Phishing through a SBS box

On January 22, 2008, in news, by

Interesting thing in my inbox tonight.  It’s a normal everyday Phishing scam… looks like this:



Since I keep an eye on the types of servers that folks are using for phishing attacks, I hover over the link to see what server it was really redirecting to.  Instead of some foreign web site, what caught my eye was that it was http://mail.attorneyfirmname.com/clienthelp/signonscreen.htm.  Now for those of you that know your SBS boxes… clienthelp happens to be a screen inside an SBS network.



Yeah..that one.  Signonscreen.htm however is a new one that doesn’t belong there.  Sandi… of the Spyware Sucks fame who blogs at http://www.msmvps.com/blogs/spywaresucks investigated the page and found that the page inside the server redirects to another server that contains the “spoof” or phish page, so they are bouncing a phish through one server to another.


So for those of you who take care of SBS boxes…. be aware that there’s an SBS box out there with a problem, and both Sandi and I have pinged the contact person to attempt to make them aware of it.  But the moral of this story is to watch your firewall traffic logs and close down the access on that server.  Port 80 is open, RWW isn’t properly configured, and my guess is that someone was surfing at a workstation and brought in the bad thing that impacted and infected the server.


But it’s interesting that they are bouncing through one server to another these days.
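For admins who want to check their own box for the same symptom (a page that doesn't belong in the folder and bounces visitors to another server), here is an added example; it is not code from this post or from Sandi's investigation. The host names, the baseline file list and the sample pages are constructed placeholders, so build the real baseline from a known-good install.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Meta-refresh or script redirects that carry an absolute URL.
REDIRECT_RE = re.compile(
    r"(?:http-equiv\s*=\s*[\"']?refresh[^>]*?url\s*=\s*"
    r"|location(?:\.href)?\s*=\s*|location\.replace\(\s*)"
    r"[\"']?(https?://[^\"'\s>)]+)",
    re.IGNORECASE)

def external_redirects(html, own_hosts):
    """Return redirect targets in html whose host is not one of own_hosts."""
    targets = []
    for match in REDIRECT_RE.finditer(html):
        host = (urlparse(match.group(1)).hostname or "").lower()
        if host not in own_hosts:
            targets.append(match.group(1))
    return targets

def audit(pages, baseline, own_hosts):
    """pages maps file name -> HTML text. Returns {name: [reasons]} for suspect files."""
    known = {name.lower() for name in baseline}
    hosts = {host.lower() for host in own_hosts}
    findings = {}
    for name, html in pages.items():
        reasons = [] if name.lower() in known else ["not in baseline"]
        reasons += ["redirects to " + url for url in external_redirects(html, hosts)]
        if reasons:
            findings[name] = reasons
    return findings

def load_pages(folder):
    """Read every .htm/.html file directly inside folder, e.g. the clienthelp directory."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(folder).iterdir()
            if p.is_file() and p.suffix.lower() in {".htm", ".html"}}

# Constructed sample: one expected page and one planted redirector.
SAMPLE = {
    "default.htm": '<html><body><a href="http://mail.example.com/remote">RWW</a></body></html>',
    "signonscreen.htm": '<html><head><meta http-equiv="refresh" '
                        'content="0;url=http://phish.example.net/login.htm"></head></html>',
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, {"default.htm"}, {"mail.example.com"}).items():
        print(name, "->", "; ".join(reasons))
```

On a live server, pass `load_pages()` the actual folder path and review anything it reports against your firewall logs.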

 

2 Responses to Phishing through a SBS box

  1. Dean says:

    So what you’re saying is that they should be using two-factor authentication?

  2. sandi says:

    Hi Susan,

    The latest time I checked the URL in question the site was down, so they’ve taken heed of our warnings.

    That being said, I hope they have also heeded my advice to get expert assistance in to take a look at that box. I shudder to think what else the bad guys may have done to that server.