Security | OSU CBC Info

Email Phishing Reminder – Always Ask Before Sending Passwords/Infomation

April 21, 2008

Specifc Recent Threat: http://8help.osu.edu/status/933.html

General Information: “PHISHING” SCAM ALERT FROM OIT

These Scams involve asking you to send your Password & more. DO NOT REPLY!
Recently, a number of e-mails began circulating from a source claiming
to be from the Ohio State webmail team or admin managers. The e-mails
ask people to submit their osu.edu e-mail account information and
password, sometimes along with personal information like a birth date.
Some other qualities of these attacks may include a non-OSU reply-to
address, poor grammar and incomplete or improper OSU branding. These
messages are not from OIT and, furthermore, OIT will never ask you for
your password. These e-mails are phishing attempts and not legitimate
requests. You should never reply to these e-mails and never give your
password to anyone. OIT expects these attacks to continue because
senders expect financial gain by accessing your account to send mass
mail or having your personal information. If you ever have a question
about the legitimacy of an e-mail, please call 688-HELP (8-HELP) for
verification. More information on phishing is available on the Buckeye
Secure phishing page.

MySpace, Facebook problems with IE 6,7

February 25, 2008

by wear.1@osu.edu at 10:26am

Apparently, there are some real security problems with Facebook and MySpace plug-ins for IE 6,7 (ActiveX).

From Slashdot:

According to the Washington Post’s Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also ‘probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.’ The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry.

Users of these social networking sites should aim to secure their personal machines against possible exploitation.

Phishing – Requests for Username/Password

February 23, 2008

by wear.1@osu.edu at 10:54am

A reminder to all users- never respond to requests for account information of any kind. When in doubt, contact support and ask for clarification. The following Phishing attack came in on Feb. 23rd, 2008:

Notification from osu.edu this site is under serious construction

We are upgrade the site to the 2008 edition of uso.edu webmail technology,

All customer are therefore advice to provide us with the following informaton

Personal Domain Information

ACCOUNT USER NAME,
ACCOUNT PASSWORD,

click reply to send information

This is not a legitimate request and the best response is to ignore these kinds of emails.