Don't send login credentials via email

Filed Under: SophosLabs, Spam

In the last couple of hours, we've seen spam messages, obviously sent by hackers (as opposed to your run-of-the-mill spammer), claiming to be from the .edu domain administration department, asking the recipients for their login id and passwords.

For your amusement and education, I've taken the teachers pen to the email and circled just a few of the things that immediately stood out to me, as a spam analyst, that lend weight to the argument that the email is a fake.

edu-scam-small.jpg

Most of the red pen highlights either a lack of attention to detail, a poor grasp of English, or perhaps an unusual aversion to spell checkers (of course, being l33t h4xx0rz they probably used vim to author the email... sad that they haven't figured out much beyond :wq). However, some of the red needs explaining.

The most obvious indicator that this is less than legit is that it asks people to respond to a @live.com email address. Live.com is owned by Microsoft and provides free email addresses to the general public. If this were really some sort of official communication, it would undoubtedly have come from an address at your university.

Next, .edu is a Top Level Domain. They provide a DNS record that tells your computer which IP address to ask for information about systems at your-uni.edu. The system administrators @ your-uni.edu look after email aliases for your-uni. It is they who have the capability to create and destroy login accounts at your-uni.edu, not the TLD admins at the .edu registrar.

Consider also, that the message employs threats in order to cajole you into divulging your credentials. The admins @ your-uni.edu have tools and utilities allowing them to easily locate and dump user account information. They probably also have redundant systems, backups at remote locations and generally follow other well known best practices including roll back procedures for major upgrades. Should they actually needed to audit users, they'd be very unlikely to do so in the manner suggested by this email.

Now think to yourself: If the email got into the wrong hands, what is the worst that could happen?

For the folks that have fallen for this scam, it's quite probable that their account at the University will be used to send out yet more spam. Their best course of action is to inform the admins at their uni and follow their advice. The admins should know what to do about it.

But consider this: what if the hackers aims are more insidious than just making a buck out of spam? What if, right before printing the final copy of your thesis, you find that your files have become encrypted and someone leaves you a message demanding a LOT of money for decryption? It certainly wouldn't be the first case of cyber extortion and I doubt it would be the last.

*Sigh* This rates amongst the poorest quality scam's I've ever seen (you have no idea how many that is!). You can see from the image, I give it an F minus.

You might like