Today I received an IMPORTANT email from billing at walmart dot com. It looked pretty sharp, but since I knew I had no issues with Walmart, I didn’t heed the warning to update my account information or I’d be unable to order.
With a little (I mean teeeensy-weeeensy) review of the email I found where a victim would be sent to, which turns out to be a High School track team. I forwarded the initial email to the administration at the High School.
This shit was so unbelievably stupid - once you got to the track team’s website there were names, email addresses, all laid out for me. I didn’t roast the kids, though, figgered I’d keep 'em in the dark until an Admin approaches them. Don’t want to tip them off, yanno.
What would you do? Newspapers? Local TV? Wait for a response that was requested from the school’s Admin?
Can you elaborate as to the context of what you found?
My first reaction upon reading your post was that the track team’s website had been compromised and used by a remote unauthorized user to host the phishing page and/or the collection point for phished data.
This was my first thought as well. I think it’s more likely a clever hacker is just using them for storage space. Anyone bright enough to initiate a phishing scam is bright enough to put it on someone else’s servers.
Okay, to be honest, THAT’S what I want to believe. I hope it’s true. The link was presented as “walmart com/cservice/survey?customersurvey=546”. It takes you to a very legit looking “WalMart” website where you’re supposed to enter your information.
Upon rollover I see: http: // www. rhstrack.com/news2/.walmart/.
(lack of dots and spaces provided by me, as a courtesy)
I, too, find it unlikely the team knows anything about it. The sites are generally hacked, and it’s unlikely a HS track team would be able to make good on any phishing.
Schools are notoriously bad for not keeping their systems patched. The “.walmart” part of the path screams phishing kit to me.
Contacting the administrators was a good idea. They just need to know they have a problem, regardless of who you believed was responsible when you contacted them. But…schools are also notorious for not reading their administrator mail, so I’d also fire off a report to folks who do read their mail, like the abuse desk of the network who owns the IP being used to host the site: abuse@layeredtech.com.
And if you’re dying to complete the round-robin of “netizen of the week”, you’ll probably find that some other compromised system was used to send the email that linked to the site, and you can fire off yet another report to whatever network owns the originating IP of the mail, which you can find in the extended headers.
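As an added example, not posted by anyone in this thread, here is a small Python triage script that does the two things the last post describes: walk the Received headers to find the originating IP of the mail (the bottom-most hop, to be reported to whoever owns that network), and pull the links out of the body to flag the signs discussed earlier, namely display text naming one host while the href points at another, and a dot-prefixed "hidden" directory such as `.walmart` in the path. The sample message is constructed: its relay hosts and IPs are documentation-range addresses, and only the link host is the one quoted above.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not the real email from the thread). The hop
# IPs are RFC 5737 documentation addresses; the link host is the one quoted
# in the thread. Tabs at line starts are header folding, as in real mail.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id abc123; Tue, 1 Jan 2008 10:00:02 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 1 Jan 2008 10:00:01 -0500
Received: from user-pc (unknown [192.0.2.55])
\tby relay.example.net with SMTP; Tue, 1 Jan 2008 10:00:00 -0500
From: "Walmart Billing" <billing@walmart.com>
To: victim@example.org
Subject: IMPORTANT: update your account information
Content-Type: text/html

<html><body>
<p>Please update your account or you will be unable to order.</p>
<p><a href="http://www.rhstrack.com/news2/.walmart/">walmart.com/cservice/survey?customersurvey=546</a></p>
</body></html>
"""

# IPv4 literal in square brackets, as MTAs write it in Received headers.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Anchor tags in an HTML body: href and the visible link text.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def received_chain(raw):
    """Return the bracketed IPs from each Received header, top (last hop) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IPV4_IN_BRACKETS.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops


def originating_ip(raw):
    """The bottom-most Received header is the earliest hop, i.e. the sending host.

    Caveat: only the headers added by your own mail servers are trustworthy;
    anything below them could have been forged by the sender.
    """
    hops = received_chain(raw)
    return hops[-1] if hops else None


def suspicious_links(raw):
    """Extract links from the HTML body and list why each looks like phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = []
    for href, text in LINK.findall(html):
        text = text.strip()
        target = urlparse(href)
        # Treat the visible text as a URL too, so we can compare hostnames.
        shown = urlparse(text if text.startswith("http") else "http://" + text)
        reasons = []
        if shown.hostname and target.hostname and shown.hostname != target.hostname:
            reasons.append("display host %s differs from link host %s"
                           % (shown.hostname, target.hostname))
        # A dot-prefixed path component is a hidden directory: a common place
        # for a phishing kit dropped on someone else's compromised web server.
        if any(part.startswith(".") for part in target.path.split("/") if part):
            reasons.append("hidden directory in path")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("hops (last hop first):", received_chain(SAMPLE_EMAIL))
    print("originating IP to report:", originating_ip(SAMPLE_EMAIL))
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]) or "nothing flagged")
```

Once you have the originating IP and the hosting IP, the abuse contact is looked up with whois on the address (not the domain), which is how the abuse desk mentioned above was identified; that lookup is left out here so the script runs offline.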