In a fit of déjà vu, I woke up to hear that Carleton University in Ottawa had been hit by a phishing attack: “tens of thousands of email messages” sent to university-related email accounts.

http://www.cbc.ca/technology/story/2008/07/23/ot-carleton-080723.html?ref=rss
It’s not clear from the press release how the attackers obtained the email addresses, but in a June article on this site I outlined how this can happen when access to the directory server’s list of email addresses is inadequately controlled: a directory that answers anonymous queries for the mail attribute is, in effect, a ready-made target list.

That article can be found at:

http://securityviews.com/blog/2008/06/20/the-first-steps-in-reducing-the-embarrassing-frequency-of-college-system-breaches/
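As an added illustration of the directory-access weakness mentioned above (this is not configuration from Carleton or from the June article, and the page does not say which directory product the university runs), here is what the problem and the fix look like in an OpenLDAP slapd access-control list. The suffix `dc=example,dc=edu` and the hostname are placeholders:

```conf
# --- Weak: the whole directory, including the mail attribute, is readable
# --- by anonymous (unauthenticated) clients.  Anyone on the network can
# --- harvest every address with one unauthenticated search:
# ---   ldapsearch -x -H ldap://ldap.example.edu -b "dc=example,dc=edu" "(mail=*)" mail
# --- A result set listing thousands of entries confirms the exposure.
access to *
    by * read

# --- Hardened: anonymous clients may only present credentials (bind);
# --- only authenticated users can read, and the mail attribute is
# --- restricted to the entry owner and authenticated users.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to attrs=mail
    by self write
    by users read
    by * none

access to *
    by users read
    by * none
```

slapd evaluates access clauses in order and stops at the first `access to` that matches the entry and attribute, so the attribute-specific rules must precede the catch-all. Re-run the same anonymous `ldapsearch` after the change; it should bind but return no entries, which is the check a practitioner would want before concluding the harvesting path is closed.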

The phishing site was a forged copy of Carleton University’s web site, and was apparently quite a convincing replica. Ralph Michaelis, the university’s CIO, issued a notice to the university community stating that the institution never asks for the kind of information requested in these phishing messages when it corresponds by email.