This archive contains examples of actual phishing emails received at UGA in 2016.
The archive starts with the first email reported to Fresh Phish in January 2016. Each entry includes a discussion of the phish and the red flags in that particular message.
These examples are being archived as a way of demonstrating that the more phishing changes, the more it stays the same. The message subjects may shift from time to time, but they tend toward certain types. And some messages are classics, used again and again, with only minor alterations.
You can also view phishing emails from 2017.
Reported on December 29, 2016
Happy New Year! Welcome to 2017 and Fresh Phish's first phish of the year. Well, technically, it's the last phish of 2016, but who's counting?
We're sure you noticed that we changed the sender's information so it probably came from an UGAMail address. So, yes, someone's email may be compromised. (We're on it!)
This message is a bit different from the typical phish. Instead of leading you to believe that you need to take action to start something, this phish claims you have already started a process. You now have to take action to stop something!
Things to consider:
Clicking through to the file linked in this message could create all sorts of havoc. It may provide a form to use to give away your personal information. Or it may contain a virus that can track your movements online, gather your online account login data or corrupt your computer/device.
Only you can prevent successful phishing attempts. Don't get caught.
To Staffs, Employees & Students,
Your request to discontinue your Mailing & Library Access would be processed soon, this is an acknowledgement mail, if you believe this was done in error or mistakenly, kindly see below to cancel now;
CANCEL REQUEST NOW:<link to a .php file hosted in Indonesia removed>
UGA Mail Management.
Reported on December 2, 2016
Okay phish spotters! This one makes us here at Fresh Phish very, very, angry. Why? Because it's a really dirty scam to be pulling on students at any time of the year, but especially nasty during finals. Fresh Phish is feeling salty.
A big shout out goes to ABM (you know who you are!) for bringing this to our attention.
What identifies this message as a phishing scam?
The message carries an implied threat - if you don't do this now, your document won't be submitted, you won't get a confirmation email and you will fail the class. What student wouldn't panic and respond immediatly?
Phishers gonna phish, yo.
From: BlackBoard Learn IT < mailtoaprivateperson[@]atu.edu>
Date: Wed, Nov 30, 2016 at 10:31 AM
Subject: New message
To: User Name User Name <username[@]uga.edu>
Dear (User Name username[@]uga.edu),
We noticed your last document did not upload to our servers and your assignment was not submitted.
To ensure you receive a submission confirmation, you must resubmit again.
RESUBMIT MY DOCUMENT [The link to a bogus BlackBoard login page hosted in the UK has been removed.]
Follow the above instructions to confirm successful submission of your documents
MY UNIVERSITY ADMIN
Reported on December 2, 2016
Every once in a while we see a phishing message that looks so real it almost tempts us to click through. This one is especially tempting (see a larger screenshot that will open in a new window).
Anyone who clicks through to "Sign in" is is taken to a CAS look-alike page. If you are not paying attention, you won't notice:
If you click the link and sign in on the CAS page to look at the schedule, ZOMG! Cows!
It sounds pretty funny. Who doesn't love cows. right? Once you get to the page you can doodle around and look at the cows. Some of the photos get mighty up close and personal. 'Udderly' fascinating. And you'll probably forget how you got there, shake your head and get back to whatever you were doing.
But if you filled in Your UGA MyID and Password to get to the cows, you gave away your login credentials. That means a third party - a stranger - is now able to get into your UGA account. You have potentially given away access to the whole UGA network. And that could cause problems for everyone!
We all need to remember that once a phishing email gets into someone's inbox, it's up to them (email account holder) to avoid falling for it. To put it bluntly, if you click the link, provide the info, download the attachment or reply to the message It's all on you.
We do what we can to protect everyone with an UGAMail account by doing things like blocking known phishing sites, but we can't protect people from themselves.
Wondering why we wrote the web link in number 2 as " uga[.]edu"? That's to avoid putting a live clickable link in the post. We do it with email addresses sometimes too - name[@]uga[.]edu. It's prevent people from clicking through or accidently connecting with the University's homepage or an email account.
Forgive us for the lengthy post. There's a tl,dr at the bottom of the post.
With the holidays right around the corner, phishers everywhere are gearing up for jolly seasonal scams and attempting to hook a sucker. It’s time to pay extra close attention to your inbox and your wallet.
In 2015, the Anti-Phishing Working Group (APWG) reported a 48% hike in phishing attempts during November. (The APWG is an international group dedicated to fighting phishing.) They expect to see that big a jump or more this year. True facts.
We're here to chat with you about some of the more popular phishing attacks used during the holiday shopping season. No one wants to unwrap a phishing scam when there are much better presents out there.
Okay. So we are all likely to be in a rush, looking for deals, shopping online and snagging convenient shipping, right? Well, the phishers know that. And they will take advantage of us given a chance.
Phishing scams to be on the lookout for include:
Online shopping can land you in a world of hurt if you fall for a deal that sounds too good to be true. Why? Well if it sounds too good to be true, it probably isn't. It's probably a scam.
Pop up stores are fairly common. They offer great deals on goods that are often out of reach. If you shop with them you give away your credit card number, your personal information, and usually get nothing but a case of Identity theft.
Scams crop up on social media sites too. Fraudulent gift exchanges seem to be a big thing this year. They promise lots of goodies at the cost of your personal information. Volunteer to get presents from strangers? Why on earth would you want to do that?
This is also the big time of year for fake giveaways - like gift cards and shopping vouchers. All you have to do is give a scammer your personal details and a credit card number to prove you are old enough to participate. Then the cards in the mail! Along with a bill for hundreds of dollars’ worth of purchases you did not make, and maybe even information in the credit card you never applied for but seem to have maxed out.
Be alert to fake apps this year. There are loads of them out there. Many claim to belong to big name, or at least well known, retailers. So what's the big deal? Sign up and give away your info. Several want you to associate them with your Facebook account. Doing that not only gives scammers access to a huge amount of your personal data, but can establish an inroad into the data of anyone associated with your account. (Nice present to give your friends, eh? happy identity theft!)
And as if you did not have enough to worry about - be sure to keep a close eye on your credit cards. It only takes a moment to snap a photo of the front and back of your credit card, or jot down the numbers needed to commit fraud. The new chips go a long way to preventing face to face credit card fraud, but those numbers are still super valuable for use in online shopping fraud. Make sure the card you get back is actually yours and review your statements.
Taking a break from the rush? Be super careful when using free Wi-Fi! That open hotspot is open to criminals too. And the password you got from the barista is just permission to access the network. It does not mean that the network is secure. Avoid logging in to any service online that requires a username and password. Be especially careful to avoid online shopping on public Wi-Fi.
Tl, dr: Phishing is on an uptick for the holidays, be wary of online deals, watch out for fake apps, long-time-no-see contacts, giveaways, and appeals for assistance. And be super careful on free Wi-Fi. Phishers gonna phish and scammers gonna scam.
Reported on November 17, 2016
Whoa! Our expert phish spotters are in full form today. The phish we are going to look at has been reported dozens of times since it arrived in email boxes. Well done, everyone!
One of the most common comments about this email have been how people are sooooo tired of getting these messages.
We're all in this together, my fellow phish foilers, and we appreciate every time you report a phishing attack. We also want to recognize everyone who just growls or mutters and presses the 'delete' key. We smile every time you give phishing the finger (we mean the one that presses the delete key, of course!)
Read through this message. Now think about it and ponder the phishy mysteries:
it's been a while, so we are sending a shout out to all the amazing support people at Weebly. They always respond promptly and efficiently to our reports of phishing. Thanks.
From: Amanda Lastname <email@example.com>
Sent: Thursday, November 17, 2016 11:50 AM
Subject: Alert From Helpdesk !!
This is an E-Mail service alert from service administrator. Some incoming mails have been placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE [link to a help desk form at Weebly has been removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.
Reported on November 14, 2016
Despite out best efforts, phishers gonna phish.
Messages that our expert phish spotters quickly delete have once more found victims. We have removed the unfortunates' names - and will do our best to protect them from further attacks. The truth is that there is no way to be 100% certain that an email recipient will avoid clicking on a link and giving out their credentials.
Neither of the featured messages came from EITS. What makes that clear?
In Message 1 the single most obvious indicators that the message is a phish are:
Message 2 is similar to Message 1 in many ways. Do a compare and contrast - see what you think.
In both these messages, sentence construction and word choice is very odd. You really have to wonder why a phisher thought claiming an increase in the size of an email account would increase security would prompt someone to click.
We're pretty sure that "maximum security" is what elicited responses.
We all want our online life to be as secure as possible. To do that, we need to learn how to avoid getting caught in phishing scams, keep our software, browser and apps up-to-date, make sure our firewalls are healthy and our antivirus is too.
Take some time to think about these two messages. Try reading the messages aloud. Do they make sense? Do they sound legit? Nope.
Don't get caught!
We have increased the size of UGA Mailbox and also our Security Strength to ensure maximum security of your mailbox. To upgrade Click HERE[link to sketchy looking contact form removed] now and follow instructions.
Failure to upgrade will lead in de-activation of your account.
This is an Email Service Alert from Helpdesk. This is to inform you that your mailbox has exceeds its storage limit, you will be unable to receive and send emails. To re-set your Account Space on our database, prior to maintain your INBOX from 20G to 20.9G. CLICKHERE [link to a site on Weebly has been removed] to Activate.
Reported on November 2, 2016
You keep hearing that phishing is a problem worldwide. We have a treat for you!
It's a Swedish phish. Well, Norwegian, actually. But that's just not as funny. Okay. Maybe that's a little lame. Here's the phish.
From: Christian Gamborg
Sent: Sunday, October 30, 2016 11:34 PM
To: Christian Gamborg
Subject: Passordet ditt utløper i noen dager tid
Passordet ditt utløper i noen dager tid, vennligst klikk på IKT Service Desk [Link to a fake service desk login screen removed] for å logge på og oppdatere gamle
passord og automatisk oppgradere til den nyeste e-post i Outlook Web Apps 2016.
Hvis passordet ikke har blitt oppdatert i dag, vil kontoen din bli suspendert innen 12 timer
Help Desk Administrator
Koblet til Microsoft Exchange
© 2016 Microsoft Corporation. Alle rettigheter reservert
From: Christian Gamborg
Sent: Sunday, October 30, 2016 11:34 PM
To: Christian Gamborg
Subject: Your password will expire in a few days time
Your password will expire in a few days time, please press the ICT Service Desk [*Link to a fake service desk login screen removed] to sign in and update old passwords and automatically upgrade to the latest e-mail in Outlook Web Apps 2016.
If the password has not been updated today, your account will be suspended within 12 hours
Help Desk Administrator
Connected to Microsoft Exchange
© 2016 Microsoft Corporation. All rights reserved
See? Everyone in academia gets this sort of phishing email. It doesn't matter where you are: It matters what you do when you get one.
You can't eat it - so delete it!
Reported on November 2, 2016
We did a total head tilt when this phish was reported. We're pretty sure it came from a legit address at Duke. That could be a spoofed address, but we have a degree of certainty that it came from a compromised Duke account. Ref flag!
It's addressed to "you". That's really strange,but, yes, that's what it really said. And the generic "Dear Member" greeting? Wow. Definitely not personalized in any way. Member of what? Red flag!
So, someone searched your profile on an unnamed site and wanted to post a picture. The profile is presumably at Duke. So why contact you at UGA? Shouldn't you have a Duke email account if you have a Duke profile? GAH! They are using confusion as an emotional lever. Red flag!
Then you are supposed to click a link that is hidden behind text? Red flag!
And when you hover your mouse over the link (without clicking!) it points to a site that is neither at Duke nor UGA. What it is that undecipherable gobbledygook if a URL? RED flag!
Then no signature. And a bogus safety message? RED FLAG! RED FLAG!!!!!
We think we've made our point. This message is chock-full of red flags. We hope no one was hooked by this email. If you were, please let us know. You may be on the hook fr clicking the link, but we can help with catch and release.
From:Profile Alerts <firstname.lastname@example.org>
Sent: Wed 11/2/ 2016 1:54 PM
Subject: Someone searched your profile
Someone searched for your profile information and requested to post a picture.
Click here for more information [Link removed. Trust us, you did not want to go there.]
Note: We limited the information shared for safety reasons.
Reported on October 28, 2016
The email in this example has been altered to protect the privacy of the person who sent it. The sender's name, email address and telephone number have been hidden, as have the contents of their 'Quick Steps' box.
This message is a perfect example of a phish that includes an attachment. The language in this email is designed to pique your curiosity and entice you into opening the attached 'REVIEW DOC' pdf.
This is a very dangerous phishing message! Did you notice that the email is well written and reasonable? The only thing to warn you it might be a phish is the unexpected inclusion of an attachment. If the phisher had included our names on this we might have fallen for it.
We were curious to see what the attachment contained, so we opened it in a secure environment. Do NOT try this at home. Or on campus! You do not want to be responsible for infecting any part of the UGA network.
The attached pdf contained a link embedded in a button. So, the phishers set things up so you would either download malicious software (malware) when you opened the document or when you clicked the button. Or on the website the button linked you to. Fortunately, the techniques we used helped us avoid a malware infection.
The attachment (opened):
Don't worry, we opened the attachment in a protected environment. It's our job to keep the network safe!
Reported on October 27, 2016
This short and simple email is filled with red flags! Sadly, it has had some victims fall for it. Let's go back to the old ask a few questions to see what you can learn.
And answer your own questions:
From:User Name <email@example.com>
Sent: Wednesday, October 27, 2016 4:14 PM
Subject: IT-Service Pass-word Update
Your pass-word will expire in 2 days. to keep your pass-word. CLICK=HERE [the link to a dodgy looking form at tripod has been removed] to update immediately
IT-Service Help Desk.
Reported on October 23, 2016
Wow. Just. Wow. Talk about an email designed to make someone freak out. I'm sure that this was one of the first email messages seen by the departmental account's owner early in the morning. Absolutely no one wants their email account deleted!
Think about this one. Would you have clicked the link to save an important email box like this? Be honest, now.
Fortunately, this landed in the inbox of an extremely expert phish spotter who knew that an active departmental account was not going to be deleted.
So what can we learn about this email?
Looking at the 'From' address, we can tell it was sent from an account in South Africa (.za). That should set your phishy sense tingling! You know there is something wrong with this message.
The greeting is directed at the email account name. It should call the account owner by name. Generic greetings are not unusual, but somebody know enough at UGA to lnow that this is a valid email address. Slightly freaked out: Getting more tingly!
Wait! is that a link hidden behind text? EITS won't do that. EITS is up front about linking - they rarely include an active link (one you can click on) and they will NOT hide it behind text. Phishy senses going *tingle tingle*
Remember, "If you hover, you discover!" A careful mouse-over shows that link goes to a form hosted at a Spanish site. South Africa AND Spain? Those phishy senses are feeling more like a power surge now.
And that sign off! 'The E-MAIL tearn' ? Say what? Check that spelling. Our phishy senses are so set off that we feel like we're in the middle of a Tesla coil. Whoa!
Trust your phishy senses and avoid the net. Phishers gonna phish.
From:MAIL NOTICE <firstname.lastname@example.org>
Sent: Wednesday, October 23, 2016 4:27 AM
To: Departmental Account Name
Subject: Re: Mail - To Be Deleted
Account to be deIetedDeardepartmentalaccount(at)uga.edu
A request to cIose your account was recently sent to us from your Account departmentalaccount(at)uga.edu
Don't recognize this activity? Kindly cancel below if this request is not from you. CANCEL REQUEST [link to sketchy site in Spain removed to protect the innocent]
The E-MAlL tearn
You received this mandatory announcement to update you on important changes with your account.
Reported on October 21, 2016
The phishers are working so hard this week, you can almost smell the virtual chalk dust from their Blackboard emails!
We have seen two basic types of these messages. Both designed to lure you into clicking on a bogus link to read communications from a 'faculty admin'.
These phishing emails seem to be targeted at administrators. They are being delivered to departmental accounts and people who might actually have content on a Blackboard site. If they clicked the link, they could give the phishers access to the departmental account and, possibly, a way into the University network.
Fortunately, we have several expert phish spotters out there who reported these messages to email@example.com . Thank you, phish spotters! Keep up the good work.
Many of the standard red flags are here:
And we especially liked the three exclamation points behind "Blackboard Learning !!!" in the second message. Very professional.
From: Justin Fowler
Sent: Wednesday, October 19, 2016 4:10 PM
To: An Assistant Dean
Subject: Re: Blackboard
You have two important message from Admin Faculty stored in Blackboard site.
Please click below to read the message.
blackboard.com/deptaccount[@]uga.edu/msg/admin/faculty/use382211 [This link looks legit but takes you to a South American site has been removed.]
The link above will be inactive after this mail has been read
Blackboard IT Learning
From: Faculty & Staff
Sent: Wednesday, October 19, 2016 5:10 PM
Subject: Re:You have two important message from Admin Faculty stored in Blackboard site.
Dear member : firstname.lastname@example.org<mailto:email@example.com>
You have 4 notification messages from your faculty admin.
Click below URL to read
blackboard.com/deptaccount[@]uga.edu/mail&_mbox=INBOX/15554ecbfef56e12 [Yet another bogus link removed for your protection.]
Blackboard Learning !!!
Reported October 13, 2016
Getting ready to travel? Headed south for the Georgia/Florida game? Be on the lookout for reservation scams. Remember, the online bad guys know our academic schedule — they know when Fall Break occurs and what most of us will be doing. So, they — being devious — think they can trick us with a fake reservation scam.
Take a look at this one.
Can you spot the red flags? (The four big ones are listed under the email.)
From: Judy Baker <firstname.lastname@example.org>
Sent: Thursday, October 13, 2016 10:49 AM
Subject: Reservation Confirmation
Sequel to our earlier conversation please find our reservation confirmation in the below link:
Reservation Confirmation [Link to a document on Google Drive removed.]
I await your email confirming all is ok as we would be arriving on friday 14th october.
Ms Judy Baker
If you click the link to confirm your reservation, or try to figure out who the email was really meant for, you will probably download malicious software.
"If you hover, you discover!" said a very nice young woman in a recent session we taught.
If you don't already know, you can hover (position) your mouse cursor over a link and the URL will pop up so you can read it. Don't get caught by links hidden behind plain text.
With the holidays just around the corner, some of us may be on the lookout for money-making opportunities. And we're sure to find money-making scams. That is, scams the phishers use to make money.
We all consider picking up a few hours at a part time job now and then. Finding a dream situation where we can do work that returns good money for our precious spare time is on all our minds. But when you find that perfect little side job, you really need to take the time to be sure that job's legit and not a scam.
One of the more popular scams is the Secret Shopper scam. Now, mind you, there are a few legit secret shopper services out there (or so we have been told). However, if an unsolicited invitation to earn money fast lands in your email inbox, it's more than likely a fake.
Secret Shopper scams promise decent amounts of cash fast. Many throw around amounts like $200 a job, for mere minutes of your time. Whenever you see big money offered for a little effort you should be cautious.
In these scams you usually get a check for a large amount of money. Then the following happens:
Here at Fresh Phish we recently saw a Target Shopper Scam that looked a bit like this:
Reported on 10/11/2016
Become A Target Shopper
[Official looking Target banner here]
Receive $200 to spend at Target for FREE!
Buy anything you want in store and give your honest opinion.
Join Target Shopper USA.
So What Happens Now?
Register and if you are selected, you will be sent a free $200 for spending at Target Stores.
Click 'Sign Up' and then complete all of the required fields.
Sign Up [This link to a Latvian website designed to look exactly like Target's has been removed. Latvia? Really?]
Copyright © 2016 Target.com, All rights reserved.
I love how this reads, "Register and if you are selected..." You can take that to mean "Give us your personal information and we will gladly scam you."
BTW - There is no mention of Secret Shoppers on the Target website. And we couldn't find anything on Target Shopper USA in a web search - it simply doesn't exist.
Be careful out there. Phishers gonna phish.
We have seen a few of these sorts of phishing email this week. Have a you gotten one?
Sadly, it appears that at least one of our own may have been caught by the first message and now that account is spamming its contacts list.
Let's take a look at the message to see what may have prompted someone to click on the links and give away their credentials. It's an extremely basic phish - its a "Do this thing or you will lose access to your account" type - that really should not fool anyone.
We can guess that it probably arrived as the recipient was dashing out to an 11 A.M. class. In a hurry, they likely paused long enough to click the link and fill in a form before running to class. No student can afford to be without email!
The sad thing is, most online criminals know us pretty well. they understand human nature and do not scruple to take advantage of us. Monday morning is a great time to send a phishing attack. (So is Friday afternoon.) We are busy, in a hurry and vulnerable. Phish while the victims are jumping!
The second message is the same kind of phishing attack. It threatens to take away a service most people depend on. It may look different, but it essentially a threat. Threats are a red flag - a warning- that an email is a phishing attack.
Compare the messages:
You must always remember these two things:
If you can keep these two simple facts in mind, you can avoid getting caught by many of the phishing emails that find their way into your email box.
From: UserName <email@example.com>
Sent: Monday, September 26, 2016 10:49 AM
Subject: Dear uga.edu User,
Dear uga.edu [link removed] User,
Verify your uga.edu [link removed] Email email account
to avoid email suspension CLICK HERE[link to a phishing webpage removed]
From: User Name <firstname.lastname@example.org>
Sent: Friday, September 30, 2016 11:00 AM
To: A well known fitness tracker company
Subject: RE: Admin Notice
You will not be able to send/receive more emails until you visit the below helpdesk portal link to restore/confirm your email access.
CLICK HERE [link to a non-uga website removed]
Things have been a bit hectic across campus as you all know. That means things have been hectic here at Fresh Phish, too. We have all finally had a chance to catch our breath and now we can get down to writing about phishing.
Bear with me while I cover this for our new Phish Spotters, m'kay?
We spend most of our time here at Fresh Phish talking about phishing email. That's the email you find in your inbox that has been sent by online criminals. Online criminals like to try and catch you in a busy moment, or at a time you are not paying attention. They are trying to take advantage of you and trick you into giving them personal information.
What kind of personal information? On campus it's most often your UGA MyID (or any other username) and password. They like to pretend they are with IT services and that your email has a problem. Or, has been upgraded.
But the bad guys don't stick to campus. So you need to learn how to spot phishing messages in all your email accounts.
With a little practice, phishing is fairly easy to spot. Most phishing email includes what we call red flags:
If you need more information about phishing emails, you can visit our Phish Tank webage.
If you need to report a phishing email, you can forward it to email@example.com .
Received on August 16 - 22, 2016
Dear Email User,
Due to our system update, we urge all Account Users to verify their email by Click verification update email CLICK HERE [link removed] to upgrade your M.H.B Upgrade quota limit.
Your account will be verified within 24hours
UGA © 2016 All Rights Reserved.
Access to your Account is about to expire, We recommend that you update to avoid account suspension. Please kindly follow link and verify your email account CLICK HERE [link removed].
We have increased the size of UGA Mailbox and also our Security Strength to ensure maximum security of your mailbox. To upgrade LOGIN [link removed] now and follow instructions. Failure to upgrade will lead in de-activation of your account.
Why are you still getting phishing email? Our email system handles millions of email on a daily basis. Some phishing messages get through. Reporting phishing helps us fight it and stem the tide. Phishers gonna phish.
Reported on July 2 -July 5, 2016
It's been a while since the last Fresh Phish post. Not because there have been no
attacks, but because there have been far fewer. Almost all of them have been repeats
of familiar phish. But as we start getting closer to Fall Semester, you can expect
to hear more from us.
Over the long 4th of July weekend the phishers decided to resurrect one of the oldies. It's short, it's direct and it's pretty obviously a phish. And it demonstrates that the bad guys know us far too well.
Many of us were out of town for the 4th of July holiday, maybe using free wi-fi at a hotel, or on the road. That would mean we were using services and IP addresses that we don't normally use, right? Right!
This particular phishing attack is designed to take advantage of our over-the-long-weekend travels and trick us into giving up our credentials.
You know we don't name names here at Fresh Phish, but we will tell you that at least three of our own were tricked by this phishing message. They provided their UGA credentials as requested and lost control of their email.
Now their UGAMail accounts are being used by the phishers to distribute even more
phishing email. That means a stranger has access to all the victims' email, all their
contacts and probably a good portion of their lives.
We have received more than 60 reports of this phishing attack. Our expert phish spotters are hard at work! And the phish spotters are coming from people all over campus. After looking at several reports, a visible pattern to the attack is emerging. Let's take a look.
This particular version of the attack started either late on July 1, 2016 or very early on July 2, 2016. The machines of the victims started sending out phishing messages late in the day on the 2nd.
Our expert phish spotters started reporting the phishing attack almost immediately.
A few more reports came in on Sunday, and a flood of reports came in on Tuesday the
So what is important about this timing pattern? It shows that the phishers know what they are doing. More importantly the know what we are doing. And what does that mean?
Phishers know when to attack us. They follow patterns in our behavior and attack while we are engaged and vulnerable. Friday, July 1st, we were getting ready to go out of town, in a hurry and likely to respond without really thinking.
Even though a few people reported the message over the weekend, most of the reports came in on Tuesday the 5th, just as we were all getting back from our long weekend. Once again, we were in a hurry, getting geared up for another work day and deep into our email.
It is likely that we will see more victims as more people return to campus for exactly these reasons.
From: "User Name" <firstname.lastname@example.org<mailto:email@example.com>>
Date: Sat, Jul 2, 2016 at 8:46 PM -0400
To: "User Name" <firstname.lastname@example.org<mailto:email@example.com>>
Cc: "User Name" <firstname.lastname@example.org<mailto:email@example.com>>
Your e-mail account was LOGIN today by Unknown IP address: 18.104.22.168, click on the Administrator link below and LOGIN [link to a webform at a non-uga removed] to validate and verify your e-mail account or your account will be temporary block for sending more messages.
Here at Fresh Phish we sometimes get email reports and can track the level of "good" mail versus the level of spam. (Phishing is a type of spam.) It's easy to see that when the volume of good mail goes up, spam goes up; when good mail goes down, spam goes down.
The bad guys know us very well. If we get to know them too, we can better respond to their attacks and avoid getting caught.
Just a quick note from us to you.
The past year has seen an increase in the number of phishing attacks being reported by you, our expert phish spotters. We appreciate your time and effort in working to promote phishing awareness here on campus. Keep up the good work.
Thank you too, to those phish wranglers who know that the 'delete' key is one of the most powerful weapons we have against phishing. You are our silent partners, but we appreciate it every time you press that key.
Keep on fighting the good fight. Because we all know that phishers gonna phish.
Message 1 - hello
From: "User Name" <firstname.lastname@example.org<mailto:email@example.com>>
Date: June 8, 2016 at 7:12:45 AM EDT
Due to our system update,we urge all Account Users to verify their email by Clicking on deactivate/activate your mail [link to form at Weebly removed] .
Message 2 - VERIFY
From: User Name
Sent: Tuesday, June 07, 2016 1:16 PM
To: User Name <firstname.lastname@example.org>
Your email will be shut-down due to several negligence of emails regarding mailbox upgrade. To avoid this please click HERE [link to faked form at Weebly removed] and verify your mailbox.
Message 3 - alert
From: User Name
Sent: Tuesday, May 31, 2016 3:45 AM
To: User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name;User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name; User Name;
Your email will be shut down due to several negligence of emails regarding mailbox upgrade. To avoid this please Click Here and verify your mailbox [link to bogus UGA form at Weebly removed]
U G A Helpdesk Administrator.
Message 4 - IT NEWS
From: "User Name" <email@example.com>
Date: Fri, May 20, 2016 at 6:47 PM -0400
Subject: IT NEWS
To: "Www Info-Admin" <firstname.lastname@example.org<mailto:email@example.com>>
Dear UGA User,
You have exceeded the limit of your mail box quota, and your currently have emails pending in our servers yet to be delivered to your inbox.
You will not be able to receive or send new emails until your increase and boost your Mail box size.
Login in HERE [link to form at Jimdo removed] to upgrade your WSU outlook email.
Copy right © 2016,
UGA Webmail Maintenance,
All Rights Reserved.
Remember, phishers gonna phish. Don't get tricked by Phishy McPhishface.
We just received a report of a very clever phone phishing scam. (Yes, phishers use the phone, too.) It is definitely a phish of a different color, but it still stinks.
Someone has been misrepresenting themselves as a member of the "EITS – Information Security Support Team". The number they call from showed up as Caller-ID 000-000 (this may not be the only number that will appear.)
The phisher Informed the call recipient that their computer was being used as part of a botnet. The phisher then tried to convince the person they called to download the new EITS malware uninstaller. The call was disconnected before full instructions and a download URL were provided.
Straight up heads up: IF you get a call like this, it is not EITS calling you about installing a security software. Do not agree to install anything on your computer if you receive a call like this.
A brief note for those of you who may not know what a botnet is: A botnet is a network of computers connected to the internet that have been taken over by an attacker. Botnets can be used in all sorts of ways without the permission or knowledge of the people who own them. Botnets are commonly used to distribute spam and malicious software.
Phish Spotters! Cry havoc! That this foul phish shall smell above the earth. What
odious and odorous phish is this?
This phishing attack is an extremely dangerous one. And while paraphrasing Shakespeare may not help, raising awareness of this email will.
We got several reports of an "Account Termination" phish in the past two days. In fact, it was going to be the featured phish today. Then this beauty showed up!
The phishers pretend to warn us that the Account Termination email was a hoax designed to steal our credentials. They go on to say that they have "taken further steps" to apply security measures to prevent future phishing attacks. Our accounts can be made more secure if we just go authenticate them so the security measures can be applied.
What nerve! What planning!
If the link to authenticate were clicked, a bogus CAS page would pop up and, get this, we would give our credentials away. DO NOT click the link! Why? Because EITS will never ask you to provide your credentials in an email. That includes providing a direct link to a form where you can fill them in.
At least one person here at UGA has already lost their credentials to this attack.
From: User Name <firstname.lastname@example.org>
Sent: Thursday, May 19, 2016 7:08 AM
Subject: Illegal Access Blocked (Read).
In light of the phishing attack message that was sent to various email accounts at UGA last week with subject "Account Termination". Please kindly disregard that message as it was a ploy to trick you into revealing your account details. We have taken further steps to prevent such attacks from happening in future.
To make your account more secure with our new UGA - Assist software now installed to protect all email accounts on our server, you will need to authenticate your account using the below link;
- AUTHENTICATE YOUR ACCOUNT NOW - [Link to a totally bogus http:// CAS login form at a site called bug3.com. Link removed.]
Once you authenticate you will get a confirmation message that your account has been authenticated.
UGA Support Team
All the red flags are present, but a little skewed, in the message:
If a service like UGA-Assist existed, don't you think EITS would apply it to all accounts and not waste time waiting for us to confirm we want it? Of course they would!
Phishers gonna phish.
Reported May 15, 2016
A new and different type of phish swam into the UGA waters this weekend. It's an attempt
to get your credit card data that pretends to be from a UGA watchdog service called
Fortunately, it is not to hard to spot if you are an expert. (A big shout out is due to ER who was the first to report this phish!) Unfortunately, it just may not be an easy catch for those who are just learning to be phish spotters.
If your email view allows you to see the sender's address, you can see that it actually comes from an address at telkomsa.net which is a large communications firm in South Africa. The 'to' address is update.net and the form is hosted at yet another site. None of them are UGA sites. This message is clearly a phish.
Take a look at the body of the message. It appears to state that someone tried to use your credit card from an unrecognized/unknown computer. Then it prompts you to go to a website and fill in all your account information for security or if you have "loosed" your credit card.
The message has no signature, no contact information, no company logos - would you
trust this email? Of course you wouldn't, right? Right?
At the very least, you should question why your credit card is being monitored by a group called "securitywatch" at UGA. Especially since it does not exist!
From: "email@example.com" <mailto:firstname.lastname@example.org>
Date: Sun, May 15, 2016 at 2:19 PM -0700
To: "email@example.com" <firstname.lastname@example.org<mailto:email@example.com>>
An attempt was made on your visa/mastercard from an unknown computer. So for security or loosing of your visa/mastercard, we therefore ask you fill in your data correctly to safeguard your credit card. click on this link: http://a really long link that is not secure and takes you to a non-UGA webform [link removed]
What a week for Fresh Phish! Finals week and commencement seem to have brought out
all sorts of phishers.
It has been an extremely busy time for our expert Phish Spotters. Judging by the number of phishing messages being reported, they are working very hard to keep us informed about incoming phish. A big shout out to all of you - our Phish Spotters rock!
We have had a lot of repeat-offender type phishing messages. You know the ones - Update Your Password, Urgent Notice, Revalidate Your Account, Your Mailbox is Full, LOGIN from an unkown IP and so on - they show up all the time.
But did you know that they are actually not the same message? They may look identical, but the phishers have to constantly tweak their messages to get them into your mailbox. Email has filters - that's why some things end up in your Junk folder. The phishers know we use Outlook/OWA, so guess what? they do too! They can test their messages before sending them to our mailboxes. If delivery is sucessful during their test, it will probably work when sent to UGAMail boxes, too.
Phishers want your login credentials: your UGA MyID and password are valuable to them. If they have your login credentials, they have access to your UGA account. They can use your account for more phishing. They might use your account as a starting point for getting more access to the UGA network. If they can hack your machine (PC laptop, phone, etc.) they can use it to build up their own network. They just link it to all their other hacked machines.
That's why we keep telling you that EITS will NOT ask for your credentials. EITS will never ask for your password in an email. We won't send you an email with a clickable link so you can go to a website to validate your account, upgrade your mailbox, or reset your password. If you need to change your password, the proper website information will be included in the email but it will not have a link.
Remember our advice several posts back about hovering your mouse over links? If you hover your mouse over a link in an email you can see the destination or where you would go if you clicked on it. If an email claims to come from the University and the destination is not a valid UGA website this is an clear indication of an attack.
When you do a link check, be especially careful of links that use services that allow you to shorten URLs (Owly, TinyURL, bitly and so on.) Shortened links hide the destination URL. If you can't tell where you are going, you probably should avoid going there. Use your judgement!
Do you sometimes get phishing messages from uga.edu email accounts in your account? That generally indicates that either the sender's account has been compromised or the sender knows how to alter, or spoof, email addresses.
Phishing messages from compromised accounts are making the rounds. All UGA faculty,
staff ans students are vulnerable to them. After all, if you get one, you are likely
to be in the sender's contact list. And we all are prone to trust someone we know.
Phishers are criminals. They work 24/7/365.
You have to pay attention all the time. If you don't, you are likely to get caught.
Phishers gonna phish.
Reported May 6 -May 9, 2016
Alas, Dear Phish Spotters, finals week has seen many email accounts fall to the insidious efforts of the phishers.
The three messages below have been reported at least 40 times each. They have affected multiple UGAMail accounts. And reports keep rolling in.
I suspect most of the phishing victims are students who, concerned with arranging the trip home for the summer, finals, communicating with professors and wrapping up projects with their groups, reacted to the original phishing messages without thinking.
Imagine, working hard all weekend just to get a message in your inbox that tells you your email is being held, or you need to validate your account, or you have to respond or your email account will be shut down.
We get it. We were students once ourselves, caught up in the rush, under pressure to wrap up a semester. We all make mistakes when we are in a hurry. And it is awful that there are email accounts that may be suspended for spamming or phishing because someone tried to do the right thing.
Phishing attacks are getting harder to spot but all the red flags are present in these three messages:
The messages all are sent from trusted addresses - all uga.edu addresses are considered trusted - because UGAMail accounts have been compromised. That's how these messages end up in our inboxes. (The phishers might also fake a uga.edu email address.)
As far as links in email are concerned, get into the habit of looking at the address of any website that asks for your UGA credentials.
The part of the webpage address between the http:// or https:// and the first "/" should end in uga.edu (if there is not http:// or https:// look to the left of the first "/" ). Be aware that some UGA entities have their own, special, URLs. You can always use Google to check things out.
That said, remember that nothing is 100%. Phishers are crafty. They know how to fake email addresses and webpages.
The single most important thing to remember in the case of each of these messages is that EITS will never ask you to provide your credentials in an email. That includes providing a direct link to a form where you can fill them in.
From: User Name <firstname.lastname@example.org>
Sent: Friday, May 6, 2016 6:22 PM
Several of your incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICKHERE [link to a Weebly page removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.
Technical support team
From: User Name <email@example.com>
Sent: Friday, May 6, 2016 6:00 PM
To: User Name <firstname.lastname@example.org>
Cc: User Name <email@example.com>
Subject: MAY 6TH 2016
Your e-mail account was LOGIN today by Unknown IP address: 104.140.281.028, LOGIN [link to a Weebly page removed] to validate and verify your e-mail account or your account will be temporary block for sending more messages.
From: User Name <firstname.lastname@example.org>
Date: May 9, 2016 at 9:30:14 AM EDT
Subject: UPDATE YOUR ACCOUNT
Due to our database maintenance equipment that is happening in our mail message center, This maintenance of quarantine will help us avoid this dilemma every day and with the new improved software it will provide our users with a new security system to protect our users from getting their accounts hacked.
We recommend that you update your account now to avoid termination or account de-activation.
UPDATE CLICK HERE [link to a Weebly page removed]
As always, your privacy and security are of utmost importance to us. We apologize if you have experienced any difficulties due to this situation, and please know that our technical staffs are working to solve the problem.
Thanks for your anticipated co-operation,
Did you notice that the three messages listed in the post above all point to pages at Weebly? Weebly is an inexpensive web hosting service that is similar to Jimdo. In other words they are a legitimate business that the phishers are taking advantage of.
Reported on 4/28/2016
There has been a run of Court Summons emails at other universities of late. Be on the lookout - they may be featured in UGA email inboxes soon!
This is a heads up post; as such this post is a little different. The two examples below were forwarded to us from a security-minded individual at another university. (A shout out to RP! Thank you!) As far as we know there have been none of these messages received in UGAMail boxes.
These types of phishing messages are downright vicious. They are manipulative, instill panic in just about anyone, and are almost guaranteed to provoke a response from the unwary recipient. And they make us mad as snakes.
The only recourse the recipient has -if they think the email is legit - is to reply or to call. Or do a web search and possibly land on a fake website. In any case they will be phish on the line.
My bet is that the phishers are after one of the first two responses. They want to know if the email address they are sending to is active. That gives them a foot in the door. Remember, the targets of these phishing attacks are at universities. Scoring access to a university network could mean big bucks to a phisher.
Summons Message 1
From: Matthew Siesel [mailto:email@example.com]
Sent: Wednesday, April 27, 2016 4:21 PM
To: <Valid User at Other University>
Subject: <User Full Name> - Request to Appear in Court Letter
<User Full Name>
New York, NY
Dear <User Full Name>,
Your case has been set for hearing on 5/6/2016 at 11:30 AM o'clock in the New York parish co urthouse. Your case is before Judge Corinne Heh in courtroom 182.
You will find it most handy to park on the 015, 027. Judge Corinne Heh's courtroom is on the third floor.
This is a hearing on Western Connecticut State University Violation Ref. 1A12628045.
Please be present for this. If I can be of assistance, please do not hesitate to contact me.
Feldman, Kramer & Monaco, P.C.
Summons Message 2
To: <User Name>
From: Yvonne Safar <firstname.lastname@example.org>
Subject: Steven Rosenberg - Testimonial Subpoena Letter
Date: Thu, 28 Apr 2016 00:27:51 +0800
<User Full Name>
152 West St Ste 3
Danbury, CT 6810
Dear <User Full Name>,
Your case has been set for hearing/trial on 5/5/2016 at 1:30PM o'clock in the Danbury parish co urthouse. Your case is before Judge David Wong in courtroom 166.
You will find it most convenient to park on the 017, 029. Judge David Wong's courtroom is located on the first floor.
This is a hearing on Western Conn Healthcare Inc Complaint No. 1A33889144.
We strongly advise you to be present for this. If you require any further information, feel free to call.
Convery, Thomas V. Attorney
This phish is a real winner. It got through Microsoft's Spam Filters and into several
mailboxes. We had to read the body of the email twice to really appreciate the skill
that went into crafting it. It is definitely a phish, but what gives it away?
Well, let's start with the first red flag, the email address of the sender: They are at Napier University in the UK. Why on earth would someone from a university in the UK be writing to tell us to update our email? Would you have paid any attention to that, though? Or would you have read the email and clicked the link? Be honest, now. All those spurious improvements sound good.
Then there are three more red flags in rapid succession: the generic "All Employee\Staff" greeting, followed by a blind link and a deadline (immediately.) The link would drop anyone who clicked it into a webpage on Tripod, a free website builder that offers web hosting, too.
The final red flags are the inaccurate signature and the 2015 date.
What about all that disclaimer text at the bottom? Surely that would have tipped anyone off! The spacing in the actual email was enough to make it easy to miss unless you scrolled down. The disclaimer would have been especially easy to miss on a phone or a tablet.
A shout out to AM for reporting this message - thanks, AM!
From: False Identity <F.Identity@napier.ac.uk>
Date: Wed, Apr 20, 2016 at 1:39 PM
Subject: RE: IT Service Help Desk
To: False Identity <F.Identity@napier.ac.uk>
To All Employees\Staff,
Take note of this important update that our new web mail has been improved
with a new messaging system from Owa/outlook which also include faster usage on email,
shared calendar,web-documents and the new 2016 anti-spam version.
Kindly use the link below to complete your 2016 Outlook Webmail User authentication form.
CLICK on Outlook Web Access [link removed] to update immediately.
IT Service Desk Support
(About four inches of blank space was removed here.)
This message and its attachment(s) are intended for the addressee(s) only and should
not be read, copied, disclosed, forwarded or relied upon by any person other than
the intended addressee(s) without the permission of the sender. If you are not the
intended addressee you must not take any action based on this message and its attachment(s)
nor must you copy or show them to anyone. Please respond to the sender and ensure
that this message and its attachment(s) are deleted.
It is your responsibility to ensure that this message and its attachment(s) are scanned for viruses or other defects. Edinburgh Napier University does not accept liability for any loss or damage which may result from this message or its attachment(s), or for errors or omissions arising after it was sent. Email is not a secure medium. Emails entering Edinburgh Napier University's system are subject to routine monitoring and filtering by Edinburgh Napier University.
Edinburgh Napier University is a registered Scottish charity. Registration number SC018373
If you were caught out by this phishing message, change your password and run your anti-virus and anti-malware software. Contact the EITS help Desk and report the message or forward it as an attachment to email@example.com.
One of our own has been compromised by the recurring "Update Alert!" phishing scam. We have looked at the red flags for this message a couple of times, so let's look at the actual message content for meaning (if there is any.)
At glance we wondered if there is a webpage out there for randomly composing phishing
messages -like random story generators, or the pages where you can enter a few words
and get a dozen possible band names or a set of song lyrics. Then we decided to break
this phish down line by line and supply possible solutions to each line.
"We temporarily locked your mail account from sending messages" - So try sending a message to yourself or a friend. Did it work? Yes? Not locked! Delete the phish.
"Our system has detected unusual virus in your Folder" - Our email provider, Microsoft would not just send you a message to let you know you have a virus in your email folder. They would disable links and other functionality, like the ability ot download an attachment or a virus. Decide this is a phish and delete it.
"We advice you to empty your trash folder" - If you think it needs it, then by all means empty it. Just don't do it just because this phishing email told you to. Once your trash folder is tidy, delete the phish.
"Update your email account for Security maintenance and protection of your email from virus attacks." - This one has a double whammy. If there are security-driven updates, they are unlikely to be put into effect by you updating your account. But you are constantly told to keep your computer up to date. So which is it? Well, when it comes to updating your email account, you need to use your UGA MyID and password - two things EITS will never ask you to provide - to log in to a form or webpage. You can contact the EITS help Desk to see if this message is legit if you need to. Or you can just delete it.
"We recommend that you update your account to avoid termination." - EITS is not going to terminate your account unless you A) Fall for a phishing message (and then it's only temporary) or B) graduate/retire/leave the University. Laugh at the silly phishers and delete the message.
"UPDATE Click Here" - If you hovered your cursor over this link in the original email, you would have discovered that it went to a totally fake looking URL. Unfortunatley, most people just see the link and click. But not you. You deleted the email, right?
"The System Administrator Management Team" - This team would be the team that managed the people that managed our system. If they existed. And they don't. Even if they did, they probably would not be writing to tell you that you needed to update you email account. Shake your head, shrug your shoulders and hit the 'X' to delete the phish.
"Copyright© Admin Webmail Inc" - The copyright symbol is an attempt to make this message seem important, official and real. If you have not done so, delete the email.
From: Sender Name <Sender Name@uga.edu>
Date: April 17, 2016 at 8:11:04 AM EDT
Subject: Update Alert!
We temporarily locked your mail account from sending messages, Our system has detected unusual virus in your Folder, We advice you to empty your trash folder and Update your email account for Security maintenance and protection of your email from virus attacks.
We recommend that you update your account to avoid termination.
UPDATE Click Here [link removed]
The System Administrator Management Team.
Copyright© Admin Webmail Inc
This phish is almost insulting. Why? The sender is at Tulane, asking use to update
our UGA mail, and the IT service desk is at FSU. Three universities in one phish.
I certainly hope no one on campus was caught by this message.
I have no more words.
Wait! I found some. (You knew I would.)
If you did get caught up in this scam, please contact the EITS Help Desk and let them know. There is a first time for everything. Getting fooled by phishers is forgivable and even understandable - just take some time to learn about phishing so you don't get caught again. If you're here, you're off to a good start.
Phishers gonna phish.
From: LastName, FirstName [mailto:FNLast3@tulane.edu]
Sent: Saturday, April 16, 2016 12:29 PM
Subject: Alert from helpdesk
Your University E-mail account will be shutdown due to several negligence of emails regarding mailbox upgrade. To avoid this please click HERE [link removed] and verify your UGA email account.
ITS Service Desk
Reported on 4/8 - 4/11/2016
Well, we have seen this phish before, and will likely see it again. Other universities
have reported the same phishing scam several times this year as well.
As you can see, the Sender Name has been replaced. That means that someone on campus fell for this scam and gave their credentials away. Now, their UGAMail account has been compromised and is sending out this phishing messages to people in their address book.
We have received a good whiff of this rotten phishing message, now let's take a closer look.
Jargon, jargon and more jargon: What does this message even mean? "Certificate", "delivery configuration", and "account POP settings" are all used to confuse you. (Red flag!)
Awkward! Mixed cases, lame punctuation and awkward sentences like these do not belong in a professional message. So it's unlikely to be legit. (Red flag!)
One sketchy looking link: We removed the link to protect the innocent (and keep them from clicking on it by mistake!). It went to a fake webform at a web address that did not look anything like UGA page URL. (Red flag!)
Who the heck are the "uga Webmaster Team" and what have they done to EITS? (Red flag!)
All snarkiness aside, Phish Spotters, the reason someone fell for this phish is probably simple: They were in hurry.
Why do we think that?
The email was sent on a Friday. The recipient of the phish, Phish Victim Zero*, probably got it on Monday. They skimmed the email, got a little freaked out by the jargon and thought is was official. They went to the webform and filled in their information.
* And that's Phish Victim Zero like Patient Zero - the first person to succumb to the phishing scam. Phishing's not just endemic in universities; it's everywhere. Once your account is compromised, the consequences of being phished can spread through your address book. Okay. So comparing phishing to a virulent disease might be a bit over the top. But then again, the metaphor works.
So, inoculate yourself against phishing scams. Look for Red Flags. Run through the Who, What, Where, Why and When routine (especially that What do they want you to do part.)
From: Sender Name <firstname.lastname@example.org>
Sent: Friday, April 8, 2016 1:17 PM
To: Sender Name
Cc: Sender Name
Subject: Account Notification
Your uga account Certificate expired on the 09-04-2016, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.
To validate your uga mailbox, Please take a second to update your records.
click here: unsecured_fake_webform_at_jimdo
Your uga account will work as normal after the verification process, and your Account Certificate will be re-newed.
uga Webmaster Service
Another shout out is due to the good people at Jimdo - they are always responsive and willing to help us shut down phishing pages that the "bad guys" put up on their site.
Reported on 3/31/2016
Phish spotters assemble! Today we face an insidious evil menace — fortunately not
unlike one we have seen before.
Here we have a phish that appears to come from an internal UGA email account. The address is spoofed to look legitimate and to get fool our email system into thinking it has come from a trusted source. This is a very dangerous email in the hands, um, the inbox of the untrained. Why?
Expert phish spotters know to take a deep breath. Then take a closer look. This message is waving red flags left and right. What are they?
Keep your eyes open!
From: UNIVERSITY OF GEORGIA [mailto:email@example.com]
Sent: Thursday, March 31, 2016 7:22 AM
Subject: WEB ADMIN
Dear UGA webmail user
Due to the new change in our webmail, All staffs and students are require to Validate your webmail login to enable you continue using our mail services. Please click on the link below to validate your email by logging in to your account:
http:// unsecured fake uga portal validation page in Poland that resembles a CAS login page [actual link from the email removed]
Failure to do this, will result in limited access to your mailbox.
Thank you for choosing our UGA Webmail services
UGA Webmail VERIFICATION SERVICES
HelpDesk | UGA Holdings Company LLC. @ 2016
Our expert phish spotters are working overtime!
We have gotten dozens of reports of the "March 28th" phishing message along with the usual "Upgrade Your Email" and "Your email storage is almost full" messages over the last two or three days.
It's almost like the phishers know many of us would be out of town for Easter and
wanted to fill up our email baskets with tasty phish! Oh. Wait. They did know.
Look for the red flags - they are all there.
Sadly, someone here at the University fell victim to this phishing attempt. We have to wonder how. Were they in a hurry? Did they just get back on campus and think the message could be legit? Or were they just trying to do the right thing to keep their email access?
From: Sender Name <firstname.lastname@example.org>
Sent: Monday, March 28, 2016 10:03 AM
Subject: March 28th 2016
To: Sender Name <email@example.com>>
Message From Help desk, we notice some unusual sign in of your account from another browser, for protection we advise you to kindly Click Here [link to fake form at Weebly removed] and fill up the form below, for security reasons,
failure to do so, will lead to account blockage,
Fill up the form below and submit,
Message from Help Desk.
Reported on 3/23/2016
This attempt is rather clever — and draws on our human curiosity to coax us into clicking
the link the phishers provide. The "Daily Campus Bulletin" is entirely fake — but
if you don't know that UGA does not have one, you just might fall for this phish.
We removed the link to the webpage supplied — going there would probably have dropped malicious software, most likely a key logger. Key loggers are designed to track every move made by anyone using the computer they infect. So, even if you did not fill in a form with your UGA MyID and password, it would have been only a matter of time before your computer transmitted that information to the phishers. Not to mention your bank login, your credit card login, your Amazon login... need we go on?
And asking you pass the email on to your friends? Woah. That's low. Phishers gonna phish.
From: Sender Name [mailto:firstname.lastname@example.org]
Sent: Monday, March 14, 2016 6:54 AM
To: Same Name as Sender
Subject: RE: Daily Campus Bulletin for March 14, 2016
Click the following link to view today’s Campus Bulletin:
Click Here on: > Daily Campus Bulletin for March 14, 2016 [link removed]
Kindly forward this update to all your friends on your contact as this is the new development on daily bulletin.
Connected to Microsoft Exchange,
© ADMIN TEAM 2016
Reported on 3/21/2016
We have seen so many of these phishing emails that we are surprised there are any left in the sea.
It's ironic that one of the phish spotters to report this actually had logged in to their account from an IP address they had never used before. So, join me in a shout out to KRP, who not only reported the problem, but avoided taking the bait and giving away the UGA login credentials the phishers were after.
Now seems like a great time for me to mention that 2016 looks like it is set to be the year of the Business Email Compromise (BEC). What's that got to do with a phishing email in your UGA account? Good question. Consider this:
For faculty and staff, UGAMail is your business email account. As employees of this institution, we send and receive email that has to do with the business of running the University and the business of meeting our obligations as staff and faculty.
When you consider the wealth of information that a successful phishing attack could win for an online criminal, it really starts to make sense. Just think about all the personally identifiable information that UGA handles (potential students, current students and alumni!). Pair that with financial information, research information and valuable data-based learning resources and things start to add up.
Your UGA credentials are valuable, y'all! Protect them.
From: Sender Name <email@example.com>
Date: March 21, 2016 at 1:59:12 PM EDT
To: "Info@someplace.com" <Info@someplace.com>
Dear UGA User,
Alert from UGA Service Desk, Our latest IP Security upgrades discovered an irregular Login attempts on your email account earlier today from unknown location with this IP: 22.214.171.124. We recommend that you validate your account to avoid suspension. CLICK HERE [link removed]
EITS - Enterprise Information Technology Services UGA Admin
Copyright © 2016 Admin All rights reserved.
With practically everyone out of town, or at least off campus, the phishers have been ramping up the attacks and casting wide nets. There have been several interesting phishing attempts aimed to get our attention while we are distracted by Spring Break and the beautiful weather. Let's take a look at some recent examples submitted by our expert phish spotters.
Reported on 3/10/2016
These two messages are of the sort we don't see as often as we used to. They both came with attachments that may be carrying a payload of malicious software. If you download the attachment, the software installs. If you fill in the form and return it to the sender, they get the bonus of free and easy access to your login credentials while their software steals everything else.
Much of the time phishing emails of this time are flagged by Microsoft Outlook before we get to see them. That means the phishers were clever enough to craft an attack that actually got through to our UGAMail accounts.
In both these messages, the phishers call on our curiosity to prompt us to open the attachment. In the first message we are told we have money; in the second we are told we owe money. Both are designed to make us think, "Huhn?!? What's this all about?" and open the attached file.
The messages are actually fairly well constructed. Although the first one with its "Dear Sir/Ma" is extremely odd, they did manage to spoof a Bank of America email address to seem credible. All that aside, imagine how you would feel, just back from vacation, tired and mostly broke. Would you want to see who sent you money? I would.
The second message is worth a closer look. One of the first things that should catch your eye and set your phishy senses tingling is mention of "your account". Nowhere does it identify which account, or with what business. The sender is in Russia, so most of us would probably think twice before opening that attachment.
From: From Bank of America www.bankofamerica.com [mailto:Person@bankofamerica.com]
Sent: Thursday, March 10, 2016 12:03 PM
Subject: Remittance Advice Ref:BOA0190289001USA
This is to notify you that the payment instruction we received has been processed through Bank of America into your account that was provided.
Please find the remittance information.
Wire Confirmation No: BOA0190289001USA
Transaction Status: Completed.
Attached to this email is the secure payment receipt from Bank of America. For secure access, You are required to download and authenticate by verifying your email and password via the attached outlook document file transfer page to gain secure access to the receipt.
Let me know when you have it and please confirm the details.
If you are unable to view the file, do not hesitate to contact me.
Bank of America
Payment Processing Unit,
This message contains confidential information and is intended only for the addressed recipient.
If you are not the addressed recipient, you should not disseminate, distribute or copy this e-mail.
From: Person [mailto:Person@rambler.ru]
Sent: Thursday, March 10, 2016 1:52 PM
To: User Name <firstname.lastname@example.org>
Subject: New Invoice #2109-1
This email is being sent in order to inform you that a new invoice has been generated for your account. Please see the attached file.
Reported on 3/7/2016 -3/10/2016
This trio of phishing messages have been reported dozens of times this week. They are fairly run of the mill and one or two of them are variations on themes we have seen before. So what makes them special enough to get more attention here on the Fresh Phish page? Thier timing.
All these phishing messages will be lurking in the email boxes of Faculty, Staff and Students returning from Spring Break. What a great opportunity for the phishers to catch some victims unawares.
Imagine stumbling in, tired from a long flight, exhausted from a drive that took more time than you thought it would and deciding to wind down by a quick look at your email. Just to make sure nothing needs your attention before a well deserved night's rest. And then you find out your password is about to expire, your account will be locked down, your email has been compromised or you have messages stuck in a pending loop.
Would you click on one of the links? The links here have been removed, but in all the messages they pointed to a URL that included either uga-edu, webmail, 365, itservices or outlook as part of thier construction. Mousing over the links with those words in them could fool a tired person into cooperating with the criminals.
From: Off-campus User <email@example.com>
Sent: Monday, March 07, 2016 8:39 AM
To: Off-campus User
Subject: RE: Faculty & Staff Admin Note.
Your Password Expires in 2hour(s) You are to change your Password below via the ACCOUNT MANAGEMENT PAGE.
Click on CHANGE-PASSWORD [link removed]
If Password is not change in the next 2hour(s) Your next log-in Access will be declined.
From: User Name <firstname.lastname@example.org>
Sent: Friday, March 04, 2016 1:44 PM
To: Same User Name <email@example.com>
Subject: Authenticate Your UNIVERSITY OF GEORGIA Webmail
We noticed spam in your UNIVERSITY OF GEORGIA webmail account. Our system has detected unusual virus in your Inbox and trash folder, We advice you to empty your trash folder and update your email account for Security maintenance. We recommend that you update your account to avoid Malwares. UPDATE [link removed]
Microsoft Office Team.
From: "Off-campus User" <firstname.lastname@example.org>
Date: Mar 7, 2016 4:27 AM
Subject: Admin update,
Dear Microsoft outlook user you have pending messages click here [link removed] for update and upgrade of your account.
What can we say? Phishers gonna phish. Don't end up on the hook for clicking a link.
And welcome back from the break, all y'all!
Reported on 3/1/2016
Dear Phish Spotters, I commend each and every one of you who reported this message. The ranks of UGA's expert Phish Spotters are growing, thanks to your efforts. Yet one of our own has been hooked.
This phish is an oldie, but sadly, still effective. And honestly, I am not sure why. The red flags are all there. Do we need a new way of looking at these emails? Should we approach possible phishing emails more analytically? Let's try looking at/for the red flags differently:
Are you tired of all these questions? We are too, but we have to keep asking them so we don't get hooked. Phishers gonna phish.
Your UGA outlook mailbox has exceeded its storage limit to set your e-mail administrator, and you will not be able to receive new mail until you re-validate it.
Click HERE [linkremoved] and login your email.
and login your information to re-validate your email account.
Help Desk Administrator
EITS will not ask for your username and password in an email (it's not secure!) and all changes to your credentials will happen through the EITS MyID Tools and Information webpage.
Reported on 2/26/2016
In spite of the efforts of our expert phish spotters, it looks like several people on the UGA campus have been caught in this phishing attempt. We are seeing email addresses from other campuses, as well — all addressed to the spoofed "email@example.com" email address.
Let's step back for some phish spotting 101. The top five red flags are all there.
The CLICK link points to a form on Jimdo and has nothing even remotely like a UGA web address.
Take a look at the header for this message, too. You need to remember to ask yourself who the sender of the message is, and how they are affiliated with your UGAMail provider. It's easy to look someone up at the UGA website. In this case the answer was "absolutely nothing." So why would you want to give this person your Username and Password?
Remember: It's up to you to keep your credentials safe. Don't give them away.
From: Sender Name [mailto:firstname.lastname@example.org]
Sent: Friday, February 26, 2016 12:34 AM
Your incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK [link removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding.
If a form looks funny, or a URL seems wrong, or you get a funny feeling about submitting your Username and Password, don't do it. Trust your feeling. And check with the EITS Help Desk (706-542-3106).
EITS will never ask for your Username and Password in an email.
Reported on 2/13/2016 and 2/14/2016
Oh, my. Feel the love from those phishers - Valentine's Day really brought them out! We received so many reports on these three messages from our expert phish spotters (<3 y'all!) that if phishing email was chocolate, we'd be in a sugar coma.
Every one of these messages have the standard red flags. (If you don't know the red flags, see "What is Phishing Email" on our Phish Tank page.) The grammar is particularly wretched in Message 2.
Let's focus on links in these three messages. You've probably noticed that the phishier messages did not even bother to hide the links behind a CLICK HERE. The one message that did, linked to the destination, a page at Jimdo. Ok. I have got to take a sec to state that the folks at Jimdo have been extremely responsive to our requests to shut down these phishing pages: they are on top of things.
But this brings us to two points that need mentioning. Ready?
Point one: There are sites that host phishing pages. Some, like Jimdo, are legit businesses that are both responsible and responsive, and actively work with us to shut down the bogus pages. Why do I bring this up? Because you need to know that even trusted businesses may host malicious content.
Point two: phishers tend to take advantage of holidays, big sports events and disasters. Now, it could be a coincidence that this flood of phishing email came on Valentine's day weekend. Or might the phishers have been trying to get to us when we were all distracted by thoughts of romance? I bet on the latter.
We have two big events coming up this year; the Election and the Olympics. Be on the lookout for phishing email related to both. Phishers gonna phish.
From: Sender <email@example.com>
Date: February 14, 2016 at 12:44:05 PM EST
To: Same Sender<senderuga.edu>
Cc: Same Sender<senderuga.edu>
Subject: Upgrade Your Account
Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE [link removed] to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding
From: IT SERVICE DESK <firstname.lastname@example.org>
Subject: Dear E-mail User,
Date: February 12, 2016 at 11:58:58 PM EST
Dear E-mail User,
Due to database maintenance that is happening in our webmail message centre, we are currently deleting ALL inactive and hacked E-mail account from our email account database, with this new improved security software it will provides our users with a new security system to protect our users from getting their E-mail accounts hacked.
We recommend that you update your account now to avoid termination or account DE-activation.
CLICK ADMIN SYSTEM [link removed]
to verify your webmail account.or Copy paste link for upgrade
"info-webmail-hlpedu.jimdo.com" [link removed]
We are sorry for the inconvenient.
Thank you for your support!
The IT SERVICE DESK
The Official Email Provider of the Conservative Movement™
Please keep this email – it contains all of your important links:
This email has been sent from a virus-free computer protected by Avast.
Sent: Friday, February 12, 2016 2:53 PM
Subject: Your Uga.edu account Certificate expired on the 12-02-2016
Your Uga.edu account Certificate expired on the 12-02-2016, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.
To re-new your webmail Certificate, Please take a second to update your records by link below or copy and paste link
"ug-ed-uga.jimdo.com" [link removed]
Uga.edu account will work as normal after the verification process,
and your webmail Certificate will be re-newed.
Mail Service Team
Reported on 2/1/2016
We saw our fair share of you have reached the storage limit on your mailbox' phishing messages this week. Y'all know those are fake by now, right? And, yes, that includes the ones with a yellow capacity status bar.
Then, we got a really interesting phishing attempt with a bit of a spin. It was limited in the number and types of people who got it. Instead of casting a wide net, the phishers who sent this were after bigger fish.
Take a look at this beauty. It is well organized, well written and reasonably believable. In fact, it is done well enough to distract some recipients from the red flags. We had to look the message over carefully to catch them all.
The sly inclusion of Department at the end was a nice touch, too. That added a little more "officialness." Not.
The expert phish spotter who sent this our way definitely deserves a shout out. So, a big thank you, LC! is in order.
Sent: Thursday, February 04, 2016 6:15 AM
To: Same Sender
Subject: Outlook / Exchange email
Impacted Groups: 2016 Outlook/Exchange Users
Monday Feburary 1, 2016 from 07:00pm to 2:00am
If you are receiving this message, the Outlook / Exchange email servers that provide your email service will undergo scheduled maintenance tonight, Feburary 1, 2016 from 07:00pm to 2:00am
Please Click here [link removed] and log in to your Outlook client prior before 07:00 PM today to enable auto backup of all information's on your mailbox, if you do not log into the auto backup portal, you may lose the connection to your mailbox including all your information's during the maintenance.
If you find it difficult to send or receive messages from your Outlook client after the maintenance period, or tomorrow morning, please close Outlook and then log in again.
We regret this inconvenience and appreciate your patience.
PLEASE DO NOT REPLY DIRECTLY TO THIS MESSAGE.
This is a Broadcast e-mail sent on behalf of the Sender and/or Department. If you
wish to respond, please follow the contact instructions in the message ONLY.
It's obvious that UGA must sometimes perform maintenance on its systems. We try to limit the impact on campus as much as possible. And we try to let you know ahead of time that something is going on.
EITS posts its scheduled maintenance work on its Systems Status website (status.uga.edu). So, if you ever get a message like this you can check the Systems Status Page to see if something really is going on.
And - EITS is not going to ask for your email account details in an email. Nor will EITS send you a link to a from to fill out with your account details.
There is one simple way to check whether your UGAMail is blocked from sending messages.
Think about it....
See if the message sends. It's not something we do every day, but the process is the same if you send a message to a different email account or to back to yourself in your UGAMail account. Or you could send a message to a colleague and go ask if they got the email.
From: Sender Name
Date: Monday, January 25, 2016 at 11:16 AM
To: Same Sender Name
Cc: Same Sender Name
Subject: I T DESK
We temporarily locked your UGA-MAIL account from sending messages, Our system has detected an unusual virus and sign in attempt into your UGA mail box account, We recommend you to [ CLICK HERE ] [link removed] and verify your uga.edu mail account and always exit your UGA account using the Logout button in the upper right corner instead of just closing the tab of your browser. This serves as an additional security measure to prevent unauthorized access to your UGA mail account.
Thanks to the phish spotters who reported this to us and to TC who landed this beauty with ease. It's great to have so many expert anglers on our team!
Remember every day is phishing season. Even if you think you're just small fry in the big UGA pond, your username and password can make a great catch for a cyber criminal.
Don't get caught!
Reported on 1/21/2016
OK, y'all. The phishers are at it again. And it's unfortunate that at least one of us fell for this scam — especially since it's such a basic attack that plays on a lack of knowledge. Let's take care of that right now by giving you the information you need to avoid being fooled by an email like this one.
Did you know that every Outlook mailbox (which powers UGAMail) has 50 GB of storage? That imaginary account quota of 250 MB of storage is so 1990!
Did you know that you can see your mailbox quota? It's easy peasy. To do so, log into your UGAMail account, then do the following:
If you are using the Outlook desktop client, just click the File tab and the info is in your account information under Mailbox Cleanup.
As an added note, remember that you can position your cursor over an email link (don't click it!) and the link destination will appear. In the case of this phish, the CLICKHERE link pointed to page at "jimdo.com". If this had been a legitimate email from the EITS Help Desk, the link would have taken you to a page at "uga.edu."So. Keep on checking your red flags. This email has several — foremost being grammar, a threat of loss of service, a call to action and a mismatch between sender and message. And keep on avoiding being fooled. Phishers gonna phish.
Sent: Thursday, January 21, 2016 5:55 PM
To: User Name <email@example.com>
Subject: University E-mail Upgrade
You have exceeded your University E-mail account limit quota of 250MB your email will be disable in 48hrs due to several negligence of mailbox upgrade. To avoid this please CLICKHERE [link removed] and verify your UGA mailbox
This phishing attack is scary good!
We have removed the recipient’s name to protect the innocent. Dr. Name gets a big shout out for being an expert phish spotter who got this message to their departmental IT staff right away. And a thank you to DF for making sure we got a copy of this email for the Fresh Phish page.
This phishing email is well crafted and extremely difficult to spot. It uses an appeal for assistance with research as a springboard for phishing. The email gets a “they’re playing hardball” bonus for also including a fake CAS link.
What makes this phish so good?
Talk about some chutzpah! The phisher found an actual person, in a matching discipline and used actual contact info – with one tiny, almost unnoticeable change - in a forged signature. Can you spot the change?
It's this: University of Albert email addresses are @ualberta.ca; our phisher left out an ‘a’, so the email address reads @ulberta.ca instead. We almost missed it.
If you look for other red flags there isn’t much to find. The subject is a little odd and should make you pay attention to the rest of the email.Why? Because 'Re:' most frequently appears in a reply to a previous message.
The double greeting is weird, too. NAME being in all caps is quirky, but not a red flag. The grammar is pretty good – a missed word and an incorrect pronoun are the sorts of mistakes anyone can make if they are in a rush. Your phishy senses may be tingling, but you may not feel alarmed at this point.
So where is the real danger? In the first link.
Take a careful look at those links. See the fake CAS link in the first one? Can you spot the double http:// notation? Very sneaky. With the Science Direct (International Journal of Engineering Science) article link at the end, Dr. Name could potentially have clicked the link to see which article was being requested.
The link would have taken Dr. Name to a fake CAS webpage where they might have logged in without thinking and given way their credentials. The CAS is used for so many UGA services that it’s easy to be lulled into making a mistake if you are not paying attention.
Fortunately, Dr. Name was.
Date: January 2, 2016 at 8:28:29 AM EST
Dear Dr. NAME;
I recently read your last article and it was very useful in my field of research.
I wonder, if possible, to send me these articles to use in my current research:
1- http:/ /cas.uga.eduh.in/cas/LoginPage.php?http:/ /www.sciencedirect.com/science/article/pii/S0020722515000397 [link removed]
2- http:/ /www.sciencedirect.com/science/article/pii/S0020722515000427 [link removed]
Thanks for you Cooperation in Advance.
Department of Engineering
University of Alberta
Canada T6G 2R6