Ucb-Notice: This message has been processed by a spam tagging system.
        See http://mailinfo.berkeley.edu/ for more information.

--

Dear CalMail User,

Your email account needs to be upgraded with our new F-Secure® HTK4S
anti-virus/anti-spam 2010 version.
Fill the columns below and click reply to send back or your account will be
suspended temporary from our services.

CalNet ID:
Passphrase:
Phone Number:

Berkeley.edu Web-Administration
Greg Silva

https://calmail.berkeley.edu/

----©2010, University Of California.

Note the fairly convincing From: address. Most email clients will hide a lot of the suspicious routing information; however, the Reply-to: header (which would route the reply to supp...@live.com, and which the phishing relies on) should be visible in most email clients, which means, yet again, that people who pay attention to details shouldn’t be taken in by this rather amateurish phishing attempt.

Not to mention one should never send passphrases over email—even if you know the recipient; email is transmitted in clear text between servers and is inherently insecure.
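
The two header signals discussed above (a Reply-to: domain that differs from the From: domain, and a first relay outside the claimed sender's organisation) can be checked mechanically. The following is an added example, not part of the original post; the sample message, its example.* hosts and documentation IP addresses, and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message above; every address and host
# is a placeholder (example.* / documentation IPs), not a value from the post.
SAMPLE = """\
Received: from mx1.example.edu ([192.0.2.10])
\tby store.example.edu with esmtp; Sat, 20 Feb 2010 21:19:25 -0800
Received: from relay.example.org ([198.51.100.1])
\tby mx1.example.edu with esmtp; Sat, 20 Feb 2010 21:19:24 -0800
Received: from 203.0.113.7 ([203.0.113.7]) by webmail.example.org
\twith HTTP; Sun, 21 Feb 2010 06:00:52 +0100
From: "Example.edu Web-Administration" <webmaster@example.edu>
Reply-To: support@example.net
To: undisclosed-recipients: ;
Subject: Alert: Update your account

Fill the columns below and click reply to send back.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_headers(raw):
    """Return a list of findings for the two header signals discussed."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Each hop prepends its Received line, so the last one is the oldest.
    # Lines below your own border MTA are sender-supplied: a hint, not proof.
    hops = msg.get_all("Received") or []
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", hops[-1]) if hops else None
    if m and not same_org(m.group(1), from_dom):
        findings.append(f"first relay {m.group(1)} is outside {from_dom}")
    return findings
```
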

Categories: security