The Anatomy of a UMass Boston Spear Phishing Attack

By Wil Khouri
Assistant Vice Provost and Information Security Officer
Information Technology Services / Communications and Infrastructure Services

Spear phishing is phishing crafted to target specific individuals or groups within an organization. The hackers responsible for the spear phishing emails have essentially done their homework regarding who their victim will be, and researched carefully how to personalize and customize the message to make the message more appealing to increase the probability of getting a response from the target audience.

Spear phishing emails are tailored in such a way to include information targeted victims would think only another employee, friend, or family member would know. In this digital age, the Internet, and particularly social media, has made it easy for hackers to gather such pertinent information. For instance, a hacker needs only to visit a victim’s LinkedIn and Facebook pages or look through their web profiles to gather enough information to craft the perfect spear phishing message. In addition, Hackers craft the messages in such a way to grab one’s attention with alarming, shocking, or tempting information.

Recently, UMASS Boston students, faculty and staff received emails appearing to originate from UMASS legitimate addresses. These emails had a variety of subject lines designed to draw people in, including “Important message from UMB Faculty/Staff”, “Important Information”, “[IT Status Alert] Your Account will expire soon”, or “Your account has expired”.

One particular message targeting faculty and staff appeared to be from the address “IT News <psoft@umasscs.net>” with the subject line “[IT Status Alert] Your Account will expire soon” and presented in the following format:

Click the screenshot below to zoom in. Pay attention to the numbers (1-4) in Figure 1 as you read on.

Screenshot of the phishing attack, with UMass IT branding, reading "Your account will expire soon, Sign In to proceed"
Figure 1. The Makeup of the Phishing email targeting UMB employees.

Unfortunately, a handful of employees inadvertently provided Personal Identifiable Information (PII) including passwords, social security numbers, bank routing and personal account numbers, to the hackers. Information Technology Services Security and Systems staff, Human Resources staff, as well as the Information Security staff at the UMASS president’s office, acted swiftly and took the necessary steps to contain the damage. Upon further investigation, we found out that the hackers used the phished PII to access bank accounts, modify bank routing and account information to re-route the employee’s compensation to untraceable credit cards not attached to bank accounts (prepaid access cards), and used the data to file fraudulent tax returns especially when the university confirmed that their “W2” forms had been accessed Online.

Refer to Figure 1 above for the following paragraph.

What made this phishing scam so effective is (1) the spoofed “From” origin which appeared to originate from a functional UMASS president office email account, (2) the subject line format which mimicked our campus “status alert” format, and (3) the use of a legitimate “IT News” template that Information Technology Services (ITS) normally uses for its “alert” communications. As it is the case with many phishing scams, a sense of urgency was added to spice the message up.

That begs the question how would one differentiate legitimate emails from phishing scams?

Fortunately, you can often tell phishing links from safe links by dissecting their construct. The most effective step one may use so not to fall for these scams is to (4) hover the mouse over the link to reveal its Uniform Resource Locator (URL), commonly known as web address destination, and in this case, as it is shown in Figure 1, it shows two components; The first part is the one you see: “Sign in to proceed.” And then there is the second part of the link you don’t see which is revealed by hovering over. This is the actual address that controls where the link will actually go. In our case, it reveals an odd URL: “http://www.jjlemaire.mu/wp-admin/images/sm-prd11.ucollaborate.net.html”. Always be wary of URLs that contain numbers, subtle spelling mistakes, odd connotations, and unfamiliar endings and domain letters (e.g. mu).

What must raise your suspicion are attempts to get you to reveal private information, such as your social security number or bank account information. Phishing attacks may ask you to download files, fill out forms or reply with information. If you cannot determine whether a message is phishing or not, try to contact the sender directly to verify its authenticity but never use the communication means appended to the suspicious message to verify its contents. If still in doubt report it to abuse@umb.edu.

For those who proceeded to click the link, the landing page was engineered to look deceivingly similar to the “UMASS HR Direct” page with the familiar “Secure Access Login” fields with two crucial differences; First, the URL valid certification was missing and presented as follows:

As compared to the valid and secure (5) legitimate site URL:

The most important cue and skill, if you will, is to check for the URL’s valid certification (5). Remember GREEN IS GOOD. NEVER enter any information without first checking the valid certification of the site which always displays a green secure link with a green lock icon: 

The second red flag in the phishing site was the .mu top-level domain which is the code for the “Republic of Mauritius”. Notice that the fraudulent landing page was “www.jjlemaire.mu” and not “sm-
prd11.ucollaborate.net” like it was supposed to be and it was crafted deceivingly with our legitimate domain name imbedded within the .html construct (6). While the public has become more savvy at spotting scams, and in desperation, those malicious actors are spending serious effort in honing their craft making it a challenge to recognize spear phishing messages. However, it is really simple to beat them: Be aware of the cues that raise your suspicion and if in doubt always ask. If you suspect you may have been phished, do act quickly; Change your password at mypassword.umb.edu, and notify ITS staff by emailing abuse@umb.edu.

As threats arise, our campus community will be trained to identify these types of targeted attacks. Information Security often runs simulated Self-Phishing campaigns for educational purposes. For those who fail the simulation we encourage you to take the assigned exercise modules provided post-
simulation or go to: http://iatraining.disa.mil/eta/phishing_v2/launchpage.htm The above link is courtesy of the US Department of Defense. And no, it is not a Phishing attempt nor a simulation if you’re wondering. You do not believe me? Go ahead and hover over the link. It will reveal a “.mil” domain belonging to the US Military.

One last thought… As a community of higher education, our weapon is knowledge. Do take the time to learn how to scrutinize between what is legitimate and what is not. We do not want to feed on fear and paranoia to the point of rendering our tools we use daily useless. Let’s all learn how to defeat the scammers. It is very simple. Really very simple.