Phishing attacks on US Universities

We’ve had a few reports of Universities/Colleges being hit with some very targeted emails trying to get the userid and password of students. The email is usually along these lines.



Dear xxxxx Email Account Owner,

This message is from xxxxx messaging center to all xxxxx email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused xxxxx email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it’s a present used account.


Email Username : ………. …..

EMAIL Password : …………….

Date of Birth : ……………..

Country or Territory : ……….

Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for using xxxxxx!

Warning Code:VX2G99AAJ


Xxxxx Team


The sender will be often be [email protected] used to send message or university address
The reply address will be external to the organization. In the sample we have it is [email protected] (where xxxxx is the domain name used by the institution, without the .edu).

The message often passes through some SPAM filters due to the relatively low volume of messages.

If you have some samples we’d be interested in a copy.

Look for messages to multiple recipients and increased volume of internal email to one specific external address.

Update: Looking at the samples sent in, the text basically only varies where the xxxxx are in the sample shown. The reply addresses used so far were in and domains. The ones submitted to us have been taken care of.

Source: SANS