
Office of Information Security

Fresh Phish

As part of our phishing awareness campaign, Fresh Phish features recent phishing attempts directed at the UGA campus.  These emails have been reported by UGA faculty, staff and students who are alert to the dangers of scams and phishing attacks.

Messages are listed by subject line and date reported. A brief critique of each message is included to help you spot the red flags - the features found in most phishing emails - and the common patterns that can alert you to the potential dangers in your inbox.

Every once in a while you will notice that the name of the sender has been changed in an example. Why? It was a real person. And there's no reason to be mean or point fingers. Just imagine your name in place of "User Name" and you will understand why we chose to make the switch.

For some not-so-Fresh Phish, visit the Fresh Phish Archive where we have older examples of phishing email so you can see how phishing attacks get re-used.


Univeristy of Gerogia Announcement

Reported July 5, 2017

Well, Phish Spotters - it's the day after a holiday. We have all been away from campus for a day, or maybe more. It's back to work and a widespread phishing attack.

We have discussed in the past how the online bad guys try to play us. By now we should all expect to see at least one, if not more, phishing messages in our inboxes after a holiday. The phishers are trying to sneak one past us while we are distracted, in a hurry or just plain not paying as much attention as we should.

The red flags on this one are flying high!

  • "Univeristy of Gerogia"
  • Recipient not named
  • Strange capitalization and punctuation
  • Link not clearly visible
  • Not sent by a specific person
  • No contact information

Some of these messages have "UGA Admin Portal" as the sender while others list an actual person. In either case, it is highly likely that someone on campus has compromised login credentials.

From: User Name <username1[@]uga.edu>
Sent: Wednesday, July 05, 2017 10:47 AM
To: User Name 2 <username2[@]uga.edu>
Subject: Univeristy of Gerogia Announcement.


You have 2 Important messages from your Faculty, view log sheet below;

REVIEW_HERE: (Link removed.)


Regards

Univeristy of Georgia Admin Portal.

Don't forget that you should only provide a username and login on secure sites. Look at the address bar in your browser (URL info may show up in the lower part of your browser window):

  • Does the URL start with 'https'?
  • Is there a lock icon to show the login page/site is secure?
  • Is there an information icon you can click on to view site security info?

If the answer to any of these questions is "no", please be hesitant to provide your credentials. The site is unlikely to be secure and your credentials are likely to be at risk.

If you think your credentials are compromised, you need to change your password immediately.

Google

Reported June 28, 2017

The bad guys are at it again - this time with a Google Sweepstakes win!

This is a relatively well-crafted phishing attempt using recognized logos. So what gives it away? The following points provide clues to the email's bogusness:

  • The sender's address seems off. (A corporate email would have a corporate address - like 'google@gmail.com' - not an obscure sequence of letters and numbers.)
  • Has an attachment. (It is, arguably, supposed to be a surprise win)
  • You (the recipient) are not addressed by name.
  • Language is stilted and just plain odd. (Many Google users will know Google does not 'talk' like this.)
  • It was supposedly sent from Google UK. (Why not the US branch of Google?)
  • There is no contact information (There really should be some, since it is supposed to be a corporate email. Even Publisher's Clearing House provides contact info.)

Does Google even have a sweepstakes? Nope! But they do have a page on how to Avoid and report Google scams.

We included an image of the message with these points highlighted. You can click the image to open it in a new window.

[Google logo]

[Gmail envelope logo] Hello,

Google Inc. wishes to inform you that your e-mail account has been selected and therefore has made you one of our winners in the GOOGLE E-MAIL ONLINE SWEEPSTAKES PROMO.

This comes as a result of your active use of our online and ancillary services.

Check attached PDF FILE for your Official NotificationLetter and Claims Instructions.

Congratulations!!!

Google Sweepstakes Team

Google UK.

Google sweepstakes email

What can you do to investigate scams like this one without endangering your devices? Google it! (Kinda ironic, huh?) Turns out this scam has been cropping up for a couple of years. Phishers gonna phish.

Security Notice on UGAMail Account

Reported June 20, 2017

The phishers have turned things up another notch! We have gotten reports of the following email that claims to come from the EITS Help Desk. It does not.

The phishers have done their homework and know UGA pretty well. The message is well crafted. The red flags may be difficult to spot, but they do exist.

  • The recipient is not addressed by name
  • The complete link is not provided - EITS will not direct you to "click here"
  • The language is odd in a few places: "Kindly click here"; "log on to" a page that "will log you in"; "assist us resolve the spam issue"; "your continuing attention to help desk security notice"
  • There is no official Help Desk contact information in the signature

The page was blocked on campus and the hosting vendor (where the website is) was notified. The hosting site has removed the page.

From: EITS Help Desk <helpdesk[@]uga.edu>
Sent: Tuesday, June 20, 2017 7:58 AM
To: User Name <username[@]uga.edu>
Subject: MyID Account Deactivation.

Security Alert

We detected WannaCrypt ransomware spam activities in your UGAMail account. Kindly click here (link to fake CAS authentication site removed) to log on to (this will log you in via the UGA Central Authentication Service portal) to assist us resolve the spam issues on your UGAMail email account.

Taking the proper measures to protect the confidentiality of all UGA accounts, is our collective responsibility as good stewards.

Thank you for your continuing attention to help desk security notice.

EITS Help Desk

Anyone who may have clicked the link before the page was shut down landed on a site that looked 100% legit -  except for the URL (the web address).

The fake page's URL was "cas2ugaedu.atwebpages.com/...". What's wrong with that?

A legit web address for a UGA service should look more like this: "service.uga.edu/".

A UGA website should never end in ".com" or have a .com before the first / (slash).
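An added example, not EITS code, that applies the address rules from this page (the https check in the "Univeristy of Gerogia Announcement" entry and the host rule above) to a link's visible text and its real target, the address that "hover to discover" reveals. The only real hosts used are uga.edu and the cas2ugaedu.atwebpages.com address quoted above; the other hosts are constructed placeholders.

```python
"""Red-flag checker for links claiming to be UGA services.

Rule from the page: a real UGA address must have uga.edu itself before the
first slash. A host that merely contains "uga" (cas2ugaedu.atwebpages.com),
or that has "uga.edu" buried somewhere before the first slash, is not UGA.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uga.edu"  # the real institutional domain named on the page


def host_of(url: str) -> str:
    """Lower-cased host of a URL: the part before the first slash, minus the
    scheme, any user@ prefix and any :port. Bare hosts (no scheme) are accepted."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed bracketed IPv6 literal and the like
        host = ""
    return host.lower().rstrip(".")


def is_trusted_host(host: str, domain: str = TRUSTED_DOMAIN) -> bool:
    """True only when host is the trusted domain or a genuine subdomain of it.
    The leading dot matters: 'myuga.edu' and 'uga.edu.evil.example' both fail."""
    return host == domain or host.endswith("." + domain)


def looks_like_url(text: str) -> bool:
    """Heuristic: link text that visually resembles a web address."""
    text = text.strip()
    return bool(text) and " " not in text and "." in text


def assess_link(display_text: str, href: str) -> list:
    """Return the red flags for one link, comparing what the email shows with
    where the link really goes. An empty list means nothing odd was found."""
    flags = []
    target = host_of(href)
    scheme = urlsplit(href).scheme.lower() if "://" in href else ""
    if scheme != "https":
        flags.append("target is not https")
    if not target:
        flags.append("target has no usable host")
    elif not is_trusted_host(target):
        flags.append(f"target host '{target}' is not under {TRUSTED_DOMAIN}")
        if "uga" in target:
            flags.append("target host merely contains 'uga' (lookalike)")
    if looks_like_url(display_text):
        shown = host_of(display_text)
        if shown and shown != target:
            flags.append(f"link text shows '{shown}' but points to '{target}'")
    return flags


if __name__ == "__main__":
    # Constructed samples modelled on the entries above; the non-UGA targets
    # other than cas2ugaedu.atwebpages.com are placeholders, not real sites.
    samples = [
        ("Sign In", "https://cas.uga.edu/cas/login"),
        ("REVIEW_HERE", "http://cas2ugaedu.atwebpages.com/cas/login"),
        ("https://cas.uga.edu/cas/login", "https://cas-login.phish.example/cas/login"),
        ("https://www.uga.edu", "https://uga.edu.verify-now.example/"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for flag in assess_link(text, href) or ["no red flags"]:
            print("   -", flag)
```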

===

MyID Account Deactivation.

Reported on June 15, 2017

Many of us received this phishing message Thursday morning. The phishers stepped up the messaging from Wednesday's attempt even though both phishing messages link to the same URL.

This message has copied wording from the CAS login page to make it look legit but UGA faculty and staff were not easily fooled and reported it immediately.

Like the phishing attempt Wednesday, EITS has blocked the link in this email from campus just to be safe.

From: User Name
Sent: Thursday, June 15, 2017 7:58 AM
To: Same User Name
Subject: MyID Account Deactivation.

UGA's Single Sign-on for Web Services

CAS provides a common login experience for users accessing UGA web services with their MyID credentials through a one-time login. to avoid deactivation of account see below.

                                         ACTIVATE YOUR ACCOUNT

Copyright © 2005 - 2017 CAS, Inc. All rights reserved.
Powered by University Of Georgia Central Authentication Service 3.5.1

 

New Message For You.

Reported on June 14, 2017

It seems like everyone got a version of this phishing message midday Wednesday.

This one seems like a pretty obvious phishing attempt but EITS blocked the link from campus just in case someone was tempted to click it.

From: User Name
Sent: Wednesday, June 14, 2017 1:54 PM
To: Same User Name
Subject: New Message For You.

You have 2 Important message from your Admin Center.

Sign In

Thank You

Mail Management.

 

Bank of America Alert: Your notice of suspension has been attached

Reported on May 30, 2017

Wow, Phish Spotters! Y'all are on this one. Yesterday we were wondering why the phish front was so quiet and today the boat came in. Several of you caught and reported this phish in quick succession.

The phish is kinda funky - and it's not just the phishy smell - because it combines a classic attempt to make the recipient panic with an obviously bogus message.

There are two honking huge red flags:

  1. No body text
  2. An attachment

Opening the attachment would probably open malicious software to infect your machine. Or direct you to a website where you would be asked to provide account information. (Phishing 101: You should avoid opening attachments unless you are expecting them and are certain they are legitimate.)

Now, banks can, and sometimes do, suspend accounts. They can do so without notice - but they rarely do that unless something very hinky is going on (multiple overdrafts, bounced checks, a suspicious activity report, etc.) If a bank was going to notify you of an account problem, they would typically do so via regular mail. An official notice would include logos, professionally written content, official signatures and contact information.

From: Bank of America <no-reply[@]amailboxatahostingsite.com>
Sent: Tuesday, May 30, 2017 9:28 PM
To: User Name <username[@]uga.edu>
Subject: Bank of America Alert: Your notice of suspension has been attached

There was an attachment, but absolutely nothing in the body of this email.

It's important to remember that your bank will not contact you by text message, Facebook message or email asking you to disclose your personal information. If a sender claiming to be your bank asks for personal information, do not reply. You can always look up your bank's customer service number and call for more information if you need to. 

This is your email administrator

Reported May 18, 2017

Today on Fresh Phish we hear from phishers who have set up a faked site in lovely, tropical Indonesia.

There are 10 things in this email that make us here at Fresh Phish sit up and say, "Nope! Totes a Phish. Absolute chum bucket." (See what we did there?)

Can you spot the 10 red flags that set us off?

From: User Name
Sent: Thursday, May 18, 2017 9:23 AM
To: Same User Name
Subject: This is your email administrator

 ATTENTION!
=========================  

Dear User,

This is your webmail administrator. Please,be informed that the email server has just been upgraded and your email needs to be reset immediately.
This process is to keep The University of Georgia system server updated and protected as always.

CLICK BELOW TO RESET YOUR EMAIL NOW:  

Sign In [Link to a bogus site in Indonesia has been removed.]


Regards,  

University of Georgia.

  1. The sender name - This came from a named person and not from an official EITS communication channel.
  2. EITS won't use all caps to shout at you; it's unprofessional.
  3. The generic "Dear User" greeting.
  4. Informs us that the email comes from our "webmail administrator" - that should be handled in the sign-off.
  5. An action needs to be taken immediately. Talk about a short deadline!
  6. We are called on to take that action.
  7. It is implied that if we don't take action "The University of Georgia system server" won't be protected. Which, in turn, implies that if something goes wrong it's our fault!
  8. The link is not provided as a cut and paste link. EITS will not hide links behind text.
  9. EITS will not ask you to validate your UGA MyID and password in an email. And they will not link you to a page with a form to validate your credentials.
  10. The sign off is not from EITS and it contains no contact information.

Bonus points if you noticed the sender is also named as a recipient for the message. That's a pretty strange thing for a business email to do - which contributes to our not falling for the phish.

How did you do? If you got half or better you're on your way to being an expert phish spotter!

Don't feel bad if you got fewer. Practicing here is safe. And you'll be an expert in no time.

Library Account

Reported May 11, 2017

This phish is the best of the best - a real catch - but it still stinks! What makes it so good?

  • The spelling and grammar are perfect.
  • The language is very business-like.
  • The library email address looks legit. (But we discovered that it's faked. The actual email account is in Turkey.)
  • The CAS login URL looks legit. (It's faked too. It goes to a site registered in the Central African Republic that is designed to steal your UGA credentials.)
  • The personal email address of the Library Representative looks legit (but it's another bogus email address.)

This phish is a perfect example of how international phishing is, and how easy it is for the bad guys to fake email addresses and websites and present themselves as someone they are not.

So is there a Red Flag? Yes. It has two. The message threatens to take away a service and you have to act to stop it.

From: Library Services <library[@]lib.uga.edu>
Sent: Thursday, May 11, 2017 10:09 AM
To: User Name
Subject: Library Account

 

Dear Library User,
     
Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account.
     
For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to your library profile.

http*://cas.uga.edu/cas/login [The link to a very good but bogus CAS login page in Turkey has been removed.]

If you are not able to login, please contact Library Representative at library.rep[@]uga.edu for immediate assistance.
   
Sincerely,    

Library Representative
University of Georgia Libraries
University of Georgia
Athens, Georgia 30602-1641
Tel: 706.542.3251

These bogus addresses and the fake CAS site have been blocked on the UGA campus.

A special shout out to JCS who was first to report this library phish and to TP, who brought it to our attention.

Name@uga.edu is no longer active!

Reported May 9, 2017

Tl;dr - This email verification scam uses an altered official message to try to trick you into clicking a validation link. Don't fall for it.

One of the most common phishing scams we see here on campus tries to trick you into verifying  your email address. These scams threaten to take away your email account. If you don't click to validate, the message claims, you will not be able to use your email to send and receive messages.

This particular example is unusual:

  • The banner shape and borders indicate that parts of an original, official, email message have been chopped up to make this phish. (Minced phish! Eeeeeuw.)
  • The phish actually included the correct name in "Dear Name" (before we changed it to protect someone's identity.)
  • The email address used in the body of the message was real and correct (we changed that too.)
  • The 'Validate' link points to a government site in the Philippines which is either spoofed (faked) or hacked.
  • Official seeming language has been included in the footer to reinforce the impact of the phish

Fortunately, there are also red flags in this email: grammatical errors; a call to action; a short deadline; and a threatened loss of service.

From: TeamOffice365 Microsoft <noreply-security[@]kast.com>
Sent: Monday 5/8/2017 5:30 PM
To: Name <name@uga.edu>
Subject: name[@]uga.edu is no longer active!

Email verification phish

Remember all y'all - EITS is not going to email you and tell you to validate your UGAMail account. And if they did, they certainly would not claim to be the Azure Active Directory Team.

Widespread Phishing Panic

Reported May 3, 2017

Well, it could have been a panic, but our phish spotters won the day!

A well crafted Google Doc-based phishing attack was received by approximately 1 in 5 mailboxes here on campus. We are very proud to say that fewer than 1% of recipients clicked on the link in the message. (That's waaaaaaay below the average response of around 11%.)

Google responded to the attack, shutting down the pages related to the phish quickly and efficiently, but not before the message made its way into several mail providers' systems.

The attack is not 100% undetectable, but the only thing to set off our phishing sonar is the 'To' field. We got blind copied in a huge list, an indicator that there may be a problem.

Fake Google Doc notice

But Fresh Phish, you ask, would you really open a randomly appearing doc? Most people would ignore that, right?

Not if the claimed sharer was one of our actual contacts. Not all recipients got a share notice from someone they knew. Many did. If the person sharing the doc had a name we recognized, we would have been much more likely to click that link.

Think of the ramifications for students - last minute project sharing with that person in class whose last name they can't remember increases the likelihood of a click through. And arriving during finals and commencement time has the potential to make that click far less likely to be remembered down the road.

The phishers know us. They know how to manipulate us. It's up to us to not let the phishers lure us into becoming victims of their scams.

Think before you click, yo. Phishers gonna phish.

Phish + MAC Malware + Tax Season = Big Danger

Tl;dr - Y'all are spoiled. Read the entry. Okay, okay - Several online security and anti-virus sites are reporting a phish email distributing nasty Mac malware called "DOK".

Heads up, Phish Spotters!

There are reports circulating on the Internet of a new piece of malicious software (malware) called "DOK" that affects Mac OS users. You can Google "DOK malware" if you need technical info.

The malware is being distributed as part of a phishing attack. If you fall for the phish, you will download malware that can gain admin privileges on your machine and give phishers access to all your communications - even the SSL encrypted ones.

A lot of people still think that using a MacOS protects you from malware. But McAfee Labs says attacks on Apples were up by more than 700% in 2016. Trends like that don't go away. So, we are likely to see more Mac malware in the future.  

Mac users are not protected from phishing either. Whether or not someone falls for a phish is all on them. Using the delete key to give phishing email the finger is the only way to avoid getting caught.

Here are the deets on DOK:

  • The malware is distributed as part of a tax-related phishing attack
  • DOK is concealed in an attachment
  • The phish itself claims that there are discrepancies in the recipient's tax return
  • Tax problems can easily make someone react with little thought - panic!
  • Opening the attachment downloads the DOK malware
  • The malware shoots out an OS security message instructing you to "update all"
  • The update triggers the malware, which installs a root certificate
  • Then DOK uninstalls itself - making the attack next to impossible to detect
  • Mayhem ensues (Well, maybe not mayhem... but it won't be pretty.)

MAC security alert message

We all know that bad guys like to hit us in the wallet. And they love to prey on us, catching us unawares at tax time. (Want more info on tax season scams?)

The IRS won't contact you via email out of the blue. You can call them if you want confirmation that the email is real. You can also report the email by sending it to phishing@irs.gov 

If you used a tax preparer, you can contact them to make sure the email is legit.

Be careful out there.

Mother's Day Scams - a Fresh Phish PSA

Tl;dr - There's a Lowe's coupon scam going around on social media. You are likely to see similar scams claiming to be offered by other companies (IKEA, Home Depot, etc.) How can you avoid getting caught?  Easy peasy. Don't click to claim the coupon!

We all know that scams are everywhere. Phishers take advantage of us every way they can and they like to appeal to our wallets. Especially around holidays. Mother's Day is no exception - and while everyone is thinking about Mom, the phishers are hitting the social media networks with their tasty lures.

In this particular attempt, the phishers are making us an offer that is hard to refuse. Who wouldn't want a $50 coupon from Lowe's?

Scam offers like this one frequently ask you to prove that you're eligible to get the coupon. That usually means providing a credit card number or other personal information as an 'eligibility check'. The unsuspecting can quickly fall victim to a scam designed to steal your identity while preying on your good intentions. 

If you click the provided link (and we know you won't) it drops you on a very real-looking but bogus page with the Lowe's logo. In this particular case, there is a survey to take in order to claim the discount coupon. Can you guess what sort of info you have to provide about yourself?

So, how do you know this sort of scam is a scam? Let's look at the biggest of the red flags associated with this sort of too-good-to-be-true offer:

A free $50 coupon for EVERYONE!

Fake Lowe's coupon

Let's do some math.

If each of the 1.5 billion users on Facebook every day (according to zephoria.com) could use the coupon, that would be $75,000,000,000 in discounts. Provided they could all get to Lowe's.

If only Lowe's regular customers took advantage of this "deal" (more than 16 million customers per week according to marketrealist.com), that would be about $800,000,000 in discounts.

The NASDAQ financial data for Lowe's shows that either amount is more than Lowe's annual income. Based on these numbers alone, you can assume this coupon is bogus. No corporation is going to go bankrupt over Mother's Day.

You always have to remember to look beyond the deal when it comes to coupon scams on social media sites. Use Google to see if there is any news; visit Snopes.com to see if a scam has been reported or do the math.

By the way, this scam is big enough to have made it onto several news channels. You probably won't see this scam in your social media feeds because of the exposure.

You may see other similar offers, though. Bogus IKEA, Home Depot and Walmart coupons are popular scams among phishers. They crop up over and over again. Like other forms of identity theft, falling victim to a coupon scam can have long lasting ramifications.

Stay alert and be careful out there in the Net. Phishers gonna phish.

Unusual sign-in activity: A Well Crafted Phishing Email

Reported on March 28, 2017

Welcome to Fresh Phish's first ever guest post.

Douglas Stewart, Senior IT Manager at Griffin, contacted us to share an excellent example of a sophisticated phishing attempt. Doug's comments and advice were so good, we contacted him to get permission to post them here.

"I know most of us get phishing emails and most everyone has learned very well how to spot them.  This morning I was sent one that is a very professional looking email – it is grammatically correct, the email is (supposedly) from Microsoft not UGA, and this email looks very much like genuine emails Microsoft does send out if unusual activity occurs on your account.  Since this email is very different from the typical “UGA Helpdesk Administrator” with poor grammar and obvious bogus links phishing email we usually get I decided to take a screen print and remind folks there are some very polished phishing emails out there as well.  If you open the attached file you can see where the link to get further instructions does not refer back to Microsoft or one of its affiliate sites but instead goes to another website - a definite red flag for an email like this one.

If you do ever get an email like this and you are concerned maybe someone has hacked or accessed your account always go to myid.uga.edu and reset your password there.  Just a general rule of thumb, never click a link to change a password unless you have expressly asked for one to be sent to you.  As always feel free to forward any suspicious emails – I would rather tell 100 people it's valid than have 1 person click on a bogus one."

We agree with Doug 100%. The email in question is provided here. We know it's way too small to read - so if you click it, you can open it in a new window for a better look.

Phishing Email

Thank you so much, Douglas for contacting us with this whale of a phish - one that is very targeted and intended to net a big return.

You Have 1 New Message and Important Notice

Reported March 21, 2017

Tl;dr - We respond to too many phishing messages without thinking. That gives online criminals too much control over us. It's time to pay more attention!

Sometimes the simplest phishes are the best. This one is rather well crafted. It's scary that we have not seen many reports of this phish. That could mean one of two things: Either our expert phish spotters are diligently deleting the email, or people are being tricked into responding.

Why did it work? We can speculate a bit.

  • The message says it comes from a UGA Admin - an important person
  • The tone is urgent
  • A link is right there! Right there!

As social creatures, humans tend to respond to authority. A sense of urgency can spark a stimulus response - think carrot and stick. Plus, we are conditioned to click links and the phishers have provided one that's easy to use.

So, that means the bad guys have pushed our social buttons, emotional buttons and physical buttons. We all need to think and not respond. Do not give the bad guys that much control.

You have to question emails like this one. Get in the habit of asking questions like:

  • Who is the sender?
  • Are they an Admin?
  • What kind of Admin could have sent this message? (Admin of what?!?)
  • Why would I be getting a message from an Admin?
  • Why doesn't the Admin identify themselves?
  • Why am I not addressed by name in the email?
  • If I mouse over that link (without clicking!) where does it go?
  • Why is there a direct link in this message and not one I can copy and paste?

Message 1

From: User Name <username@uga.edu>
Sent: Tuesday, March 21, 2017 1:26 PM
To: Same User Name <username@uga.edu>
Subject: You Have 1 New Message


You have 1 Important message from your UGA Admin.

Sign In [Link to a bogus non-UGA site removed.]

Thank You
UGA Admin/Service

 

Message 2

From: User Name <username@uga.edu>
Sent: Monday, March 20, 2017 11:55 AM
To: Same User Name <username@uga.edu>
Subject: Important Notice.

You have 2 New Important messages from your UGA Mail Admin.

 

Sign In [Link to a phishing site in Romania has been removed.]

Thank You
UGA Mail Service.

Did you know that billions of phishing emails get sent by criminals every day? Ugh. No wonder it's a challenge to avoid getting caught.

Keep up the good work, phish spotters!

Back from Break Danger: OUTLOOK UPGRADE, UPGRADE YOUR ACCOUNT and VERIFY

Reported on March 12 - 13, 2017

Here at Fresh Phish, reports of multiple phishing attacks have been rolling in. The volume is especially high. (No pun intended - the phishers are inclined to 'shout' this week.)

Why so many phishes this week? We're all back from break, relaxed and easily taken unawares.

In the past we've talked about how the scammers and phishers know what's up with us. They know the academic calendar, when we are out, when we are back and when we are most vulnerable. Unfortunately, the baddies also know how to manipulate us with threats and a sense of urgency. We react, we click and we get caught.

Don't let the bad guys win. Slow down. Use the red flags to figure things out, hover your mouse over the links to discover where they go - and never forget: EITS will not ask you to validate your account in an email.

Here's the top three that we have been seeing this week:

Message 1

Subject: OUTLOOK UPGRADE
Date: Mon, 13 Mar 2017 02:16:27 -0700
From: username@uga.edu<mailto:username@uga.edu>
Reply-To: noreply[@]outloo.com<mailto:noreply[@]outloo.com>
To: Recipients <username@uga.edu><mailto:username@uga.edu>

You're receiving this email because you have exceed your storage limit and this may cause your Email Service disrupted. Admin request your immediate action by clicking on the link below and sign into your account to upgrade: Click Here [We removed a link to a super sketchy site in Gambia]

Message 2

From: User Name
Sent: Sunday, March 12, 2017 12:23 PM
Subject: UPGRADE YOUR ACCOUNT


This is an Email Service Alert from Help-desk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICK HERE [This phisher used a .me domain name - phishing is obvsies all about them!] to Activate

Warm Regards,
Help-desk Administrator.

Message 3

From: User Name
Sent: Monday, March 13, 2017 7:14 PM
To: Same User Name
Cc: Same User Name Again
Subject: VERIFY


We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your uga.edu mail box account, We recommend you to CLICK HERE [This bogus link pointed to a free website hosting service.] and verify your uga.edu mail account and always exit your uga.edu account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.



Warm Regards,

Helpdesk Administrator.

Fresh Phish gives a massive shout out to all the expert phish spotters who have kept us jumping this week. Keep up the great work and stay safe out there. Phishers gonna phish.

Super Dangerous UGA Alert Phish

Reported on March 6 and 7, 2017

Tl;dr - A well crafted phishing scheme is making the rounds. It's cleverly constructed and can steal your credentials if you're not paying attention. Neither EITS nor UGA will ask you to validate your UGAMail account in an email.

The official looking link in this email points to a fake CAS page. The CAS page looks genuine. How did the Phishers manage that? It's easy to copy a web page.

Here is how this page works:

  1. You read the email and react to the content
  2. You click the link that appears to be an official UGA link
  3. You are dropped into a CAS page that seems authentic
  4. You provide your credentials (MyID and password)
  5. You hit the login button
  6. You are taken to the real CAS page
  7. You assume you made a mistake with your credentials
  8. You put your MyID and password in the fields and CAS - the real CAS this time - authenticates you.

The real danger here is in step 5. When you hit the login button, your MyID and password are also captured by the phishers.

How to avoid getting caught? Look for the red flags (see the Phish Tank for more information). And remember to use your mouse - hover to discover - to identify the actual web address the link points to.

From: University of Georgia <username@uwec.edu>
Sent: Monday, March 6, 2017 6:31 PM
Subject: UGA Alert

Dear User,

This is to confirm that your email account was randomly selected for verification.

Kindly visit the website below and follow prompt to confirm your profile is active.

https://www.uga.edu [link to a bogus CAS login page has been removed]

Failure to validate your profile within 24hours may result to mailbox termination.

Thank you.
University of Georgia

A shout out is due to KS and PL for being the first to report the UGA Alert phish. Well done and thank you.

Dear UGA® Email users!

Reported on February 28, 2017

This ole thing? It's a standard 'verify your account' phish. The phishers dressed up a bit.

We really like the use of an extended vocabulary in this one. And the specificity of "two (2)" emails is a nice touch. Two sounds way more dangerous than only one (1) email, doesn't it? And the registered trademark symbol adds a whole new level of official!

But when we take a closer look at the generic subject line - OMG everyone has two (2) Incoming Mails that have resulted in their accounts being suspended - random capitalization, strange punctuation and odd language, we realize the truth.

It's just lipstick on a pig.

From: User Name
Sent: Friday, February 24, 2017 4:12 PM
To: Same User Name <username[@]uga.edu>
Subject: Dear UGA® Email users!

Our web administrator has been notify of some Unwarranted /Unauthorized activities in our Webmail database
For these reason two (2) of your Incoming Mails has been suspend till you verify your mailbox

Kindly Click UGA Account Verification <bogus "ugaverificationdesk" link has been removed> to verify your account.

Thank you for C0-operation
UGA® Web admin.

Tax Time = Scam Time: a Fresh Phish PSA

Tl;dr -  A lot of scams are tied to tax time. Use caution and file as early as possible.

Tax time is scam time and there are several scams to be alert to this year. Fresh Phish did some research online and put together this summary for you.

Dates to know:

Filing Deadline - The tax deadline this year is Tuesday, April 18th (the 15th is a Saturday and Monday the 17th is a holiday in D.C.)

Possible Delays - You should also be aware that to scan for potential fraud, the IRS is issuing refund checks later than usual this year. Some returns will be delayed, but refunds should begin arriving on Wednesday, February 15th. The IRS has more information on the 2017 Tax Filing Season.

Popular scams to look out for:

Tax relief scams - If someone offers to reduce your taxes, be alert to scams, especially if money needs to be paid up front (the scammers will take it and run). If you need to use a tax relief business, check them out thoroughly first.

Federal Student Tax – Did you receive a bill for the Federal Student Tax this year? No? Good, because it doesn’t exist. Be prepared. You may be contacted by scammers if you are a student or the parent of a student.

Fake Affordable Care Act (ACA) notices - Scammers send a fake notice that is designed to look like an official ACA bill. If you get an ACA bill, be alert to potential fraud. The IRS does not send ACA bills: the IRS sends a notice of adjustment to your taxes.

Phishy Tax Preparers - Criminals may claim to be Tax Preparers to trick you into giving away personal information. If you get an unsolicited email from a tax preparer, avoid clicking on links or opening attachments. Just delete the message. Also, if any tax preparer asks you to pay cash for part or all of your taxes, that's a huge red "it's-a-scam" flag.

Fake IRS Agents - Criminals pose as IRS agents who call and attempt to scare you into complying with their demands. Don't be fooled! If there is a problem, the IRS almost always makes first contact by sending a letter through the US mail.

Have you gotten a call from a bogus IRS agent? Scammers like to use common names like John Jackson, Mike Smith or Anne Jones when posing as IRS agents. If they give you a badge number, they’ll often say it too fast for you to jot down. How do you tell the real agents from the fake ones?

Real IRS agents will not:

  • leave a phone message demanding immediate payment
  • use intimidation or threaten to have you jailed
  • ask for a specific type of payment (cashier's check, cash, money order, bank transfer, prepaid debit card, etc.)
  • ask you to pay over the phone with a credit card
  • call you to verify tax information or personal details
  • ask for your social security number in an email, text or phone call
  • ask for your bank account number in an email, text or on the phone
  • call to let you know you are eligible for a refund (usually a huge one)
  • email you telling you to update your e-file account
  • direct you to a webpage that begins with anything other than https://www.irs.gov or https://www.irs.gov/ (be alert to bogus sites like irsgov.com, irs.com, irs.net or irs.gov.com)
  • send you a tax transcript you did not request (getting one may indicate you're an ID theft victim)

Criminals often spoof phone numbers so your caller ID might display the correct IRS phone number or ID when a scammer calls.

Filing Online - Be super careful when filing your taxes online. Only do it on a secure computer connected to a secure network. Unencrypted connections can easily be intercepted by crooks who are watching for them. The crooks insert themselves into your transaction and grab your personal information without alerting you to the attack. So, no filing your taxes at the local coffee shop, even if you really need the caffeine.

Tips for avoiding tax time scams:

  • File your taxes early! Get your refund in before the criminals do. Even if you owe taxes this year, the criminals can file a fake return that may launch an IRS investigation. Protect yourself.
  • Use the "Where's my Refund?" tool at the IRS site to track the status of your refund.
  • Get an Identity Protection PIN (IPPIN) from the IRS. Use your IPPIN along with your Social Security Number to make filing your taxes more secure.
  • Know your rights as a taxpayer. Didn't know you had any? Check out the Taxpayer Bill of Rights for more information.
  • Stay informed. The IRS has a page about Tax Scams and Consumer Alerts and a Google search will get you a lot of information.

Other actions:

Get a phishy email? - If you get an email claiming to be from the IRS you can forward it to phishing@irs.gov

Think you're a victim of ID Theft? - Tell the IRS right away! File a form 14039 to report the theft of your identity. The IRS will send you a letter with follow up instructions (it can take a while.)

Phony IRS Agents? - Report the call to the Treasury Inspector General for Tax Administration (TIGTA) via their IRS Impersonation Scam Reporting web page or call (800) 366-4484.

Let the Federal Trade Commission (FTC) know via their FTC Complaint Assistant. Include "IRS Telephone Scam" in the notes to let the FTC know what’s up.
Phish Wrap - 2016 phishes in review

Tl;dr - Knowing the types of phishing attacks you can expect, and getting a feel for the general topics they contain can help you avoid getting caught. Includes a list.

Here at Fresh Phish, our goal is to provide actual phishing emails that are reported on campus and help you learn how to spot them. We know that phishing mostly falls into a few broad categories. So, we decided to take a look at the types of phishing email we saw in 2016.

These are classic phishing attempts that get repeated over and over again. Why? Because they work. Over and over again.

What if you get an email that falls into one of these types, or touches on one of these topics? It's probably a phish.

Here is a breakdown of what we saw, arranged by type and topic.

Validate Your Account

  • You have spam in your email - validate your account
  • Your account is about to expire - validate to keep it
  • Your account was logged into from an unknown IP address
  • Negligent emails! - we are shutting down your account
  • You exceeded your mail box quota - make your mail box bigger
  • Authenticate your account now!
  • Your UGA account certificate has expired
  • Unusual sign in activity - validate your account now
  • Database maintenance - update your account
  • We're backing up the servers - validate your email to get updated

Verify Your Account - a Validate Your Account subtype

  • System update - verify your email account
  • Reply to cancel deactivation of UGA services
  • We made your UGA mailbox bigger / more secure
  • We are deleting your UGA Mail account - verify to keep it
  • We made your email service / Microsoft suite faster
  • Your account is on hold, click to contact an administrator
  • We locked your account; click to verify it - with bonus security advice

Unlock / Unblock Your Account - a Verify Your Account subtype

  • Verify your UGAMail account to unblock it
  • Your account temporarily blocked
  • Helpdesk alert - your incoming mail is on hold
  • We noticed a virus so we locked your account

Blackboard-driven Scams

  • Blackboard Newsfeed
  • Blackboard document resubmit request
  • You have messages on Blackboard
  • New message from Blackboard Admin /Faculty Admin

Malware or Phishing Scams with Attachments

  • Court summons
  • Your payment has been processed
  • Confirm a reservation / flight / purchase
  • Shipment could not be delivered
  • Secret Shopper and other scam job offers trying to get all your personal info

Fake Services /Jobs / Websites

  • Sign up for our fake service
  • Important schedule message
  • View the non-existent Campus Bulletin
  • Secret Shopper emails - bogus job offer trying to get all your personal info

Vanity Phish - designed to make you click to find out who searched you

  • Someone searched your profile!
  • I want to join your LinkedIn network

Phishers gonna phish.

Account disables in 48 hours and Mail Closure Warning

Reported on February 6 and February 7, 2017

Boy howdy! The phish are jumpin' today. These two jumped high enough for a pair of expert phish spotters to see.
We're not going to spend too much time on these messages, because the red flags are raised and flying high. (Need info on the red flags? Visit the EITS Phish Tank.)

  1. Check out the senders' mailto addresses: one is in Russia (mail.ru); the other points to a generic looking non-UGA webmail service.
  2. Both messages direct you to update or validate your UGAMail account. EITS will never ask you to validate your account in an email.
  3. Scare tactics are used for motivation: Your account disables or Your mail will be closed.
  4. Both have a close deadline - 48 hours - to prod you into responding fast and without much thought.
  5. Neither message is signed with an actual EITS signature. Just who is "Account Team"? And why the confusion from "Request Team.??" They don't seem to know who they are at all.

    Message 1

    From: Account Team ,<mailto:sendername[@]mail.ru.>
    Sent: Monday, February 06, 2017 4:24 PM
    To: account-security <account-security[@]outlookservices.com>
    Subject: Account disables in 48 hours

    Dear User,
    Kindly follow link below to re-validate account. Failure to do so, you will be extricated from accessing your account
    Please visit the link UPDATE NOW [unsecured shortened link to a fake login page removed] to avoid the close down of your account and keep enjoying our services.

    Account Team

    =====

    Message 2

    From: Mail Admin <mailto:Admin[@]webmail.com>
    Sent: Tuesday, February 07, 2017 8:24 AM
    To: Recipient <recipient[@]uga.edu>
    Subject: Mail Closure Warning
    Importance: High

    Dear Recipient <recipient[@]uga.edu>,

    We received authorization from you to close down your mailbox account which is in progress within 48hrs.

    note you will loose all your valuable mails in your Email account, If you will like to continue using your mailbox you have this opportunity to cancel this request.

    CLICK HERE TO CANCEL CLOSURE REQUEST NOW [bogus link to a fake login page ...username=recipient[@]uga.edu has been removed.]

    If you fail to cancel this request before 48hrs you will not have access to you mailbox and it will be close down.

    Thanks for your co-operation.
    Request Team.??

Phishing is serious business, but if you want to read the "Account disables in 48 hours" out loud, in a bad accent, we'll understand. Fresh Phish is on the lookout for Moose and Squirrel, too.

UGAMail/Validating

Reported February 2-4, 2017

This set of phishing attacks is coming on strong. Fresh Phish has seen close to 100 reports of this particular phish reported in the past few days. Well done, phish spotters!

We've written about how phishing attacks may look the same on the surface, but be different on the back end. These two examples appear to be the same (except for the dates) until you take a look at the link that is included.

We normally just remove the whole link, but this time, we left part of the link text in each email so you can see what we mean.

The content of both messages mirrors the other word for word: both of these emails look the same. In fact, the unsecured (http) links pointed to the same free web hosting service. Only the location of the bogus login page was different - and both URLs are designed to trick you into thinking they came from UGA.

Example 1:

From: SenderName <sendername[@]uga.edu>
Sent: Thursday, February 02, 2017 1:55 PM
Subject: UGAMail/Validating

University of Georgia we are validating active accounts, if still in use kindly Visit this link [unsecured link to ugamail-activation-page at a free website hosting service removed] to verify account now

Example 2:

From: SenderName <sendername[@]uga.edu>
Sent: Saturday, February 04, 2017 2:15 PM
Subject: UGAMail/Validating

University of Georgia we are validating active accounts, if still in use kindly Visit this link [unsecured link to ugaemail-activationunit at a free website hosting service removed] to verify account now

Remember, you can position your mouse over links - without clicking! - and learn where they will take you. If you hover, you discover. Stay safe out there!

Secure Mail Alert

Reported on February 2, 2017

Happy Groundhog Day, Phish Spotters!

It's funny how this one just sort of poked its head out like Punxsutawney Phil. It certainly could cast a long shadow on someone's UGAMail account. Might be hard to winter. Definitely has potential for a chilling effect. Okay. We'll stop now.

Today we have a new twist on an old phish. It plays on curiosity and anticipation - a secure message that you have to sign in to view. The message is designed to make you think the phishers have something important and you have to go to them to get it.

This tactic is made a bit more dangerous by the fact that UGA has a secure message service (SendFiles). The message is clearly written and grammatically correct; two of the big red flags are absent. These features come together to create a message that seems reasonable, believable and easy to fall for.

Any time you get a message like this - or any phishy looking message - you need to ask questions like the following:

  • Why would IT support need to send me a secure message?
  • Why are they calling me a member?
  • Just who the heck is IT Support anyway?
  • Why are they emailing me from a place called wids.com?!?

And reach the conclusion - Obviously NOT from EITS. Delete!

Subject: Secure Mail Alert
Date: Thu, 2 Feb 2017 15:50:20 +0000
From: IT Support <ITsupport@wids.com><mailto:ITsupport@wids.com>

Dear Member,

You have received a secure message from IT Support.

Click here to review the message [link to a bogus site removed].

Note: Your internal messages can only be accessed via your online portal.

IT Support

If you don't know about SendFiles, you should check it out! You can securely send files to anyone. SendFiles also allows you to transfer files up to 2GB in size. Plus, anyone with a UGA MyID can use SendFiles.

Your Profile Name

Reported on February 2, 2017

It's a busy day here at Fresh Phish. It has been a while since we had two phishing attacks to report in one day! Our expert phish spotters are hard at work, too. They reported this message several times and it's not an easy one to spot.

What makes this message harder to spot than others? Language. We spend a lot of time going on about bad grammar and poor spelling, but this message is free from either. The big give-aways are the weird mail-to address of the sender, the lack of personalization and a signature, and the link that was provided. (It pointed to a non-UGA site.)

Take a close look and you'll notice that this is just a basic verify your account phish. The aim of the message is to get you to act without thinking, click the link and give your credentials away. By implying that there is something wrong with your account and they have shut it down until you prove you are who you are, they hope to trick you into responding.

From: System Alert <mailto:systemalert[@]mail.arizona.com>
Sent: Thursday, February 02, 2017 9:22 AM
To: you
Subject: Your Profile Name

*System Alert*

The name registered to this account does not match the name we have on file.

You are required to verify your profile by clicking on the button below:

Verify Profile Now [link to a bogus login page removed. This message has been sanitized for your convenience.]

The name on your profile must match the name registered for this account. Our system will automatically restore your account once completed.

Remember: If you don't click you can't be phished.

UGAMail/Validating

Reported on January 23, 2017

Hello, Phish Spotters! Many of you have reported this phishing email. Thank you.

The phish is short and simple. Unfortunately at least one of our own was caught unawares. Why?

We think it may be because the message is such a nice lure. It's bright, shiny and requires no effort to swallow. Some recipients might even think it's nice that they have a chance to say, "Yes! I still use my UGAMail account. Thank you for asking!"

If only we would all slow down. Read any email that asks for credentials or personal information out loud. Does it sound legit? Or is the content totally wrong for a business email from the University? (No greeting, no punctuation, weird pronoun usage, links to a non-UGA website and no signature.)

The process of using email has become automatic for many of us: Open, read, click the link, type, close the form and move on. This happens so routinely that we may not even notice what we're doing. It's almost as if we have given mind and body over to the phishers.

Grrrrrr! Arrrrgh! Email zombies!

Time to take back control, y'all.

From: User Name <username[@]uga.edu>
Date: Monday, January 23, 2017 at 1:35 PM
Subject: UGAMail/Validating


University of Georgia we are validating active accounts if still in use kindly Visit this link [link to a fake form at weebly.com has been removed] to verify account now

Mama always said a phishing email's like a rattlesnake. You know it's dangerous, but when somebody gift wraps one and sends it to you, you'll probably open it.

VERIFY

Reported on January 19, 2017

These phishers are using an old reliable phishing attack to see if anyone rises to the bait.

The real email is provided farther down the page.

For now, let's imagine this message in matter-of-fact 'phisher speak':

"We (the phishers) are totally lying to you when we say we locked your UGA-MAIL account so you can't send messages. We want you to believe you have some sort of virus so you'll panic and fall into our trap. Oh, you just have to CLICK HERE and give us your credentials on our bogus webpage. You're supposed to think you are verifying your email account so you can get access back. But, we're crooks, remember? Bwah-ha-ha-ha-ha. Just to sound official we'll warn you to log out of your email account for security. And it might normally help prevent unauthorized access, but right now it won't - because you just gave us your credentials. We totally took advantage of your trust.

Warm Regards,
The Bad Guys"

You would never fall for this phish if it were written in phisher speak. (Obviously not a real dialect / language!) But the real email may be a little more convincing - especially if you are busy or in a rush.

What's the most important point to remember when you receive an email like this one?

EITS will never ask you to verify your credentials in an email message.

From: User Name
Sent: Thursday, January 19, 2017 2:42 PM
To: Same User Name <username[@]uga.edu>
Cc: Same User Name <username[@]uga.edu>
Subject: VERIFY

We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your uga.edu mail box account, We recommend you to CLICK HERE [we removed the link to a bogus page on weebly] and verify your uga.edu mail account and always exit your uga.edu account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.

Warm Regards,
Helpdesk Administrator.

Fresh Phish is beginning to think anyone who signs off with "Warm Regards" is not to be trusted. Sorry, Auntie Gladys.

Gmail Phishing Attack Makes the Rounds: A Fresh Phish PSA

Phish Spotter Powers, Activate!

Reports are coming in of a super-clever phishing attack that is targeting Gmail accounts. The attack is catching even expert phish spotters and skilled technical people unawares. Plus, the attack is expected to spread to other services.

Take a few minutes to Google "Gmail phishing attack" to get all the details. There is a lot out there: Fresh Phish recommends the Wordfence article. It has great examples and offers a short, clear lesson on reading URLs. Why the lesson on reading URLs? Because knowing how to read URLs is one of the best ways to avoid getting caught by this scam and many others.

Using two-factor authentication for Gmail will prevent the bad guys from getting very far even if they do manage to grab your username and password.

If you just want the low down:

  • Phishers hijack one or more (Gmail or other) email accounts
  • They create a plausible email message with an attachment
  • They use each account's address book to broadcast more phishing email
  • When you click to preview the attachment, you are taken to a bogus Gmail login page
  • If you log in on the bogus page the crooks quickly take control of your account.

Lather, rinse, repeat.

Remember, even experts are getting caught by this phishing attack. Slow down and think before you click. Learn to spot bogus URLs and you'll have a better chance to avoid getting reeled in by the phishers. And remember, two-factor authentication is your friend.

CC at UAB deserves a loud shout out for bringing this to Fresh Phish's attention. Thanks, CC!

"Bookended" phishing messages - ALERT: Important Newsfeed From Faculty. [And] your email account is temporary deactivated.

Reported on Friday, January 6, 2017 and Monday, January 9, 2017

You know how we here at Fresh Phish keep talking about phishers knowing what we are doing? And how they are especially good at catching us when we are in a hurry or distracted? Well, these two phishing messages are great examples that "bookend" the past weekend.

Message 1 - "ALERT: Important Newsfeed From Faculty." This message arrived at a particularly opportune time for the bad guys. Fresh Phish doesn't think the phishers planned its delivery to coincide with an early release for bad weather. But we are fairly certain some of us clicked the link thinking it was an update on the situation.

Many of the red flags we normally look for are in the email. The biggest is the one that should have had us wondering why we were asked to go to Blackboard if this was a weather / closing update. Those notices come through ArchNews, social media channels or radio communication.

Pro Tip: You can find out more about red flags in phishing email by checking out the bullet points listed under "What is a Phishing Email?" on our Phish Tank page.

Message 2 -"your email account is temporary deactivated." Coming in on Monday morning to a message like this can potentially spark a reaction from anyone who gets it. If you're already feeling behind schedule because of Friday's early closing, this bogus "security issue" might just catch you out.

What's the reddest of red flags in this message?

  • EITS will not send you messages with an unsecured clickable link.
  • EITS will not ask you to follow a link and reconfirm your University of Georgia email account details.

That flag was so red it got two bullet points!

Message 1

From: User Name <username@uga.edu>
Sent: Friday, January 6, 2017 7:24:07 AM
To: Same User Name <sameusername@uga.edu>
Subject: ALERT: Important Newsfeed From Faculty.

To Staffs, Employees & Students,

You have received an Important mail from your Faculty;

Continue_To_Blackboard_Here_To_View: (link removed)

Regards

Blackboard.

==============

Message 2

From: User Name <username@uga.edu>
Sent: Monday, January 9, 2016 6:32 AM
To: Same User Name <sameusername@uga.edu>
Subject: your email account is temporary deactivated.

The University of Georgia

Due to a recent security issue your email account is temporarily deactivated.

You are required to reactivate your University of Georgia email account in less than

24 hours.follow below link and reconfirm your University of Georgia email account details.

[link to a_website_in_Russia (.ru) masquerading_as_the _cas.uga.edu_page. has been removed]

Thank You

© University of Georgia

Fresh Phish gives a shout out to all the expert phish spotters who reported the "your email account is temporary deactivated." message.

When we checked in this morning there were dozens and dozens of people who had drawn our attention to this phish. A whole wall of text that read "Fw: your email account is temporary deactivated." was a glorious thing to see.

It's always good to start the week with a smile - so thanks to all y'all who had us grinning from ear to ear.

New Message For You.

Reported on December 29, 2016

Happy New Year! Welcome to 2017 and Fresh Phish's first phish of the year. Well, technically, it's the last phish of 2016, but who's counting?

We're sure you noticed that we changed the sender's information, so it probably came from a UGAMail address. So, yes, someone's email may be compromised. (We're on it!)

This message is a bit different from the typical phish. Instead of leading you to believe that you need to take action to start something, this phish claims you have already started a process. You now have to take action to stop something!

Things to consider:

  1. It is addressed to "Staffs, Employees & Students" - Does this make sense? Why send this message to everyone, as is implied? Is it likely that everyone on campus discontinued these services?
  2. The grammar and sentence structure is far from business-like. Try reading this email out loud. Does it sound even remotely professional?
  3. Does the link point to a UGA site? No. It points to a file download.
  4. The name of the service is incorrect, and the mail service provider is not identified either. EITS will always identify itself in email.

Clicking through to the file linked in this message could create all sorts of havoc. It may provide a form to use to give away your personal information. Or it may contain a virus that can track your movements online, gather your online account login data or corrupt your computer/device.

Only you can prevent successful phishing attempts. Don't get caught.

From: User Name <username@uga.edu>
Sent: Thursday, December 29, 2016 3:21 PM
To: Same User Name <sameusername@uga.edu>
Subject: New Message For You.

To Staffs, Employees & Students,

Your request to discontinue your Mailing & Library Access would be processed soon, this is an acknowledgement mail, if you believe this was done in error or mistakenly, kindly see below to cancel now;

CANCEL REQUEST NOW:<link to a .php file hosted in Indonesia removed>

Best Regards

 UGA Mail Management.

New Message (Blackboard Phishing Scam)

Reported on December 2, 2016

Okay, phish spotters! This one makes us here at Fresh Phish very, very angry. Why? Because it's a really dirty scam to be pulling on students at any time of the year, but especially nasty during finals. Fresh Phish is feeling salty.

A big shout out goes to ABM (you know who you are!) for bringing this to our attention.

What identifies this message as a phishing scam?

  1. BlackBoard Learn IT has a single person's email address as the reply to.
  2. The subject is generic: "New Message" tells you nothing about the contents.
  3. The message is addressed to the recipient's email address not the person.
  4. The link to resubmit goes to a bogus site. (Hover your mouse over any link to see where it goes without clicking.)
  5. The signature is totally wonky.

The message carries an implied threat - if you don't do this now, your document won't be submitted, you won't get a confirmation email and you will fail the class. What student wouldn't panic and respond immediately?

Phishers gonna phish, yo.

From: BlackBoard Learn IT < mailtoaprivateperson[@]atu.edu>
Date: Wed, Nov 30, 2016 at 10:31 AM
Subject: New message
To: User Name User Name <username[@]uga.edu>

Dear (User Name username[@]uga.edu),

We noticed your last document did not upload to our servers and your assignment was not submitted.

To ensure you receive a submission confirmation, you must resubmit again.

RESUBMIT MY DOCUMENT [The link to a bogus BlackBoard login page hosted in the UK has been removed.]

Follow the above instructions to confirm successful submission of your documents

Regards,
MY UNIVERSITY ADMIN
Blackboard Learn

Schedule Message looks "ophishal"

Reported on December 2, 2016

Every once in a while we see a phishing message that looks so real it almost tempts us to click through. This one is especially tempting (see a larger screenshot that will open in a new window).

Anyone who clicks through to "Sign in" is taken to a CAS look-alike page. If you are not paying attention, you won't notice:

  1. It is not a secure page (there is no lock icon in the URL)
  2. The URL is not associated with UGA (not a uga[.]edu website)
  3. The URL is for a Holstein cow website that is being abused by phishers

If you click the link and sign in on the CAS page to look at the schedule, ZOMG! Cows!

It sounds pretty funny. Who doesn't love cows, right? Once you get to the page you can doodle around and look at the cows. Some of the photos get mighty up close and personal. 'Udderly' fascinating. And you'll probably forget how you got there, shake your head and get back to whatever you were doing.

But if you filled in Your UGA MyID and Password to get to the cows, you gave away your login credentials. That means a third party - a stranger - is now able to get into your UGA account. You have potentially given away access to the whole UGA network. And that could cause problems for everyone!

We all need to remember that once a phishing email gets into someone's inbox, it's up to them (the email account holder) to avoid falling for it. To put it bluntly, if you click the link, provide the info, download the attachment or reply to the message, it's all on you.

We do what we can to protect everyone with a UGAMail account by doing things like blocking known phishing sites, but we can't protect people from themselves.

Schedule email

Wondering why we wrote the web link in number 2 as "uga[.]edu"? That's to avoid putting a live clickable link in the post. We do it with email addresses sometimes too - name[@]uga[.]edu. It prevents people from clicking through or accidentally connecting with the University's homepage or an email account.

‘Tis the Season – for Phishing! (A Fresh Phish PSA)

Forgive us for the lengthy post. There's a tl;dr at the bottom of the post.

With the holidays right around the corner, phishers everywhere are gearing up for jolly seasonal scams and attempting to hook a sucker. It’s time to pay extra close attention to your inbox and your wallet.

In 2015, the Anti-Phishing Working Group (APWG) reported a 48% hike in phishing attempts during November. (The APWG is an international group dedicated to fighting phishing.) They expect to see that big a jump or more this year. True facts.

We're here to chat with you about some of the more popular phishing attacks used during the holiday shopping season. No one wants to unwrap a phishing scam when there are much better presents out there.

Okay. So we are all likely to be in a rush, looking for deals, shopping online and snagging convenient shipping, right? Well, the phishers know that. And they will take advantage of us given a chance.

Phishing scams to be on the lookout for include:

  • Fake delivery notices (or fake "unable to deliver" notices).
  • Fake "we are holding your package" notices (there’s postage due, or it’s too big, or there is some sort of problem sending it along, etc.)
  • Fake receipts for purchases - these can look official. If you try to contact the sender to say you did not order anything, you will get caught in the scam. (Be on the lookout for attachments and hidden "click here" links in the body of the message.)
  • Fake travel reservations - phishers love to impersonate travel agencies and airlines. It must be the uniforms. These are especially dangerous if you just booked a flight or a room somewhere. Make sure the messages are from the services you used – if in doubt, we recommend going to the official site online and contacting the service to make sure they emailed you. It takes a little longer but can save years of grief that can come from identity theft after following a bogus link and filling in a form.
  • Fake e-cards from people you love or someone you have not heard from in a while are common around the holidays. Scammers will use online information about you to trick you into following a link to a fake online card service like Hallrnark (see the ‘r’ and the ‘n’ playacting at being an ‘m’?)
  • Fake requests for help from people who usually travel or who are likely to be out of the country. (They claim to have lost their wallet, gotten mugged, thrown in jail, etc.)

Online shopping can land you in a world of hurt if you fall for a deal that sounds too good to be true. Why? Well, if it sounds too good to be true, it probably isn't. It's probably a scam.

Pop-up stores are fairly common. They offer great deals on goods that are often out of reach. If you shop with them you give away your credit card number and your personal information, and usually get nothing but a case of identity theft.

Scams crop up on social media sites too. Fraudulent gift exchanges seem to be a big thing this year. They promise lots of goodies at the cost of your personal information. Volunteer to get presents from strangers? Why on earth would you want to do that?

This is also the big time of year for fake giveaways - like gift cards and shopping vouchers. All you have to do is give a scammer your personal details and a credit card number to prove you are old enough to participate. Then the card's in the mail! Along with a bill for hundreds of dollars’ worth of purchases you did not make, and maybe even a statement for a credit card you never applied for but seem to have maxed out.

Be alert to fake apps this year. There are loads of them out there. Many claim to belong to big-name, or at least well-known, retailers. So what's the big deal? Sign up and you give away your info. Several want you to associate them with your Facebook account. Doing that not only gives scammers access to a huge amount of your personal data, but can establish an inroad into the data of anyone associated with your account. (Nice present to give your friends, eh? Happy identity theft!)

And as if you did not have enough to worry about - be sure to keep a close eye on your credit cards. It only takes a moment to snap a photo of the front and back of your credit card, or jot down the numbers needed to commit fraud. The new chips go a long way toward preventing face-to-face credit card fraud, but those numbers are still super valuable for use in online shopping fraud. Make sure the card you get back is actually yours and review your statements.

Taking a break from the rush? Be super careful when using free Wi-Fi! That open hotspot is open to criminals too. And the password you got from the barista is just permission to access the network. It does not mean that the network is secure. Avoid logging in to any service online that requires a username and password. Be especially careful to avoid online shopping on public Wi-Fi.

tl;dr: Phishing is on an uptick for the holidays. Be wary of online deals, and watch out for fake apps, long-time-no-see contacts, giveaways and appeals for assistance. And be super careful on free Wi-Fi. Phishers gonna phish and scammers gonna scam.

Be safe!

Alert from Helpdesk!!

Reported on November 17, 2016

Whoa! Our expert phish spotters are in full form today. The phish we are going to look at has been reported dozens of times since it arrived in email boxes. Well done, everyone!

One of the most common comments about this email has been how people are sooooo tired of getting these messages.

We're all in this together, my fellow phish foilers, and we appreciate every time you report a phishing attack. We also want to recognize everyone who just growls or mutters and presses the 'delete' key. We smile every time you give phishing the finger (we mean the one that presses the delete key, of course!)

Read through this message. Now think about it and ponder the phishy mysteries:

  • Who is "system administrator"?
  • Does it ever state that the messages belong to you?
  • Why on earth would anyone want to log in and wait for a response, especially from the somewhat sinister-sounding "Administrator"? That could be anyone!
  • Does "login and wait" sound like normal behavior to you?
  • "Inconveniece" and "understanding", eh? We understand that this inconvenience is a phishing message.
  • Do you ever wonder what percentage of phishing emails end with "Warm Regards"? Or "Kind Regards", for that matter. We're betting it's a high number.
  • Oh, yeah - We prefer to use EITS Help Desk and we almost always include a contact number.

It's been a while, so we are sending a shout out to all the amazing support people at Weebly. They always respond promptly and efficiently to our reports of phishing. Thanks.

From: Amanda Lastname <alastname@uwo.ca>
Sent: Thursday, November 17, 2016 11:50 AM
To: info1@uwo.ca
Subject: Alert From Helpdesk !!

This is an E-Mail service alert from service administrator. Some incoming mails have been placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE [link to a help desk form at Weebly has been removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.

Warm Regards,
Helpdesk Administrator.

IT NEWS and Helpdesk

Reported on November 14, 2016

Despite our best efforts, phishers gonna phish.

Messages that our expert phish spotters quickly delete have once more found victims. We have removed the unfortunates' names - and will do our best to protect them from further attacks. The truth is that there is no way to be 100% certain that an email recipient will avoid clicking on a link and giving out their credentials.

Neither of the featured messages came from EITS. What makes that clear?

In Message 1 the most obvious indicators that the message is a phish are:

  • EITS will not ask for your username (email) and password in an email. That's 'will not' as in never ever.
  • As your email provider, we won't make you responsible for applying an email security upgrade. We'll handle that. (But you still need to keep your own browsers and software up-to-date!)
  • EITS won't threaten to deactivate your account if you don't apply a non-existent upgrade.
  • Links from EITS will almost always be presented as full URLs. If you are ever in doubt, you can contact the EITS Help Desk to confirm an email is legit.

Message 2 is similar to Message 1 in many ways. Do a compare and contrast - see what you think.

In both these messages, sentence construction and word choice are very odd. You really have to wonder why a phisher thought that claiming a bigger email account would increase security, and that this would prompt someone to click.

We're pretty sure that "maximum security" is what elicited responses.

We all want our online life to be as secure as possible. To do that, we need to learn how to avoid getting caught in phishing scams, keep our software, browser and apps up-to-date, make sure our firewalls are healthy and our antivirus is too.

Take some time to think about these two messages. Try reading the messages aloud. Do they make sense? Do they sound legit? Nope.

Don't get caught!

Message 1

From: User Name <username@uga.edu>
Subject: IT NEWS
To: admi.n@uga.edu

Good Morning,

We have increased the size of UGA Mailbox and also our Security Strength to ensure maximum security of your mailbox. To upgrade Click HERE[link to sketchy looking contact form removed] now and follow instructions.

Or send

Email:

Password:

Failure to upgrade will lead in de-activation of your account.

Thanks !

ITS Helpdesk

Message 2

From: User Name <username@uga.edu>
Subject: Helpdesk
To: User Name <username@uga.edu>
CC: User Name <username@uga.edu>

This is an Email Service Alert from Helpdesk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICKHERE [link to a site on Weebly has been removed] to Activate. 

Warm Regards,

Helpdesk Administrator.

Swedish Fish Phish

Reported on November 2, 2016

You keep hearing that phishing is a problem worldwide. We have a treat for you!

Package of Swedish Fish candies

It's a Swedish phish. Well, Norwegian, actually. But that's just not as funny. Okay. Maybe that's a little lame. Here's the phish.

From: Christian Gamborg
Sent: Sunday, October 30, 2016 11:34 PM
To: Christian Gamborg
Subject: Passordet ditt utløper i noen dager tid

Passordet ditt utløper i noen dager tid, vennligst klikk på IKT Service Desk [Link to a fake service desk login screen removed] for å logge på og oppdatere gamle passord og automatisk oppgradere til den nyeste e-post i Outlook Web Apps 2016.

Hvis passordet ikke har blitt oppdatert i dag, vil kontoen din bli suspendert innen 12 timer

Help Desk Administrator
Koblet til Microsoft Exchange
© 2016 Microsoft Corporation. Alle rettigheter reservert

Translation

From: Christian Gamborg
Sent: Sunday, October 30, 2016 11:34 PM
To: Christian Gamborg
Subject: Your password will expire in a few days' time

Your password will expire in a few days' time, please press the ICT Service Desk [Link to a fake service desk login screen removed] to sign in and update old passwords and automatically upgrade to the latest e-mail in Outlook Web Apps 2016.

If the password has not been updated today, your account will be suspended within 12 hours

Help Desk Administrator

Connected to Microsoft Exchange

© 2016 Microsoft Corporation. All rights reserved

See? Everyone in academia gets this sort of phishing email. It doesn't matter where you are: It matters what you do when you get one.

You can't eat it - so delete it!

Someone searched your profile

Reported on November 2, 2016

We did a total head tilt when this phish was reported. We're pretty sure it came from a legit address at Duke. That could be a spoofed address, but we have a degree of certainty that it came from a compromised Duke account. Red flag!

It's addressed to "you". That's really strange, but, yes, that's what it really said. And the generic "Dear Member" greeting? Wow. Definitely not personalized in any way. Member of what? Red flag!

So, someone searched your profile on an unnamed site and wanted to post a picture. The profile is presumably at Duke. So why contact you at UGA? Shouldn't you have a Duke email account if you have a Duke profile? GAH! They are using confusion as an emotional lever. Red flag!

Then you are supposed to click a link that is hidden behind text? Red flag!

And when you hover your mouse over the link (without clicking!) it points to a site that is neither at Duke nor UGA. What is that undecipherable gobbledygook of a URL? RED flag!

Then no signature. And a bogus safety message? RED FLAG! RED FLAG!!!!!

We think we've made our point. This message is chock-full of red flags. We hope no one was hooked by this email. If you were, please let us know. You may be on the hook for clicking the link, but we can help with catch and release.

From: Profile Alerts <username@duke.edu>
Sent: Wed 11/2/2016 1:54 PM
To: you
Subject: Someone searched your profile

Dear Member,

Someone searched for your profile information and requested to post a picture.

Click here for more information [Link removed. Trust us, you did not want to go there.]

Note: We limited the information shared for safety reasons.

Review Info

Reported on October 28, 2016

The email in this example has been altered to protect the privacy of the person who sent it. The sender's name, email address and telephone number have been hidden, as have the contents of their 'Quick Steps' box.

This message is a perfect example of a phish that includes an attachment. The language in this email is designed to pique your curiosity and entice you into opening the attached 'REVIEW DOC' pdf.

This is a very dangerous phishing message! Did you notice that the email is well written and reasonable? The only thing to warn you it might be a phish is the unexpected inclusion of an attachment. If the phisher had included our names on this we might have fallen for it.

We were curious to see what the attachment contained, so we opened it in a secure environment. Do NOT try this at home. Or on campus! You do not want to be responsible for infecting any part of the UGA network.

The attached pdf contained a link embedded in a button. So, the phishers set things up so that you would download malicious software (malware) when you opened the document, when you clicked the button, or on the website the button linked you to. Fortunately, the techniques we used helped us avoid a malware infection.

The email:

Phishing email with dangerous attachment

The attachment (opened):

The email attachment

Don't worry, we opened the attachment in a protected environment. It's our job to keep the network safe!

IT-Service Pass-word Update

Reported on October 27, 2016

This short and simple email is filled with red flags! Sadly, it has had some victims fall for it. Let's go back to the old approach: ask a few questions and see what you can learn.

Ask yourself:

  1. Who is username at aup.edu (American University of Paris) and why are they telling you that your pass-word will expire? How do they know?
  2. Why will your reply go to a non-UGA email address?
  3. I'm not even addressed by name. How do they know they have the correct person?
  4. Why is the email using pass-word instead of password?
  5. Hover over the link to discover that it points to tripod - why is it going there and not to uga.edu?
  6. Why is the message signed by IT-Service Help Desk and not EITS Help Desk?
  7. Your pass-word will expire in 2 days? Would EITS send an email like this one?

And answer your own questions:

  1. Who knows? They are at a different university and have no way of knowing the status of your password.
  2. Your reply will go to a non-UGA email address because this is a phishing message. If you do not reply, you will not get phished.
  3. Why are you not addressed by name? Probably because the phishers don't even know who you are. They don't care who you are, either. They just want your information. EITS will include your name in emails.
  4. Phishing messages are known for their spelling errors and strange grammar. Not all phishing messages are transparent, but many are easy to spot based on spelling and grammar alone.
  5. If you see a non-UGA website associated with a form or request for personal information, do not click through to it. It's almost guaranteed to be a phishing site. If this message were from EITS it would point to a uga.edu website and the link would be typed out so you could copy and paste it into your browser.
  6. This is an easy one! Because it's not from EITS!
  7. EITS does send out password expiration notifications, but they include all the information you need to navigate to the proper page, make the changes and get help if you need it. Plus the email will be addressed to you, not an email service, and include your name in the greeting. And they aren't going to give you a short deadline and threaten to cut off your email service if you fail to act immediately. That's what phishers do.

From: User Name <username@aup.edu>
Sent: Wednesday, October 27, 2016 4:14 PM
To: info(at)mail.com.
Subject: IT-Service Pass-word Update

Your pass-word will expire in 2 days. to keep your pass-word. CLICK=HERE [the link to a dodgy looking form at tripod has been removed] to update immediately

Thank you,
IT-Service Help Desk.

RE: Mail - To Be Deleted

Reported on October 23, 2016

Wow. Just. Wow. Talk about an email designed to make someone freak out. I'm sure that this was one of the first email messages seen by the departmental account's owner early in the morning. Absolutely no one wants their email account deleted!

Think about this one. Would you have clicked the link to save an important email box like this? Be honest, now.

Fortunately, this landed in the inbox of an extremely expert phish spotter who knew that an active departmental account was not going to be deleted.

So what can we learn about this email?

Looking at the 'From' address, we can tell it was sent from an account in South Africa (.za). That should set your phishy sense tingling! You know there is something wrong with this message.

The greeting is directed at the email account name. It should call the account owner by name. Generic greetings are not unusual, but somebody knows enough about UGA to know that this is a valid email address. Slightly freaked out: Getting more tingly!

Wait! Is that a link hidden behind text? EITS won't do that. EITS is up front about linking - they rarely include an active link (one you can click on) and they will NOT hide it behind text. Phishy senses going *tingle tingle*

Remember, "If you hover, you discover!" A careful mouse-over shows that link goes to a form hosted at a Spanish site. South Africa AND Spain? Those phishy senses are feeling more like a power surge now.

And that sign off! 'The E-MAIL tearn'? Say what? Check that spelling. Our phishy senses are so set off that we feel like we're in the middle of a Tesla coil. Whoa!

Trust your phishy senses and avoid the net. Phishers gonna phish.

From: MAIL NOTICE <infomailbox@jsglobal.co.za>
Sent: Wednesday, October 23, 2016 4:27 AM
To: Departmental Account Name
Subject: Re: Mail - To Be Deleted

 Account to be deIeted                

Deardepartmentalaccount(at)uga.edu

A request to cIose your account was recently sent to us from your Account  departmentalaccount(at)uga.edu

Don't recognize this activity? Kindly cancel below if this request is not from you.  CANCEL REQUEST [link to sketchy site in Spain removed to protect the innocent]

 The E-MAlL tearn



You received this mandatory announcement to update you on important changes with your account.   

Blackboard Phishing Emails

Reported on October 21, 2016

The phishers are working so hard this week, you can almost smell the virtual chalk dust from their Blackboard emails!

We have seen two basic types of these messages. Both are designed to lure you into clicking on a bogus link to read communications from a 'faculty admin'.

These phishing emails seem to be targeted at administrators. They are being delivered to departmental accounts and people who might actually have content on a Blackboard site.  If they clicked the link, they could give the phishers access to the departmental account and, possibly, a way into the University network.

Fortunately, we have several expert phish spotters out there who reported these messages to abuse@uga.edu. Thank you, phish spotters! Keep up the good work.

Many of the standard red flags are here:

  • Generic recipient (An Assistant Dean? Really!?!)
  • Odd subject lines - one provides too little information and the other too much
  • Generic greeting - that incorporates an email address as a name
  • Strange grammar
  • Generic sign off

And we especially liked the three exclamation points behind "Blackboard Learning !!!" in the second message. Very professional.

Message 1

From: Justin Fowler
Sent: Wednesday, October 19, 2016 4:10 PM
To: An Assistant Dean
Subject: Re: Blackboard


To: deptaccount@uga.edu

You have two important message from Admin Faculty stored in Blackboard site.

Please click below to read the message.

blackboard.com/deptaccount@uga.edu/msg/admin/faculty/use382211 [This link that looks legit but took you to a South American site has been removed.]

The link above will be inactive after this mail has been read

Thanks

Blackboard IT Learning

Message 2

From: Faculty & Staff
Sent: Wednesday, October 19, 2016 5:10 PM
To: deptaccount@uga.edu
Subject: Re:You have two important message from Admin Faculty stored in Blackboard site.


Dear member : deptaccount@uga.edu
You have 4 notification messages from your faculty admin.
Click below URL to read

blackboard.com/deptaccount@uga.edu/mail&_mbox=INBOX/15554ecbfef56e12 [Yet another bogus link removed for your protection.]


Thanks
Blackboard Learning !!!

Reservation Confirmation

Reported October 13, 2016

Getting ready to travel? Headed south for the Georgia/Florida game? Be on the lookout for reservation scams. Remember, the online bad guys know our academic schedule — they know when Fall Break occurs and what most of us will be doing. So, they — being devious — think they can trick us with a fake reservation scam.

Take a look at this one.

Can you spot the red flags? (The four big ones are listed under the email.)

From: Judy Baker <nameofaccomodation@gmail.com>
Sent: Thursday, October 13, 2016 10:49 AM
To:
Subject: Reservation Confirmation

Dear Sir

Sequel to our earlier conversation please find our reservation confirmation in the below link:

Reservation Confirmation [Link to a document on Google Drive removed.]

I await your email confirming all is ok as we would be arriving on friday 14th october.

Yours truly

Ms Judy Baker

  1. It's not addressed to you.
  2. There's a generic "Dear Sir" when it should be your name. (Funny: A lot of women reported this one.)
  3. The language is strange — read it aloud — stilted fake-professional mixed with casual phrases.
  4. The link is hidden behind the "Reservation Confirmation". Where does it actually take you?

If you click the link to confirm your reservation, or try to figure out who the email was really meant for, you will probably download malicious software.

Expert Phish Spotter Tip

"If you hover, you discover!" said a very nice young woman in a recent session we taught.

If you don't already know, you can hover (position) your mouse cursor over a link and the URL will pop up so you can read it. Don't get caught by links hidden behind plain text.
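The hover check in this tip, together with the lookalike spellings called out in other posts on this page (Hallrnark, deIeted, the E-MAlL tearn), can be automated when reviewing a reported message. The script below is an added example, not Fresh Phish or EITS tooling; the sample HTML body, the trusted-domain set and the protected word list are constructed assumptions.

```python
# Added example (not Fresh Phish or EITS tooling): automate two of the red flags
# above, "if you hover, you discover" and lookalike spelling (Hallrnark, tearn).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body, not a real message; it combines the tricks the posts
# describe: generic CANCEL REQUEST / CLICK HERE anchors, link text naming one
# site while the href goes elsewhere, and capital-I / rn substitutions.
SAMPLE_HTML = """
<p>Dear Member,</p>
<p>Your account will be deIeted. Don't recognize this? Kindly cIose the
request here: <a href="http://forms.example.net/cancel?u=1">CANCEL REQUEST</a></p>
<p>View your card at <a href="http://hallrnark.example.org/card">Hallrnark</a>
or visit <a href="https://www.uga.edu/">uga.edu</a>.</p>
<p>Messages: <a href="http://198.51.100.7/bb">blackboard.com/deptaccount@uga.edu/msg</a></p>
<p>The E-MAlL tearn</p>
"""

# (what the phisher typed, what it is meant to look like); the first three are
# the substitutions quoted on this page, the rest are other common ones.
LOOKALIKES = [("rn", "m"), ("I", "l"), ("l", "I"), ("1", "l"), ("0", "o"), ("vv", "w")]
# Assumed vocabulary worth protecting: brands plus words phishers misspell.
WORDS = {"hallmark", "email", "e-mail", "team", "deleted", "close", "account",
         "helpdesk", "blackboard", "target", "uga", "eits", "password", "login"}
GENERIC_TEXT = re.compile(r"(click\s*here|login|sign\s*up|cancel\s*request)", re.I)
LOOKS_LIKE_ADDRESS = re.compile(r"\b[\w.-]+\.(edu|com|net|org)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every anchor plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); IP literals are returned unchanged."""
    if re.fullmatch(r"[\d.]+", host):
        return host
    return ".".join(host.lower().split(".")[-2:])


def hidden_link_findings(links, trusted_domains):
    """Hover check: anchors whose real destination lies outside trusted domains."""
    findings = []
    for href, text in links:
        # .hostname drops userinfo and port, so http://uga.edu@evil.example/
        # is judged by evil.example, not by the uga.edu decoy in front of it.
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in trusted_domains:
            continue
        reason = "destination %s is outside the trusted domains" % (host or "(none)")
        if GENERIC_TEXT.fullmatch(text):
            reason += "; generic '%s' text hides the destination" % text
        elif LOOKS_LIKE_ADDRESS.search(text):
            reason += "; visible text names a different address"
        findings.append((text, href, reason))
    return findings


def lookalike_words(text):
    """(as written, intended) for tokens that only become a known word after
    undoing one lookalike substitution, e.g. Hallrnark -> hallmark."""
    found, seen = [], set()
    for word in re.findall(r"[A-Za-z0-9-]+", text):
        if word.lower() in WORDS or word in seen:
            continue
        for typed, meant in LOOKALIKES:
            fixed = word.replace(typed, meant)
            if fixed != word and fixed.lower() in WORDS:
                found.append((word, fixed.lower()))
                seen.add(word)
                break
    return found


def analyse(html, trusted_domains):
    """Run both checks over one HTML message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return {"hidden_links": hidden_link_findings(parser.links, trusted_domains),
            "lookalikes": lookalike_words(" ".join(parser.text))}


if __name__ == "__main__":
    for key, items in analyse(SAMPLE_HTML, {"uga.edu"}).items():
        print(key, *items, sep="\n  ")
```

The naive two-label domain rule is enough for the sample but would lump co.uk or co.za hosts together; a real deployment would use a public-suffix list.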

Don't Trust Secret Shopper Emails

With the holidays just around the corner, some of us may be on the lookout for money-making opportunities. And we're sure to find money-making scams. That is, scams the phishers use to make money.

We all consider picking up a few hours at a part time job now and then. Finding a dream situation where we can do work that returns good money for our precious spare time is on all our minds. But when you find that perfect little side job, you really need to take the time to be sure that job's legit and not a scam.

One of the more popular scams is the Secret Shopper scam. Now, mind you, there are a few legit secret shopper services out there (or so we have been told). However, if an unsolicited invitation to earn money fast lands in your email inbox, it's more than likely a fake.

Secret Shopper scams promise decent amounts of cash fast. Many throw around amounts like $200 a job, for mere minutes of your time. Whenever you see big money offered for a little effort you should be cautious.

In these scams you usually get a check for a large amount of money. Then the following happens:

  1. You are instructed to deposit the check and use your $200 "commission" to buy whatever you want at Target.
  2. The bank releases part of the funds while they hold the rest.
  3. Oh, and you need to wire the remainder of the money to the next Secret Shopper.
  4. You shop.
  5. You send the funds on.
  6. You find out the check was a fake and you are in big trouble with your bank.

Here at Fresh Phish we recently saw a Target Shopper Scam that looked a bit like this:

Job Offer

Reported on 10/11/2016

Become A Target Shopper          

[Official looking Target banner here]   

Receive $200 to spend at Target for FREE!

Buy anything you want in store and give your honest opinion.

 Join Target Shopper USA.

  • Review Requirements:
  • Store Layout
  • Staff Friendliness
  • Product Selection
  • Value for Money

So What Happens Now?

Register and if you are selected, you will be sent a free $200 for spending at Target Stores.

 Click 'Sign Up' and then complete all of the required fields.

  • If you are selected to be a Target shopper, you will be sent a free $200 for spending at our shops.
  • Send us your review for your Target shopping experience.
  • Your review will make a difference for providing better services.
  • Reviewers are selected at random every week and if selected, you will be contacted via phone or email.

Sign Up [This link to a Latvian website designed to look exactly like Target's has been removed. Latvia? Really?]       

Copyright © 2016 Target.com, All rights reserved.           

I love how this reads, "Register and if you are selected..." You can take that to mean "Give us your personal information and we will gladly scam you."

BTW - There is no mention of Secret Shoppers on the Target website. And we couldn't find anything on Target Shopper USA in a web search - it simply doesn't exist.

Be careful out there. Phishers gonna phish.

Dear uga.edu User and RE: Admin Notice

We have seen a few of these sorts of phishing email this week. Have you gotten one?

Sadly, it appears that at least one of our own may have been caught by the first message and now that account is spamming its contacts list.

Let's take a look at the message to see what may have prompted someone to click on the links and give away their credentials. It's an extremely basic phish - it's a "Do this thing or you will lose access to your account" type - that really should not fool anyone.

We can guess that it probably arrived as the recipient was dashing out to an 11 A.M. class. In a hurry, they likely paused long enough to click the link and fill in a form before running to class. No student can afford to be without email!

The sad thing is, most online criminals know us pretty well. They understand human nature and do not scruple to take advantage of us. Monday morning is a great time to send a phishing attack. (So is Friday afternoon.) We are busy, in a hurry and vulnerable. Phish while the victims are jumping!

The second message is the same kind of phishing attack. It threatens to take away a service most people depend on. It may look different, but it is essentially a threat. Threats are a red flag - a warning - that an email is a phishing attack.

Compare the messages:

  • The subject lines are unbusiness-like, telling you nothing useful.
  • Both have generic greetings - you are not mentioned by name.
  • Each message threatens to take away your email service.
  • Instructions to "CLICK HERE" or else are given. (In all caps no less. How Rude!)
  • Both feature generic sign offs - one just reads "Thank You" while the other at least attempts to seem official with a technical sounding title and a phone number.

You must always remember these two things:

  • EITS will never ask you to confirm your account details in an email.
  • They will not use CLICK HERE as a link.

If you can keep these two simple facts in mind, you can avoid getting caught by many of the phishing emails that find their way into your email box.


Message 1

From: UserName <username@uga.edu>
Sent: Monday, September 26, 2016 10:49 AM
To: aguy@gmail.com
Subject: Dear uga.edu User,


Dear uga.edu [link removed] User,

Verify your uga.edu [link removed] Email email account
to avoid email suspension CLICK HERE[link to a phishing webpage removed]

Thank You

==========

Message 2

From: User Name <username@aston.ac.uk>
Sent: Friday, September 30, 2016 11:00 AM
To: A well known fitness tracker company
Subject: RE: Admin Notice


Dear Customer/User,


You will not be able to send/receive more emails until you visit the below helpdesk portal link to restore/confirm your email access.


CLICK HERE [link to a non-uga website removed]



System Administrator
201.286.2331

Welcome Back, Everyone!

Things have been a bit hectic across campus as you all know. That means things have been hectic here at Fresh Phish, too. We have all finally had a chance to catch our breath and now we can get down to writing about phishing.

Bear with me while I cover this for our new Phish Spotters, m'kay?

We spend most of our time here at Fresh Phish talking about phishing email. That's the email you find in your inbox that has been sent by online criminals. Online criminals like to try and catch you in a busy moment, or at a time you are not paying attention. They are trying to take advantage of you and trick you into giving them personal information.

What kind of personal information? On campus it's most often your UGA MyID (or any other username) and password. They like to pretend they are with IT services and that your email has a problem. Or, has been upgraded.

But the bad guys don't stick to campus. So you need to learn how to spot phishing messages in all your email accounts.

How to Spot a Phish

With a little practice, phishing is fairly easy to spot. Most phishing email includes what we call red flags:

  1. Wants you to take action (like validate your webmail login or upgrade an account)
  2. Has a close deadline for acting (or it implies do it NOW or suffer the consequences)
  3. Features poor grammar and spelling ("All staffs and students are require", etc.)
  4. Threatens to remove access to a service (stop or limit access to your mailbox, etc.)
  5. Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request. (Fail to do this and suffer the consequences!)
  6. Has a generic recipient (like "Dear UGA webmail user")
  7. Asks you to provide your UGA MyID and password (usually in an online form you click through to)
  8. Provides a bogus link to a bogus page with a bogus form on a bogus phishing site. (Bogus is such a great word, isn't it? So emotive. You get the idea.)

If you need more information about phishing emails, you can visit our Phish Tank webpage.

If you need to report a phishing email, you can forward it to abuse@uga.edu.

Dear Email User, Access to Your Account and Mailbox Size Increased

Received on August 16 - 22, 2016

Here are examples of the sorts of phishing emails you will see almost every day. Two of the most important things to remember during your time at UGA are the following:

  1. EITS will never ask for your UGA MyID and password.
  2. You will never receive messages from EITS asking you to log in to upgrade your inbox.

Example 1

Dear Email User,

 Due to our system update, we urge all Account Users to verify their email by Click verification update email CLICK HERE [link removed] to upgrade your M.H.B Upgrade quota limit.

 Your account will be verified within 24hours

 Thanks

UGA © 2016  All Rights Reserved.

========

Example 2

Access to your  Account is about to expire, We recommend that you update to avoid account suspension. Please kindly follow link and verify your email account CLICK HERE [link removed].

========

Example 3

We have increased the size of UGA Mailbox and also our Security Strength to ensure maximum security of your mailbox. To upgrade LOGIN [link removed] now and follow instructions. Failure to upgrade will lead in de-activation of your account.

Thanks !

ITS Helpdesk

Why are you still getting phishing email? Our email system handles millions of emails on a daily basis. Some phishing messages get through. Reporting phishing helps us fight it and stem the tide. Phishers gonna phish.

Verify

Reported on July 2 - July 5, 2016

It's been a while since the last Fresh Phish post. Not because there have been no attacks, but because there have been far fewer. Almost all of them have been repeats of familiar phish. But as we start getting closer to Fall Semester, you can expect to hear more from us.

Over the long 4th of July weekend the phishers decided to resurrect one of the oldies. It's short, it's direct and it's pretty obviously a phish. And it demonstrates that the bad guys know us far too well.  

Many of us were out of town for the 4th of July holiday, maybe using free wi-fi at a hotel, or on the road. That would mean we were using services and IP addresses that we don't normally use, right? Right!

This particular phishing attack is designed to take advantage of our over-the-long-weekend travels and trick us into giving up our credentials.

You know we don't name names here at Fresh Phish, but we will tell you that at least three of our own were tricked by this phishing message. They provided their UGA credentials as requested and lost control of their email.

Now their UGAMail accounts are being used by the phishers to distribute even more phishing email. That means a stranger has access to all the victims' email, all their contacts and probably a good portion of their lives.

We have received more than 60 reports of this phishing attack. Our expert phish spotters are hard at work! And the phish spotters are coming from people all over campus. After looking at several reports, a visible pattern to the attack is emerging. Let's take a look.

This particular version of the attack started either late on July 1, 2016 or very early on July 2, 2016. The machines of the victims started sending out phishing messages late in the day on the 2nd.

Our expert phish spotters started reporting the phishing attack almost immediately. A few more reports came in on Sunday, and a flood of reports came in on Tuesday the 5th.

So what is important about this timing pattern? It shows that the phishers know what they are doing. More importantly, they know what we are doing. And what does that mean?

Phishers know when to attack us. They follow patterns in our behavior and attack while we are engaged and vulnerable. Friday, July 1st, we were getting ready to go out of town, in a hurry and likely to respond without really thinking.

Even though a few people reported the message over the weekend, most of the reports came in on Tuesday the 5th, just as we were all getting back from our long weekend. Once again, we were in a hurry, getting geared up for another work day and deep into our email.

It is likely that we will see more victims as more people return to campus for exactly these reasons.

From: "User Name" <username@uga.edu>
Date: Sat, Jul 2, 2016 at 8:46 PM -0400
Subject: Verify
To: "User Name" <username@uga.edu>
Cc: "User Name" <username@uga.edu>


Your e-mail account was LOGIN today by Unknown IP address: 103.240.180.228, click on the Administrator link below and LOGIN [link to a webform at a non-uga removed] to validate and verify your e-mail account or your account will be temporary block for sending more messages.

Here at Fresh Phish we sometimes get email reports and can track the level of "good" mail versus the level of spam. (Phishing is a type of spam.) It's easy to see that when the volume of good mail goes up, spam goes up; when good mail goes down, spam goes down.

The bad guys know us very well. If we get to know them too, we can better respond to their attacks and avoid getting caught.

Fresh Phish's First Anniversary - July 2, 2016

Just a quick note from us to you.

The past year has seen an increase in the number of phishing attacks being reported by you, our expert phish spotters. We appreciate your time and effort in working to promote phishing awareness here on campus. Keep up the good work.

Thank you too, to those phish wranglers who know that the 'delete' key is one of the most powerful weapons we have against phishing. You are our silent partners, but we appreciate it every time you press that key.

Keep on fighting the good fight. Because we all know that phishers gonna phish.

Hello, VERIFY, Alert, IT NEWS

Reported May 20 - June 8, 2016

The phishers are at it again.

After a bit of quiet time here at Fresh Phish, we've seen an influx of messages over the last couple of days.  Most of these messages are the kind that our Expert Phish Spotters either report or delete as soon as they arrive in UGAMail inboxes.

Unfortunately, some of our own are still being tricked by the wiles of phishers. That's the case in the first three messages in today's post. These are examples that have been reported dozens of times.

As our Expert Phish Spotters could tell you, they are common phishing emails of the sort that arrive in our mailboxes every day. You can feel free to delete them or report them to EITS. Each of these messages features the red flags that distinguish them as phishing messages: generic subjects, no greeting, poor grammar, links to non-UGA webforms on non-UGA websites and incorrect or non-existent signatures.

We included message number 3 to demonstrate the horrors of having your email contacts raided. An entire contact group has been sent this phishing email. Will they fall for it? Who knows? It will look like it came from a trusted sender, so it is likely that at least one of that long chain of User Names will click the link, fill in the form, and give out their credentials.

Imagine having to explain to all those contacts that you were phished and no, you did not send them that email.

Message number 4 is worth mentioning. There is some lazy phishing going on there. It appears that a phisher has recycled this message. How so? It claims to be sent to a UGA user, and to come from the UGA Webmail Maintenance Team (there isn't one by that specific name, BTW), but it prompts the recipient to upgrade their WSU Outlook account.

Message 1 - hello

From: "User Name" <username@uga.edu>
Date: June 8, 2016 at 7:12:45 AM EDT
Subject: hello

Due to our system update,we urge all Account Users to verify their email by Clicking on deactivate/activate your mail [link to form at Weebly removed] .
Thanks!

Message 2 - VERIFY

From: User Name
Sent: Tuesday, June 07, 2016 1:16 PM
To: User Name <username@uga.edu>
Subject: VERIFY


Your email will be shut-down due to several negligence of emails regarding mailbox upgrade. To avoid this please click HERE [link to faked form at Weebly removed] and verify your mailbox.

Warm Regards,
Help-desk Administrator

Message 3 - alert

From: User Name
Sent: Tuesday, May 31, 2016 3:45 AM
To: User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name;User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name;
Subject: alert


Your email will be shut down due to several negligence of emails regarding mailbox upgrade. To avoid this please Click Here and verify your mailbox [link to bogus UGA form at Weebly removed]

Warm Regards,
U G A Helpdesk Administrator.

Message 4 - IT NEWS

From: "User Name"  <username@student.swosu.edu>
Date: Fri, May 20, 2016 at 6:47 PM -0400
Subject: IT NEWS
To: "Www Info-Admin" <info@uga.edu>


Dear UGA User,

You have exceeded the limit of your mail box quota, and your currently have emails pending in our servers yet to be delivered to your inbox.

You will not be able to receive or send new emails until your increase and boost your Mail box size.


Login in HERE [link to form at Jimdo removed] to upgrade your WSU outlook email.


Technical Support
Copy right © 2016,
UGA Webmail Maintenance,
All Rights Reserved.

Remember, phishers gonna phish. Don't get tricked by Phishy McPhishface.

Phone Phish: A Phish of a Different Color

We just received a report of a very clever phone phishing scam. (Yes, phishers use the phone, too.) It is definitely a phish of a different color, but it still stinks.

Someone has been misrepresenting themselves as a member of the "EITS – Information Security Support Team".  The number they call from showed up as Caller-ID 000-000 (this may not be the only number that will appear.)

The phisher informed the call recipient that their computer was being used as part of a botnet. The phisher then tried to convince the person they called to download the new EITS malware uninstaller. The call was disconnected before full instructions and a download URL were provided.

Straight up heads up: IF you get a call like this, it is not EITS calling you about installing security software. Do not agree to install anything on your computer if you receive a call like this.

A brief note for those of you who may not know what a botnet is: A botnet is a network of computers connected to the internet that have been taken over by an attacker. Botnets can be used in all sorts of ways without the permission or knowledge of the people who own them. Botnets are commonly used to distribute spam and malicious software.

Illegal Access Blocked (Read).

Reported 5/19/2016

Phish Spotters! Cry havoc! That this foul phish shall smell above the earth. What odious and odorous phish is this?  

This phishing attack is an extremely dangerous one. And while paraphrasing Shakespeare may not help, raising awareness of this email will.

We got several reports of an "Account Termination" phish in the past two days. In fact, it was going to be the featured phish today. Then this beauty showed up!

The phishers pretend to warn us that the Account Termination email was a hoax designed to steal our credentials. They go on to say that they have "taken further steps" to apply security measures to prevent future phishing attacks. Our accounts can be made more secure if we just go authenticate them so the security measures can be applied.

What nerve! What planning!

If the link to authenticate were clicked, a bogus CAS page would pop up and, get this, we would give our credentials away. DO NOT click the link! Why? Because EITS will never ask you to provide your credentials in an email. That includes providing a direct link to a form where you can fill them in.

At least one person here at UGA has already lost their credentials to this attack.

From: User Name <username@uga.edu>
Sent: Thursday, May 19, 2016 7:08 AM
Subject: Illegal Access Blocked (Read).

Dear Colleague,

In light of the phishing attack message that was sent to various email accounts at UGA last week with subject "Account Termination". Please kindly disregard that message as it was a ploy to trick you into revealing your account details. We have taken further steps to prevent such attacks from happening in future.

To make your account more secure with our new UGA - Assist software now installed to protect all email accounts on our server, you will need to authenticate your account using the below link;

- AUTHENTICATE YOUR ACCOUNT NOW - [Link to a totally bogus http:// CAS login form at a site called bug3.com. Link removed.]

Once you authenticate you will get a confirmation message that your account has been authenticated.

Yours sincerely,

UGA Support Team

All the red flags are present, but a little skewed, in the message:

  • Wants you to take action (Examples: click and log in; validate your account.)
  • Has a close deadline for acting (Examples: implies right now.)
  • Features poor grammar and spelling (Examples: Incomplete sentences.)
  • Threatens to "remove access" to a service (Examples: More accurately, you have to activate the service or continue to get phishing email.)
  • Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request. In this case the response would be relief at not getting more phishing emails, and excitement about setting up the service.

If a service like UGA-Assist existed, don't you think EITS would apply it to all accounts and not waste time waiting for us to confirm we want it? Of course they would!

Phishers gonna phish.

Visa/Mastercard

Reported May 15, 2016

A new and different type of phish swam into the UGA waters this weekend. It's an attempt to get your credit card data that pretends to be from a UGA watchdog service called "securitywatch".

Fortunately, it is not too hard to spot if you are an expert. (A big shout out is due to ER who was the first to report this phish!) Unfortunately, it just may not be an easy catch for those who are just learning to be phish spotters.

If your email view allows you to see the sender's address, you can see that it actually comes from an address at telkomsa.net which is a large communications firm in South Africa. The 'to' address is update.net and the form is hosted at yet another site. None of them are UGA sites. This message is clearly a phish.

Take a look at the body of the message. It appears to state that someone tried to use your credit card from an unrecognized/unknown computer. Then it prompts you to go to a website and fill in all your account information for security or if you have "loosed" your credit card.

The message has no signature, no contact information, no company logos - would you trust this email? Of course you wouldn't, right? Right?

At the very least, you should question why your credit card is being monitored by a group called "securitywatch" at UGA. Especially since it does not exist!

From: "securitywatch@uga.edu" <telkomsa27954@telkomsa.net>
Date: Sun, May 15, 2016 at 2:19 PM -0700
Subject: Visa/Mastercard
To: "info@update.net" <info@update.net>


An attempt was made on your visa/mastercard from an unknown computer. So for security or loosing of your visa/mastercard, we therefore ask you fill in your data correctly to safeguard your credit card. click on this link: http://a really long link that is not secure and takes you to a non-UGA webform [link removed]

A Friendly Note From Fresh Phish

What a week for Fresh Phish! Finals week and commencement seem to have brought out all sorts of phishers.

It has been an extremely busy time for our expert Phish Spotters. Judging by the number of phishing messages being reported, they are working very hard to keep us informed about incoming phish. A big shout out to all of you - our Phish Spotters rock!

We have had a lot of repeat-offender type phishing messages. You know the ones - Update Your Password, Urgent Notice, Revalidate Your Account, Your Mailbox is Full, LOGIN from an unknown IP and so on - they show up all the time.

But did you know that they are actually not the same message? They may look identical, but the phishers have to constantly tweak their messages to get them into your mailbox. Email has filters - that's why some things end up in your Junk folder. The phishers know we use Outlook/OWA, so guess what? They do too! They can test their messages before sending them to our mailboxes. If delivery is successful during their test, it will probably work when sent to UGAMail boxes, too.

Phishers want your login credentials: your UGA MyID and password are valuable to them. If they have your login credentials, they have access to your UGA account. They can use your account for more phishing. They might use your account as a starting point for getting more access to the UGA network. If they can hack your machine (PC laptop, phone, etc.) they can use it to build up their own network. They just link it to all their other hacked machines.

That's why we keep telling you that EITS will NOT ask for your credentials. EITS will never ask for your password in an email. We won't send you an email with a clickable link so you can go to a website to validate your account, upgrade your mailbox, or reset your password. If you need to change your password, the proper website information will be included in the email but it will not have a link.

Remember our advice several posts back about hovering your mouse over links? If you hover your mouse over a link in an email you can see the destination, or where you would go if you clicked on it. If an email claims to come from the University and the destination is not a valid UGA website, this is a clear indication of an attack.

When you do a link check, be especially careful of links that use services that allow you to shorten URLs (Owly, TinyURL, bitly and so on.) Shortened links hide the destination URL. If you can't tell where you are going, you probably should avoid going there. Use your judgement!

Do you sometimes get phishing messages from uga.edu email accounts in your account? That generally indicates that either the sender's account has been compromised or the sender knows how to alter, or spoof, email addresses.

Phishing messages from compromised accounts are making the rounds. All UGA faculty, staff and students are vulnerable to them. After all, if you get one, you are likely to be in the sender's contact list. And we all are prone to trust someone we know.

Phishers are criminals. They work 24/7/365.

You have to pay attention all the time. If you don't, you are likely to get caught.

Phishers gonna phish.

Untitled, MAY 6TH 2016 and UPDATE YOUR ACCOUNT

Reported May 6 - May 9, 2016

Alas, Dear Phish Spotters, finals week has seen many email accounts fall to the insidious efforts of the phishers.

The three messages below have been reported at least 40 times each. They have affected multiple UGAMail accounts. And reports keep rolling in.

I suspect most of the phishing victims are students who, concerned with arranging the trip home for the summer, finals, communicating with professors and wrapping up projects with their groups, reacted to the original phishing messages without thinking.

Imagine, working hard all weekend just to get a message in your inbox that tells you your email is being held, or you need to validate your account, or you have to respond or your email account will be shut down.

We get it. We were students once ourselves, caught up in the rush, under pressure to wrap up a semester. We all make mistakes when we are in a hurry. And it is awful that there are email accounts that may be suspended for spamming or phishing because someone tried to do the right thing.

Phishing attacks are getting harder to spot but all the red flags are present in these three messages:

  • Wants you to take action (Examples: click and log in, validate your account or update your account.)
  • Has a close deadline for acting (Examples: all imply right now, though only one explicitly states that.)
  • Features poor grammar and spelling (Examples: from ADMINISTRATOR, was LOGIN today, our technical staffs.)
  • Threatens to remove access to a service (Examples: messages or email)
  • Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request.

The messages all are sent from trusted addresses - all uga.edu addresses are considered trusted - because UGAMail accounts have been compromised. That's how these messages end up in our inboxes. (The phishers might also fake a uga.edu email address.)

As far as links in email are concerned, get into the habit of looking at the address of any website that asks for your UGA credentials.

The part of the webpage address between the http:// or https:// and the first "/" should end in uga.edu (if there is no http:// or https://, look at everything to the left of the first "/"). Be aware that some UGA entities have their own, special, URLs. You can always use Google to check things out.
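As an added example (not the page's own code and not an EITS tool), the host rule above and the earlier advice about hovering over links and distrusting URL shorteners, written out as a Python check. The shortener hostnames are my assumption, and the email body it scans is constructed, modelled on the messages quoted on this page.

```python
import re
from urllib.parse import urlsplit

# The page's rule: the host must be uga.edu itself or a subdomain of it.
TRUSTED_SUFFIXES = ("uga.edu",)

# Hostnames of the shortening services the page names (assumed list). The real
# destination behind them is hidden, so the link is treated as unknown.
SHORTENER_HOSTS = {"ow.ly", "tinyurl.com", "bit.ly", "bitly.com"}


def extract_host(url: str) -> str:
    """Return the lowercase host of a link: the part between the scheme and the
    first '/', or everything left of the first '/' when there is no scheme."""
    if "://" not in url:
        url = "http://" + url  # no scheme given: what is there is host/path
    # .hostname drops any user@ prefix and :port suffix and lowercases the name,
    # so "uga.edu@example.net/login" resolves to example.net, not uga.edu.
    return (urlsplit(url).hostname or "").rstrip(".")


def is_trusted_host(host: str) -> bool:
    """True only for uga.edu itself or a label-aligned subdomain of it."""
    # A bare endswith("uga.edu") would wrongly accept look-alikes like notuga.edu.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url: str) -> str:
    """Return 'trusted', 'untrusted', 'shortened' or 'invalid' for a destination."""
    host = extract_host(url)
    if not host:
        return "invalid"
    if host in SHORTENER_HOSTS:
        return "shortened"
    return "trusted" if is_trusted_host(host) else "untrusted"


# Matches <a ... href="...">text</a> in a simple HTML email body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)


def check_email_links(html: str) -> list[tuple[str, str, str]]:
    """For each link in an HTML email return (visible text, real host, verdict),
    the same information hovering the mouse over the link would reveal."""
    findings = []
    for href, inner in ANCHOR_RE.findall(html):
        text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", inner)).strip()
        findings.append((text, extract_host(href), classify_link(href)))
    return findings


# Constructed sample body modelled on the phishing messages quoted on this page.
SAMPLE_EMAIL_HTML = """
<p>To make your account more secure you will need to authenticate using the link below;</p>
<p><a href="http://uga.edu.example.net/cas/login">AUTHENTICATE YOUR ACCOUNT NOW</a></p>
<p><a href="https://bit.ly/constructed">UPDATE Click Here</a></p>
<p>Questions? Contact the <a href="https://eits.uga.edu/support/">EITS Help Desk</a>.</p>
"""

if __name__ == "__main__":
    for text, host, verdict in check_email_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:10s} {host:25s} <- '{text}'")
```

The first sample link shows why the rule says the host must end in uga.edu rather than merely contain it: "uga.edu.example.net" is a host at example.net.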

That said, remember that nothing is 100%. Phishers are crafty. They know how to fake email addresses and webpages.

The single most important thing to remember in the case of each of these messages is that EITS will never ask you to provide your credentials in an email. That includes providing a direct link to a form where you can fill them in.

Message 1

From: User Name <username@uga.edu>
Sent: Friday, May 6, 2016 6:22 PM
Subject:


Several of your incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICKHERE [link to a Weebly page removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.

Regards,

Technical support team

=====

Message 2


From: User Name <username@uga.edu>
Sent: Friday, May 6, 2016 6:00 PM
To: User Name <username@uga.edu>
Cc: User Name <username@uga.edu>
Subject: MAY 6TH 2016

Your e-mail account was LOGIN today by Unknown IP address: 104.140.281.028, LOGIN [link to a Weebly page removed] to validate and verify your e-mail account or your account will be temporary block for sending more messages.

Warm Regards,
Help-desk Administrator.

=====

Message 3


From: User Name <username@uga.edu>
Date: May 9, 2016 at 9:30:14 AM EDT
Subject: UPDATE YOUR ACCOUNT

Due to our database maintenance equipment that is happening in our mail message center, This maintenance of quarantine will help us avoid this dilemma every day and with the new improved software it will provide our users with a new security system to protect our users from getting their accounts hacked.

We recommend that you update your account now to avoid termination or account de-activation.

UPDATE CLICK HERE  [link to a Weebly page removed]

As always, your privacy and security are of utmost importance to us. We apologize if you have experienced any difficulties due to this situation, and please know that our technical staffs are working to solve the problem.

Thanks for your anticipated co-operation,
Helpdesk Administrator.


Did you notice that the three messages listed in the post above all point to pages at Weebly? Weebly is an inexpensive web hosting service that is similar to Jimdo. In other words, it is a legitimate business that the phishers are taking advantage of.

Request to Appear in Court Letter and <User Full Name> - Testimonial Subpoena Letter

Reported on 4/28/2016

There has been a run of Court Summons emails at other universities of late. Be on the lookout - they may be featured in UGA email inboxes soon!

This is a heads up post; as such this post is a little different. The two examples below were forwarded to us from a security-minded individual at another university. (A shout out to RP! Thank you!) As far as we know there have been none of these messages received in UGAMail boxes. 

These types of phishing messages are downright vicious. They are manipulative, instill panic in just about anyone, and are almost guaranteed to provoke a response from the unwary recipient. And they make us mad as snakes.

The only recourse the recipient has - if they think the email is legit - is to reply or to call. Or do a web search and possibly land on a fake website. In any case they will be phish on the line.

My bet is that the phishers are after one of the first two responses. They want to know if the email address they are sending to is active. That gives them a foot in the door. Remember, the targets of these phishing attacks are at universities. Scoring access to a university network could mean big bucks to a phisher.

Summons Message 1

From: Matthew Siesel [mailto:the4js@cox.net]
Sent: Wednesday, April 27, 2016 4:21 PM
To: <Valid User at Other University>
Subject: <User Full Name> - Request to Appear in Court Letter

<User Full Name>

New York, NY
RE: NY-0669100

Dear <User Full Name>,
Your case has been set for hearing on 5/6/2016 at 11:30 AM o'clock in the New York parish co urthouse. Your case is before Judge Corinne Heh in courtroom 182.
You will find it most handy to park on the 015, 027. Judge Corinne Heh's courtroom is on the third floor.
This is a hearing on Western Connecticut State University Violation Ref. 1A12628045.
Please be present for this. If I can be of assistance, please do not hesitate to contact me.

Kind Regards,

 Digital Signature

Feldman, Kramer & Monaco, P.C.
Matthew Siesel.
Tel.: 866-215-8234.

----

Summons Message 2


To: <User Name>
From: Yvonne Safar <bzetting@cox.net>
Subject: Steven Rosenberg - Testimonial Subpoena Letter
Date: Thu, 28 Apr 2016 00:27:51 +0800
<User Full Name>
152 West St Ste 3
Danbury, CT 6810
RE: CT-9450399

Dear <User Full Name>,
Your case has been set for hearing/trial on 5/5/2016 at 1:30PM o'clock in the Danbury parish co urthouse. Your case is before Judge David Wong in courtroom 166.
You will find it most convenient to park on the 017, 029. Judge David Wong's courtroom is located on the first floor.
This is a hearing on Western Conn Healthcare Inc Complaint No. 1A33889144.
We strongly advise you to be present for this. If you require any further information, feel free to call.

Sincerely,

Convery, Thomas V. Attorney
Yvonne Safar.
T.: 800-504-7547.

RE: IT Service Help Desk

Reported on 4/20/2016

This phish is a real winner. It got through Microsoft's Spam Filters and into several mailboxes. We had to read the body of the email twice to really appreciate the skill that went into crafting it. It is definitely a phish, but what gives it away?

Well, let's start with the first red flag, the email address of the sender: They are at Napier University in the UK. Why on earth would someone from a university in the UK be writing to tell us to update our email? Would you have paid any attention to that, though? Or would you have read the email and clicked the link? Be honest, now. All those spurious improvements sound good.

Then there are three more red flags in rapid succession: the generic "All Employee\Staff" greeting, followed by a blind link and a deadline (immediately.) The link would drop anyone who clicked it into a webpage on Tripod, a free website builder that offers web hosting, too.

The final red flags are the inaccurate signature and the 2015 date.

What about all that disclaimer text at the bottom? Surely that would have tipped anyone off! The spacing in the actual email was enough to make it easy to miss unless you scrolled down. The disclaimer would have been especially easy to miss on a phone or a tablet.

A shout out to AM for reporting this message - thanks, AM!

From: False Identity <F.Identity@napier.ac.uk>
Date: Wed, Apr 20, 2016 at 1:39 PM
Subject: RE: IT Service Help Desk
To: False Identity <F.Identity@napier.ac.uk>


To All Employees\Staff,


Take note of this important update that our new web mail has been improved

with a new messaging system from Owa/outlook which also include faster usage on email,

shared calendar,web-documents and the new 2016 anti-spam version.

Kindly use the link below to complete your 2016 Outlook Webmail User authentication form.

CLICK on Outlook Web Access [link removed] to update immediately.


Regards,
IT Service Desk Support
02-2-2015

(About four inches of blank space was removed here.)

This message and its attachment(s) are intended for the addressee(s) only and should not be read, copied, disclosed, forwarded or relied upon by any person other than the intended addressee(s) without the permission of the sender. If you are not the intended addressee you must not take any action based on this message and its attachment(s) nor must you copy or show them to anyone. Please respond to the sender and ensure that this message and its attachment(s) are deleted.

It is your responsibility to ensure that this message and its attachment(s) are scanned for viruses or other defects. Edinburgh Napier University does not accept liability for any loss or damage which may result from this message or its attachment(s), or for errors or omissions arising after it was sent. Email is not a secure medium. Emails entering Edinburgh Napier University's system are subject to routine monitoring and filtering by Edinburgh Napier University.

Edinburgh Napier University is a registered Scottish charity. Registration number SC018373

If you were caught out by this phishing message, change your password and run your anti-virus and anti-malware software. Contact the EITS Help Desk and report the message or forward it as an attachment to abuse@uga.edu.

Update Alert!

Reported on 4/17/2016

One of our own has been compromised by the recurring "Update Alert!" phishing scam. We have looked at the red flags for this message a couple of times, so let's look at the actual message content for meaning (if there is any.)

At a glance we wondered if there is a webpage out there for randomly composing phishing messages - like random story generators, or the pages where you can enter a few words and get a dozen possible band names or a set of song lyrics. Then we decided to break this phish down line by line and supply possible solutions to each line.

"We temporarily locked your mail account from sending messages" - So try sending a message to yourself or a friend. Did it work? Yes? Not locked! Delete the phish.

"Our system has detected unusual virus in your Folder" - Our email provider, Microsoft, would not just send you a message to let you know you have a virus in your email folder. They would disable links and other functionality, like the ability to download an attachment or a virus. Decide this is a phish and delete it.

"We advice you to empty your trash folder" - If you think it needs it, then by all means empty it. Just don't do it just because this phishing email told you to. Once your trash folder is tidy, delete the phish.

"Update your email account for Security maintenance and protection of your email from virus attacks." - This one has a double whammy. If there are security-driven updates, they are unlikely to be put into effect by you updating your account. But you are constantly told to keep your computer up to date. So which is it? Well, when it comes to updating your email account, you need to use your UGA MyID and password - two things EITS will never ask you to provide - to log in to a form or webpage. You can contact the EITS Help Desk to see if this message is legit if you need to. Or you can just delete it.

"We recommend that you update your account to avoid termination." - EITS is not going to terminate your account unless you A) Fall for a phishing message (and then it's only temporary) or B) graduate/retire/leave the University. Laugh at the silly phishers and delete the message.

"UPDATE Click Here" - If you hovered your cursor over this link in the original email, you would have discovered that it went to a totally fake looking URL. Unfortunately, most people just see the link and click. But not you. You deleted the email, right?

"The System Administrator Management Team" - This team would be the team that managed the people that managed our system. If they existed. And they don't. Even if they did, they probably would not be writing to tell you that you needed to update your email account. Shake your head, shrug your shoulders and hit the 'X' to delete the phish.

"Copyright© Admin Webmail Inc" - The copyright symbol is an attempt to make this message seem important, official and real. If you have not done so, delete the email.

From: Sender Name <Sender Name@uga.edu>
Date: April 17, 2016 at 8:11:04 AM EDT
Subject: Update Alert!


We temporarily locked your mail account from sending messages, Our system has detected unusual virus in your Folder, We advice you to empty your trash folder and Update your email account for Security maintenance and protection of your email from virus attacks.


We recommend that you update your account to avoid termination.


UPDATE Click Here [link removed]


Thanks,
The System Administrator Management Team.
Copyright© Admin Webmail Inc

Alert from helpdesk

Reported on 4/16/2016

This phish is almost insulting. Why? The sender is at Tulane, asking us to update our UGA mail, and the IT service desk is at FSU. Three universities in one phish. I certainly hope no one on campus was caught by this message.

I have no more words.

Wait! I found some. (You knew I would.)

If you did get caught up in this scam, please contact the EITS Help Desk and let them know. There is a first time for everything. Getting fooled by phishers is forgivable and even understandable - just take some time to learn about phishing so you don't get caught again. If you're here, you're off to a good start.

Phishers gonna phish.

From: LastName, FirstName [mailto:FNLast3@tulane.edu]
Sent: Saturday, April 16, 2016 12:29 PM
Subject: Alert from helpdesk

Your University E-mail account will be shutdown due to several negligence of emails regarding mailbox upgrade. To avoid this please click HERE [link removed] and verify your UGA email account.

Regards,

ITS Service Desk
© The Florida State University, 600 W. College Avenue, Tallahassee, FL 32306 | Privacy Policy | Copyright

Account Notification

Reported on 4/8 - 4/11/2016

Well, we have seen this phish before, and will likely see it again. Other universities have reported the same phishing scam several times this year as well.

As you can see, the Sender Name has been replaced. That means that someone on campus fell for this scam and gave their credentials away. Now, their UGAMail account has been compromised and is sending out these phishing messages to people in their address book.

We have received a good whiff of this rotten phishing message, now let's take a closer look.

Jargon, jargon and more jargon: What does this message even mean? "Certificate", "delivery configuration", and "account POP settings" are all used to confuse you. (Red flag!)

Awkward! Mixed cases, lame punctuation and awkward sentences like these do not belong in a professional message. So it's unlikely to be legit. (Red flag!)

One sketchy looking link: We removed the link to protect the innocent (and keep them from clicking on it by mistake!). It went to a fake webform at a web address that did not look anything like UGA page URL. (Red flag!)

Who the heck are the "uga Webmaster Team" and what have they done to EITS? (Red flag!)

All snarkiness aside, Phish Spotters, the reason someone fell for this phish is probably simple: They were in a hurry.

Why do we think that?

The email was sent on a Friday. The recipient of the phish, Phish Victim Zero*, probably got it on Monday. They skimmed the email, got a little freaked out by the jargon and thought it was official. They went to the webform and filled in their information.

* And that's Phish Victim Zero like Patient Zero - the first person to succumb to the phishing scam. Phishing's not just endemic in universities; it's everywhere. Once your account is compromised, the consequences of being phished can spread through your address book. Okay. So comparing phishing to a virulent disease might be a bit over the top. But then again, the metaphor works.

So, inoculate yourself against phishing scams. Look for Red Flags. Run through the Who, What, Where, Why and When routine (especially that What do they want you to do part.)

From: Sender Name <sendername@uga.edu>
Sent: Friday, April 8, 2016 1:17 PM
To: Sender Name
Cc: Sender Name
Subject: Account Notification


Your uga account Certificate expired on the 09-04-2016, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.
To validate your uga mailbox, Please take a second to update your records.

click here: unsecured_fake_webform_at_jimdo  

Your uga account will work as normal after the verification process, and your Account Certificate will be re-newed.

Sincerely,

uga Webmaster Service

Another shout out is due to the good people at Jimdo - they are always responsive and willing to help us shut down phishing pages that the "bad guys" put up on their site.

WEB ADMIN

Reported on 3/31/2016

Phish spotters assemble! Today we face an insidious evil menace — fortunately not unlike one we have seen before.

Here we have a phish that appears to come from an internal UGA email account. The address is spoofed to look legitimate and to fool our email system into thinking it has come from a trusted source. This is a very dangerous email in the hands, um, the inbox of the untrained. Why?

  1. It comes from the "UNIVERSITY OF GEORGIA"
  2. It has an official looking email address "admin@uga.edu"
  3. The inexperienced tend to trust "Admins" because they have authority
  4. It contains jargon to make it sound official
  5. It has an official looking link to an official looking webpage
  6. The URL had an official looking "uga" web address (we removed it) that went to - ugavalidationportal.c0.pl/cas.uga.edu (UGA is in there twice!) If you know how to read URLs you know that the website is supposedly in Poland.
  7. It contains a scary warning about limited access to UGAMail
  8. That signature looks wicked official with words like "Company" and "LLC" and a date

Expert phish spotters know to take a deep breath. Then take a closer look. This message is waving red flags left and right. What are they?

  1. Wants you to take action (validate your webmail login)
  2. Has a close deadline for acting (implies do it NOW or suffer the consequences)
  3. Features poor grammar and spelling (All staffs and students are require, etc.)
  4. Threatens to remove access to a service (Failure to do this, will result in limited access to your mailbox)
  5. Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request. (Failure to do this, will result in limited access to your mailbox)
  6. Has a generic recipient (Dear UGA webmail user)
  7. Asks you to provide your UGA MyID and password — in the form you click through to
  8. Provides a bogus link to a bogus page with a bogus form on a bogus phishing site. Bogus is such a great word, isn't it? So emotive.

Keep your eyes open!

From: UNIVERSITY OF GEORGIA [mailto:admin@uga.edu]
Sent: Thursday, March 31, 2016 7:22 AM
Subject: WEB ADMIN

Dear UGA webmail user

Due to the new change in our webmail, All staffs and students are require to Validate your webmail login to enable you continue using our mail services. Please click on the link below to validate your email by logging in to your account:


http:// unsecured fake uga portal validation page in Poland that resembles a CAS login page [actual link from the email removed]

Failure to do this, will result in limited access to your mailbox.

Thank you for choosing our UGA Webmail services

Regards,

UGA Webmail VERIFICATION SERVICES

HelpDesk | UGA Holdings Company LLC. @ 2016

March 28, 2016

Reported 3/28/2016

Our expert phish spotters are working overtime!

We have gotten dozens of reports of the "March 28th" phishing message along with the usual "Upgrade Your Email" and "Your email storage is almost full" messages over the last two or three days.

It's almost like the phishers know many of us would be out of town for Easter and wanted to fill up our email baskets with tasty phish! Oh. Wait. They did know.

Look for the red flags - they are all there.

Sadly, someone here at the University fell victim to this phishing attempt. We have to wonder how. Were they in a hurry? Did they just get back on campus and think the message could be legit? Or were they just trying to do the right thing to keep their email access?

From: Sender Name <sendername@uga.edu>
Sent: Monday, March 28, 2016 10:03 AM
Subject: March 28th 2016
To: Sender Name <sendername@uga.edu>>


Message From Help desk, we notice some unusual sign in of your account from another browser, for protection we advise you to kindly Click Here [link to fake form at Weebly removed] and fill up the form below, for security reasons,
failure to do so, will lead to account blockage,
Fill up the form below and submit,
Message from Help Desk.

Daily Campus Bulletin for March 14, 2016

Reported on 3/23/2016

This attempt is rather clever — and draws on our human curiosity to coax us into clicking the link the phishers provide. The "Daily Campus Bulletin" is entirely fake — but if you don't know that UGA does not have one, you just might fall for this phish.

We removed the link to the webpage supplied — going there would probably have dropped malicious software, most likely a key logger. Key loggers are designed to track every move made by anyone using the computer they infect. So, even if you did not fill in a form with your UGA MyID and password, it would have been only a matter of time before your computer transmitted that information to the phishers. Not to mention your bank login, your credit card login, your Amazon login... need we go on?

And asking you to pass the email on to your friends? Whoa. That's low. Phishers gonna phish.

From: Sender Name [mailto:sendername@nch.org]
Sent: Monday, March 14, 2016 6:54 AM
To: Same Name as Sender
Subject: RE: Daily Campus Bulletin for March 14, 2016‏


Click the following link to view today’s Campus Bulletin:

Click Here on: > Daily Campus Bulletin for March 14, 2016 [link removed]

Kindly forward this update to all your friends on your contact as this is the new development on daily bulletin.

Connected to Microsoft Exchange,
© ADMIN TEAM 2016

Anti-Spam

Reported on 3/21/2016

We have seen so many of these phishing emails that we are surprised there are any left in the sea.

It's ironic that one of the phish spotters to report this actually had logged in to their account from an IP address they had never used before. So, join me in a shout out to KRP, who not only reported the problem, but avoided taking the bait and giving away the UGA login credentials the phishers were after.

Now seems like a great time for me to mention that 2016 looks like it is set to be the year of the Business Email Compromise (BEC). What's that got to do with a phishing email in your UGA account? Good question. Consider this:

For faculty and staff, UGAMail is your business email account. As employees of this institution, we send and receive email that has to do with the business of running the University and the business of meeting our obligations as staff and faculty.

When you consider the wealth of information that a successful phishing attack could win for an online criminal, it really starts to make sense. Just think about all the personally identifiable information that UGA handles (potential students, current students and alumni!). Pair that with financial information, research information and valuable data-based learning resources and things start to add up.

Your UGA credentials are valuable, y'all! Protect them.

From: Sender Name <sendername@uga.edu>
Date: March 21, 2016 at 1:59:12 PM EDT
To: "Info@someplace.com" <Info@someplace.com>
Subject:Anti-Spam

Dear UGA User,

 Alert from UGA Service Desk, Our latest IP Security upgrades discovered an irregular Login attempts on your email account earlier today from unknown location with this IP: 11.177.214.20. We recommend that you validate your account to avoid suspension. CLICK HERE [link removed]

Thank You.

EITS - Enterprise Information Technology Services UGA Admin

Copyright © 2016 Admin All rights reserved.

Spring Break - A Busy Week for Phishing

With practically everyone out of town, or at least off campus, the phishers have been ramping up the attacks and casting wide nets. There have been several interesting phishing attempts aimed to get our attention while we are distracted by Spring Break and the beautiful weather. Let's take a look at some recent examples submitted by our expert phish spotters.

Remittance Advice Ref:BOA0190289001USA

New Invoice #2109-1

Reported on 3/10/2016

These two messages are of the sort we don't see as often as we used to. They both came with attachments that may be carrying a payload of malicious software. If you download the attachment, the software installs. If you fill in the form and return it to the sender, they get the bonus of free and easy access to your login credentials while their software steals everything else.

Much of the time phishing emails of this type are flagged by Microsoft Outlook before we get to see them. That means the phishers were clever enough to craft an attack that actually got through to our UGAMail accounts.

In both these messages, the phishers call on our curiosity to prompt us to open the attachment. In the first message we are told we have money; in the second we are told we owe money. Both are designed to make us think, "Huhn?!? What's this all about?" and open the attached file.

The messages are actually fairly well constructed. Although the first one with its "Dear Sir/Ma" is extremely odd, they did manage to spoof a Bank of America email address to seem credible. All that aside, imagine how you would feel, just back from vacation, tired and mostly broke. Would you want to see who sent you money? I would.

The second message is worth a closer look. One of the first things that should catch your eye and set your phishy senses tingling is mention of "your account". Nowhere does it identify which account, or with what business. The sender is in Russia, so most of us would probably think twice before opening that attachment.

Message 1

From: From Bank of America www.bankofamerica.com [mailto:Person@bankofamerica.com]
Sent: Thursday, March 10, 2016 12:03 PM
To: Username
Subject: Remittance Advice Ref:BOA0190289001USA

Dear Sir/Ma,

This is to notify you that the payment instruction we received has been processed through Bank of America into your account that was provided.

Please find the remittance information.

Wire Confirmation No: BOA0190289001USA

Transaction Status: Completed.

Attached to this email is the secure payment receipt from Bank of America. For secure access, You are required to download and authenticate by verifying your email and password via the attached outlook document file transfer page to gain secure access to the receipt.

Let me know when you have it and please confirm the details.

If you are unable to view the file, do not hesitate to contact me.

Regards,

Person,
Bank of America
Payment Processing Unit,

www.bankofamerica.com<http://www.bankofamerica.com>

***************************************************************************

This message contains confidential information and is intended only for the addressed recipient.

If you are not the addressed recipient, you should not disseminate, distribute or copy this e-mail.

***************************************************************************

Message 2

From: Person [mailto:Person@rambler.ru]
Sent: Thursday, March 10, 2016 1:52 PM
To: User Name <username@uga.edu>
Subject: New Invoice #2109-1

This email is being sent in order to inform you that a new invoice has been generated for your account. Please see the attached file.

Thank you.
Person

RE: Faculty & Staff Admin Note.

Authenticate Your UNIVERSITY OF GEORGIA Webmail

Admin update

Reported on 3/7/2016 -3/10/2016

This trio of phishing messages has been reported dozens of times this week. They are fairly run of the mill and one or two of them are variations on themes we have seen before. So what makes them special enough to get more attention here on the Fresh Phish page? Their timing.

All these phishing messages will be lurking in the email boxes of Faculty, Staff and Students returning from Spring Break. What a great opportunity for the phishers to catch some victims unawares.

Imagine stumbling in, tired from a long flight, exhausted from a drive that took more time than you thought it would and deciding to wind down by a quick look at your email. Just to make sure nothing needs your attention before a well deserved night's rest. And then you find out your password is about to expire, your account will be locked down, your email has been compromised or you have messages stuck in a pending loop.

Would you click on one of the links? The links here have been removed, but in all the messages they pointed to a URL that included either uga-edu, webmail, 365, itservices or outlook as part of their construction. Mousing over the links with those words in them could fool a tired person into cooperating with the criminals.

Message 1

From: Off-campus User <ocuser@atlanta.k12.ga.us>
Sent: Monday, March 07, 2016 8:39 AM
To: Off-campus User
Subject: RE: Faculty & Staff Admin Note.

Attention,

Your Password Expires in 2hour(s) You are to change your Password below via the ACCOUNT MANAGEMENT PAGE.

Click on CHANGE-PASSWORD [link removed]

If Password is not change in the next 2hour(s) Your next log-in Access will be declined.


Regards,
IT Services

Many Thanks,

Message 2

From: User Name <username@uga.edu>
Sent: Friday, March 04, 2016 1:44 PM
To: Same User Name <username@uga.edu>
Subject: Authenticate Your UNIVERSITY OF GEORGIA Webmail

We noticed spam in your UNIVERSITY OF GEORGIA webmail account. Our system has detected unusual virus in your Inbox and trash folder, We advice you to empty your trash folder and update your email account for Security maintenance. We recommend that you update your account to avoid Malwares. UPDATE [link removed]


Thanks,
Microsoft Office Team.

Message 3

From: "Off-campus User" <ocuser@uea.ac.uk>
Date: Mar 7, 2016 4:27 AM
Subject: Admin update,
To:
Cc:

Dear Microsoft outlook user you have pending messages click here [link removed] for update and upgrade of your account.

What can we say?  Phishers gonna phish. Don't end up on the hook for clicking a link.

And welcome back from the break, all y'all!

Reupgrade Your Outlook Account

Reported on 3/1/2016

Dear Phish Spotters, I commend each and every one of you who reported this message. The ranks of UGA's expert Phish Spotters are growing, thanks to your efforts. Yet one of our own has been hooked.

This phish is an oldie, but sadly, still effective. And honestly, I am not sure why. The red flags are all there. Do we need a new way of looking at these emails? Should we approach possible phishing emails more analytically? Let's try looking at/for the red flags differently:

  • Who? - Who sent the email? Who is it addressed to? Who is in the greeting? Do the names match? Do they make sense?
  • What? - What is the email about? What does it want me to do? Does it want me to click a link or download a file?
  • Where? - Where does that link point to when I hover my mouse pointer over it? Is it a UGA website? Does it look strange?
  • When? -  When am I expected to respond? Is my response supposedly required to keep a service active? Or restore a service?
  • Why? - Why am I expected to respond? Does it seem like a legitimate problem or request?
  • How? - How does the message make me feel? Am I feeling anxious? Rushed? Panicked? Manipulated?

Are you tired of all these questions? We are too, but we have to keep asking them so we don't get hooked. Phishers gonna phish.

From: Sender Name <sendername@uga.edu>
Received: 3/1/2016 16:20:29 -05:00
To: inf.o@uga.edu
Subject: Reupgrade Your Outlook Account


Your UGA outlook mailbox has exceeded its storage limit to set your e-mail administrator, and you will not be able to receive new mail until you re-validate it.

Click HERE [linkremoved] and login your email.

and login your information to re-validate your email account.

Thanks

2016 UGA
Help Desk Administrator

EITS will not ask for your username and password in an email (it's not secure!) and all changes to your credentials will happen through the EITS MyID Tools and Information webpage.

Subject: (blank)

Reported on 2/26/2016

In spite of the efforts of our expert phish spotters, it looks like several people on the UGA campus have been caught in this phishing attempt. We are seeing email addresses from other campuses, as well — all addressed to the spoofed "upgrade@uga.edu" email address.

Let's step back for some phish spotting 101. The top five red flags are all there.

  • Wants you to take action (Click a link.)
  • Has a close deadline for acting (Implies as soon as possible.)
  • Features poor grammar and spelling (Wonky punctuation and "response from Administrator".)
  • Threatens to remove access to a service (Sort of inside out loss of service — they are supposedly holding your messages.)
  • Tries to trigger an emotional response — such as panic — to goad you into responding with the information they request. (This message is a tantalizing soft sell, designed to make you feel anxious. You want those messages.)

The CLICK link points to a form on Jimdo and has nothing even remotely like a UGA web address.

Take a look at the header for this message, too. You need to remember to ask yourself who the sender of the message is, and how they are affiliated with your UGAMail provider. It's easy to look someone up at the UGA website. In this case the answer was "absolutely nothing." So why would you want to give this person your Username and Password?

Remember: It's up to you to keep your credentials safe. Don't give them away.

From: Sender Name [mailto:sendername@uga.edu]
Sent: Friday, February 26, 2016 12:34 AM
To: upgrade@uga.edu
Subject:

Your incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK [link removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.

Warm Regards,

Help-desk Administrator.

If a form looks funny, or a URL seems wrong, or you get a funny feeling about submitting your Username and Password, don't do it. Trust your feeling. And check with the EITS Help Desk (706-542-3106).

EITS will never ask for your Username and Password in an email.

Upgrade Your Account

Dear E-mail User

Your Uga.edu account Certificate expired on the 12-02-2016

Reported on 2/13/2016 and 2/14/2016

Oh, my. Feel the love from those phishers - Valentine's Day really brought them out! We received so many reports on these three messages from our expert phish spotters (<3 y'all!) that if phishing email was chocolate, we'd be in a sugar coma.

Every one of these messages has the standard red flags. (If you don't know the red flags, see "What is Phishing Email" on our Phish Tank page.) The grammar is particularly wretched in Message 2.

Let's focus on links in these three messages. You've probably noticed that the phishier messages did not even bother to hide the links behind a CLICK HERE. The one message that did, linked to the destination, a page at Jimdo. Ok. I have got to take a sec to state that the folks at Jimdo have been extremely responsive to our requests to shut down these phishing pages: they are on top of things.

But this brings us to two points that need mentioning. Ready?

Point one: There are sites that host phishing pages. Some, like Jimdo, are legit businesses that are both responsible and responsive, and actively work with us to shut down the bogus pages. Why do I bring this up? Because you need to know that even trusted businesses may host malicious content.

Point two: phishers tend to take advantage of holidays, big sports events and disasters. Now, it could be a coincidence that this flood of phishing email came on Valentine's day weekend. Or might the phishers have been trying to get to us when we were all distracted by thoughts of romance? I bet on the latter.

We have two big events coming up this year; the Election and the Olympics. Be on the lookout for phishing email related to both. Phishers gonna phish.

Message 1


From: Sender <sender@uga.edu>
Date: February 14, 2016 at 12:44:05 PM EST
To: Same Sender<senderuga.edu>
Cc: Same Sender<senderuga.edu>
Subject: Upgrade Your Account

Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE [link removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding

=====

Message 2


From: IT SERVICE DESK <sender@siu.edu>
Subject: Dear E-mail User,
Date: February 12, 2016 at 11:58:58 PM EST
To: Recipients


Dear E-mail User,

Due to database maintenance that is happening in our webmail message centre, we are currently deleting ALL inactive and hacked E-mail account from our email account database, with this new improved security software it will provides our users with a new security system to protect our users from getting their E-mail accounts hacked.

We recommend that you update your account now to avoid termination or account DE-activation.
CLICK ADMIN SYSTEM [link removed]
to verify your webmail account.or Copy paste link for upgrade
"info-webmail-hlpedu.jimdo.com" [link removed]

We are sorry for the inconvenient.
Thank you for your support!
Sincerely,
The IT SERVICE DESK
The Official Email Provider of the Conservative Movement™
Please keep this email – it contains all of your important links:

This email has been sent from a virus-free computer protected by Avast.

=====

Message 3

From: Sender
Sent: Friday, February 12, 2016 2:53 PM
Subject: Your Uga.edu account Certificate expired on the 12-02-2016


Your Uga.edu account Certificate expired on the 12-02-2016, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.


To re-new your webmail Certificate, Please take a second to update your records by link below or copy and paste link


"ug-ed-uga.jimdo.com" [link removed]


Uga.edu account will work as normal after the verification process,
and your webmail Certificate will be re-newed.


Sincerely,
Mail Service Team

Outlook / Exchange email

Reported on 2/1/2016

We saw our fair share of 'you have reached the storage limit on your mailbox' phishing messages this week. Y'all know those are fake by now, right? And, yes, that includes the ones with a yellow capacity status bar.

Then, we got a really interesting phishing attempt with a bit of a spin. It was limited in the number and types of people who got it. Instead of casting a wide net, the phishers who sent this were after bigger fish.

Take a look at this beauty. It is well organized, well written and reasonably believable. In fact, it is done well enough to distract some recipients from the red flags. We had to look the message over carefully to catch them all.

  • The sender and the recipient are the same
  • There is no greeting — just an authoritative ATTENTION
  • February is misspelled
  • A link for you to click — before we removed it, it connected to a page at 'sitesumo'
  • An odd slip in instructions — "prior before"
  • The threat of losing all the "information's" in your mailbox
  • No sign-off

The sly inclusion of Department at the end was a nice touch, too. That added a little more "officialness." Not.

The expert phish spotter who sent this our way definitely deserves a shout out. So, a big thank you, LC, is in order!

From: Sender
Sent: Thursday, February 04, 2016 6:15 AM
To: Same Sender
Subject: Outlook / Exchange email

ATTENTION

Impacted Groups: 2016 Outlook/Exchange Users

Monday Feburary 1, 2016 from 07:00pm to 2:00am

If you are receiving this message, the Outlook / Exchange email servers that provide your email service will undergo scheduled maintenance tonight, Feburary 1, 2016 from 07:00pm to 2:00am

Please Click here [link removed] and log in to your Outlook client prior before 07:00 PM today to enable auto backup of all information's on your mailbox, if you do not log into the auto backup portal, you may lose the connection to your mailbox including all your information's during the maintenance.

If you find it difficult to send or receive messages from your Outlook client after the maintenance period, or tomorrow morning, please close Outlook and then log in again.

We regret this inconvenience and appreciate your patience.

----------------------------------------------------------------------------
PLEASE DO NOT REPLY DIRECTLY TO THIS MESSAGE.

This is a Broadcast e-mail sent on behalf of the Sender and/or Department. If you
wish to respond, please follow the contact instructions in the message ONLY.

It's obvious that UGA must sometimes perform maintenance on its systems. We try to limit the impact on campus as much as possible. And we try to let you know ahead of time that something is going on.

EITS posts its scheduled maintenance work on its Systems Status website (status.uga.edu). So, if you ever get a message like this you can check the Systems Status Page to see if something really is going on.

IT DESK

Reported on 1/25/2016

This phish takes a slightly different approach than most others. By presenting itself as a security measure, the message tries to earn your trust and dupe you into providing the information the phishers want.

The red flags are still there:
  • Wonky from, to and cc addresses - this message was sent from a named individual and not the EITS Help Desk.
  • The subject is rather generic and not the sort EITS would use.
  • The body of the message has some odd punctuation.
  • An official email would not lack spacing,
  • It describes a loss of service. (You can't send email.)
  • It asks you to do something. (Go to a page and verify your account.)
  • The link is 'hidden' with a CLICK HERE. (Mousing over the link in the original message revealed a 'weebly.com' address.)
  • An official communication about UGAMail would have used the correct spelling.

And - EITS is not going to ask for your email account details in an email. Nor will EITS send you a link to a form to fill out with your account details.

There is one simple way to check whether your UGAMail is blocked from sending messages.

Think about it....

Email yourself!

See if the message sends. It's not something we do every day, but the process is the same whether you send a message to a different email account or back to yourself in your UGAMail account. Or you could send a message to a colleague and go ask if they got the email.

From: Sender Name
Date: Monday, January 25, 2016 at 11:16 AM
To: Same Sender Name
Cc:  Same Sender Name
Subject: I T DESK

We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your UGA mail box account, We recommend you to [ CLICK HERE ]  [link removed] and verify your uga.edu mail account and always exit your UGA account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.

Warm Regards,

Helpdesk Administrator.

Thanks to the phish spotters who reported this to us and to TC who landed this beauty with ease. It's great to have so many expert anglers on our team!

Remember every day is phishing season. Even if you think you're just small fry in the big UGA pond, your username and password can make a great catch for a cyber criminal.

Don't get caught!

University E-mail Upgrade

Reported on 1/21/2016

OK, y'all. The phishers are at it again. And it's unfortunate that at least one of us fell for this scam — especially since it's such a basic attack that plays on a lack of knowledge. Let's take care of that right now by giving you the information you need to avoid being fooled by an email like this one.

Did you know that every Outlook mailbox (which powers UGAMail) has 50 GB of storage? That imaginary account quota of 250 MB of storage is so 1990!

Did you know that you can see your mailbox quota? It's easy peasy. To do so, log into your UGAMail account, then do the following:

  1. Click on the Gear icon in the upper-right corner of this window.
  2. Choose Options.
  3. Under the Account tab, you will see a heading titled "Mailbox usage," which displays how much space is being used.

If you are using the Outlook desktop client, just click the File tab and the info is in your account information under Mailbox Cleanup.

As an added note, remember that you can position your cursor over an email link (don't click it!) and the link destination will appear. In the case of this phish, the CLICKHERE link pointed to a page at "jimdo.com". If this had been a legitimate email from the EITS Help Desk, the link would have taken you to a page at "uga.edu."

So. Keep on checking your red flags. This email has several — foremost being grammar, a threat of loss of service, a call to action and a mismatch between sender and message. And keep on avoiding being fooled. Phishers gonna phish.

From: User Name <user.name@uga.edu>
Sent: Thursday, January 21, 2016 5:55 PM
To: User Name <user.name@uga.edu>
Subject: University E-mail Upgrade

You have exceeded your University E-mail account limit quota of 250MB your email will be disable in 48hrs due to several negligence of mailbox upgrade. To avoid this please CLICKHERE [link removed] and verify your UGA mailbox

Subject: Re:

Reported on 1/3/2016

Welcome to the first Fresh Phish post of the year!

This phishing attack is scary good!

We have removed the recipient’s name to protect the innocent. Dr. Name gets a big shout out for being an expert phish spotter who got this message to their departmental IT staff right away. And a thank you to DF for making sure we got a copy of this email for the Fresh Phish page.

This phishing email is well crafted and extremely difficult to spot. It uses an appeal for assistance with research as a springboard for phishing. The email gets a “they’re playing hardball” bonus for also including a fake CAS link.

What makes this phish so good?

  1. The recipient, Dr. Name is an actual professor here at UGA.
  2. Dr. Name is also a published researcher with articles at the Science Direct website (link #2.)
  3. The alleged sender is an actual person at the University of Alberta. His signature was spoofed using legitimate contact information.
  4. Both Dr. Name and the alleged sender are involved in engineering.

Talk about some chutzpah! The phisher found an actual person, in a matching discipline and used actual contact info – with one tiny, almost unnoticeable change - in a forged signature. Can you spot the change?

It's this: University of Alberta email addresses are @ualberta.ca; our phisher left out an ‘a’, so the email address reads @ulberta.ca instead. We almost missed it.

If you look for other red flags there isn’t much to find. The subject is a little odd and should make you pay attention to the rest of the email. Why? Because 'Re:' most frequently appears in a reply to a previous message.

The double greeting is weird, too. NAME being in all caps is quirky, but not a red flag. The grammar is pretty good – a missed word and an incorrect pronoun are the sorts of mistakes anyone can make if they are in a rush. Your phishy senses may be tingling, but you may not feel alarmed at this point.

So where is the real danger? In the first link.

Take a careful look at those links. See the fake CAS link in the first one? Can you spot the double http:// notation? Very sneaky. With the Science Direct (International Journal of Engineering Science) article link at the end, Dr. Name could potentially have clicked the link to see which article was being requested.

The link would have taken Dr. Name to a fake CAS webpage where they might have logged in without thinking and given away their credentials. The CAS is used for so many UGA services that it’s easy to be lulled into making a mistake if you are not paying attention.

Fortunately, Dr. Name was.
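As an added illustration, not code from the Fresh Phish page or from any UGA/EITS tool, here is a small Python script that performs the same checks a careful link hover does. It decides whether a hostname really belongs to the domain it appears to (cas.uga.eduh.in merely starts with cas.uga.edu; it is not under uga.edu), notices a second URL embedded after the first http://, and measures how close a sender's domain is to a known one, which is how the missing 'a' in @ulberta.ca shows up. The sample URLs and addresses are the ones quoted in this post with the "http:/ /" spacer removed; the list of known institutional domains is an assumption made for the example.

```python
"""Link and sender checks for the phish described above.
Added example, not code from the Fresh Phish page or from UGA/EITS.
Sample URLs and addresses are the ones quoted in the post; the
known-domain list is an assumption made for this example."""
from urllib.parse import urlsplit, unquote


def host_in_domain(host: str, domain: str) -> bool:
    """True only if host is domain itself or a real subdomain of it.
    A prefix or substring test would wrongly accept cas.uga.eduh.in."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze_link(url: str, expected_domain: str) -> list:
    """Return red flags for a link, given the domain the link text or
    context claims it belongs to (a CAS login page -> uga.edu).
    Flags are returned as data so a caller can log or assert on them."""
    flags = []
    host = urlsplit(url).hostname or ""
    if not host_in_domain(host, expected_domain):
        flags.append("host-not-in-expected-domain")
    # Everything after the first "://" is path/query/fragment; a second
    # "://" there (after percent-decoding) means another URL is embedded,
    # the "double http://" the post points out.
    rest = unquote(url).split("://", 1)[-1]
    if "://" in rest:
        flags.append("embedded-url")
    return flags


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, known: tuple, max_distance: int = 1):
    """Return the known domain that `domain` is a near miss of, or None
    if it is either an exact match or not close to any of them."""
    domain = domain.lower()
    if domain in known:
        return None
    for k in known:
        if edit_distance(domain, k) <= max_distance:
            return k
    return None


def sender_domain(address: str) -> str:
    """Extract the domain part of an e-mail address, tolerating the
    'addr<mailto:addr>' form that mail clients sometimes paste."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


if __name__ == "__main__":
    # The two links from the quoted message, spacer removed.
    cas_link = ("http://cas.uga.eduh.in/cas/LoginPage.php?"
                "http://www.sciencedirect.com/science/article/pii/S0020722515000397")
    article_link = "http://www.sciencedirect.com/science/article/pii/S0020722515000427"
    print("link 1:", analyze_link(cas_link, "uga.edu"))
    print("link 2:", analyze_link(article_link, "sciencedirect.com"))
    # Assumed list of institutional domains our correspondents use.
    known = ("uga.edu", "ualberta.ca")
    print("sender:", lookalike_domain(sender_domain("sender@ulberta.ca"), known))
```

The expected-domain argument is the domain the link presents itself as belonging to, which is the judgment a human makes when hovering: a page that asks for a CAS login should sit under uga.edu, while the second link only claims to be a Science Direct article and is checked against that domain instead.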

From: "sender@ulberta.ca<mailto:sender@ulberta.ca>"
Date: January 2, 2016 at 8:28:29 AM EST
To: <recipient@uga.edu<mailto:recipient@uga.edu>
Subject: Re:

Hi

Dear Dr. NAME;

I recently read your last article and it was very useful in my field of research.
I wonder, if possible, to send me these articles to use in my current research:


1- http:/ /cas.uga.eduh.in/cas/LoginPage.php?http:/ /www.sciencedirect.com/science/article/pii/S0020722515000397 [link removed]


2- http:/ /www.sciencedirect.com/science/article/pii/S0020722515000427 [link removed]


Thanks for you Cooperation in Advance.


Sender Name
Department of Engineering
University of Alberta
Edmonton, AB
Canada T6G 2R6

Additional Resources