ITS staff have received numerous reports of a recent email that is attempting to steal your username and password! If you receive an email with the subject line “HEALTH SECURITY ALERT” or “HEALTH ISSUE ANNOUNCEMENT ON CAMPUS”, which looks like the screenshot below, please delete it and do not click any links within.
If you have given your personal information to a phishing attack like this, please act quickly. Change your password at mypassword.umb.edu, and notify IT Staff by emailing abuse@umb.edu for more help.
ITS staff have received numerous reports of a recent email that is attempting to steal your username and password! If you receive an email with the subject line “[your name]@umb.edu Will be close”, which looks like the screenshot below, please delete it and do not click any links within.
By Wil Khouri
Assistant Vice Provost and Information Security Officer
Information Technology Services / Communications and Infrastructure Services
Spear phishing is phishing crafted to target specific individuals or groups within an organization. The hackers behind a spear phishing email have essentially done their homework: they know who their victim will be, and they have researched how to personalize and customize the message so that it is more appealing and more likely to draw a response from the target audience.
Spear phishing emails are tailored to include information the targeted victims would think only another employee, friend, or family member could know. In this digital age, the Internet, and particularly social media, has made it easy for hackers to gather such information. For instance, a hacker needs only to visit a victim’s LinkedIn and Facebook pages or look through their web profiles to gather enough detail to craft the perfect spear phishing message. In addition, hackers craft the messages to grab one’s attention with alarming, shocking, or tempting information.
Recently, UMASS Boston students, faculty and staff received emails appearing to originate from legitimate UMASS addresses. These emails had a variety of subject lines designed to draw people in, including “Important message from UMB Faculty/Staff”, “Important Information”, “[IT Status Alert] Your Account will expire soon”, or “Your account has expired”.
One particular message targeting faculty and staff appeared to be from the address “IT News <psoft@umasscs.net>” with the subject line “[IT Status Alert] Your Account will expire soon” and presented in the following format:
Click the screenshot below to zoom in. Pay attention to the numbers (1-4) in Figure 1 as you read on.
Unfortunately, a handful of employees inadvertently provided Personally Identifiable Information (PII), including passwords, social security numbers, and bank routing and personal account numbers, to the hackers. Information Technology Services Security and Systems staff, Human Resources staff, and the Information Security staff at the UMASS president’s office acted swiftly and took the necessary steps to contain the damage. Upon further investigation, we found that the hackers used the phished PII to access bank accounts, to modify bank routing and account information so that the employees’ compensation was re-routed to untraceable prepaid access cards not attached to bank accounts, and to file fraudulent tax returns; the university later confirmed that the affected employees’ “W2” forms had been accessed online.
Refer to Figure 1 above for the following paragraph.
What made this phishing scam so effective is (1) the spoofed “From” origin, which appeared to originate from a functional UMASS president’s office email account, (2) the subject line format, which mimicked our campus “status alert” format, and (3) the use of a legitimate “IT News” template that Information Technology Services (ITS) normally uses for its “alert” communications. As is the case with many phishing scams, a sense of urgency was added to spice the message up.
That raises the question: how would one differentiate legitimate emails from phishing scams?
Fortunately, you can often tell phishing links from safe links by dissecting their construction. The most effective step you can take to avoid falling for these scams is to (4) hover the mouse over the link to reveal its Uniform Resource Locator (URL), commonly known as the web address destination. As Figure 1 shows, a link has two components. The first part is the one you see: “Sign in to proceed.” The second part, which you don’t see until you hover over the link, is the actual address that controls where the link will go. In our case, it reveals an odd URL: “http://www.jjlemaire.mu/wp-admin/images/sm-prd11.ucollaborate.net.html”. Always be wary of URLs that contain numbers, subtle spelling mistakes, odd connotations, and unfamiliar endings and domain letters (e.g. mu).
What must raise your suspicion are attempts to get you to reveal private information, such as your social security number or bank account information. Phishing attacks may ask you to download files, fill out forms or reply with information. If you cannot determine whether a message is phishing or not, try to contact the sender directly to verify its authenticity, but never use the contact details included in the suspicious message to verify its contents. If still in doubt, report it to abuse@umb.edu.
For those who proceeded to click the link, the landing page was engineered to look deceivingly similar to the “UMASS HR Direct” page, with the familiar “Secure Access Login” fields but two crucial differences. First, the URL’s valid certification was missing, and it presented as follows:
As compared to the valid and secure (5) legitimate site URL:
The most important cue and skill, if you will, is to check for the URL’s valid certification (5). Remember GREEN IS GOOD. NEVER enter any information without first checking the valid certification of the site which always displays a green secure link with a green lock icon:
The second red flag in the phishing site was the .mu top-level domain, which is the country code for the “Republic of Mauritius”. Notice that the fraudulent landing page was “www.jjlemaire.mu” and not “sm-prd11.ucollaborate.net” as it was supposed to be; the link was crafted deceivingly, with our legitimate domain name embedded within the .html file name (6). While the public has become more savvy at spotting scams, malicious actors, in desperation, are spending serious effort honing their craft, which makes spear phishing messages a challenge to recognize. However, it is really simple to beat them: be aware of the cues that raise your suspicion, and if in doubt, always ask. If you suspect you may have been phished, act quickly: change your password at mypassword.umb.edu, and notify ITS staff by emailing abuse@umb.edu.
As threats arise, our campus community will be trained to identify these types of targeted attacks. Information Security often runs simulated self-phishing campaigns for educational purposes. For those who fail the simulation, we encourage you to take the assigned exercise modules provided post-simulation or go to: http://iatraining.disa.mil/eta/phishing_v2/launchpage.htm. The above link is courtesy of the US Department of Defense. And no, it is not a phishing attempt nor a simulation, if you’re wondering. You don’t believe me? Go ahead and hover over the link. It will reveal a “.mil” domain belonging to the US military.
One last thought… As a community of higher education, our weapon is knowledge. Do take the time to learn how to distinguish what is legitimate from what is not. We do not want to feed on fear and paranoia to the point of rendering the tools we use daily useless. Let’s all learn how to defeat the scammers. It is very simple. Really very simple.
Scammers are willing to invest the time to trick you!
Phishing is a type of cyber scam designed to trick you into giving your personal information.
Today’s example was reported by a few users who could tell something smelled phishy!
In this example, there is no obvious request for money or personal info! The scammer went so far as using a real staff person’s name and title, and even referring to the correct section of the UMass Code of Conduct! That’s crafty! At first even we IT staff weren’t sure if maybe this was a real email…
How can you know when a legit looking email is a scam? Trust your gut, and verify!
★ Be suspicious of unexpected notifications
★ Call the real staff person and ask if the message is real
We got in touch with the real department referred to in the email and they told us it was not real! The scammer is weaving a story about “Academic Dishonesty” by a UMass Boston student. It’s a serious matter, but the message never makes an obvious request for money or personal info. In these “long-cons”, an email like this is the first step in building a relationship of trust between the scammer and the recipient. The scammer hopes you’ll bite and reply, and then the inevitable trap will spring!
If you are suspicious of a file, link, website, or email, you can contact the IT department to ask if it may be a scam. Forward a copy of a suspicious email to abuse@umb.edu.
Always remember…
Don’t take the bait! IT will NEVER ask you for your password. Phishing emails attempt to deceive you into giving up your private information by leading you to fraudulent websites. Learn more at: http://www.umb.edu/it/getting_services/security/phishing/
We all owe a debt of gratitude to today’s scammer for all the clues he gave, warning us we were about to be hustled! However, you can’t rely on obvious signs to protect yourself. Today’s entry was forwarded to IT staff by numerous people on campus:
The email has a link in it. IT Staff were able to investigate this link in a secure way, and saw it directed to a form requesting the user enter their email username and password. Trained IT Staff opened the web page to take the picture below; however, you should avoid clicking a link in a suspicious email because it could contain phishing attempts, malicious code, or illegal content, and could cause harm to your computer. Here is the page that these links led to:
Let’s list all the ways that this scammer showed us that they are trying to hustle us. The email text is confusing, the sender’s name doesn’t show up in our staff directory, the sender is using a non-umb.edu email address (probably a previous phishing victim), and the logo on the website is about 7 years out of date.
But what’s the number one way we can tell that this page is trying to hustle us? Let’s get a close up of that URL…Yes, the URL of this page actually has “Hustle” in the address!
All that being said, a point that this blog always tries to hammer home is “Never assume a scammer’s stupidity will adequately protect you from their malice.” (If I may adapt Hanlon’s razor…)
What this means is that while many attacks are obvious fakes, it’s not hard for a scammer to make a perfect-looking email and web page. You can’t depend on an incompetent scammer to keep yourself safe!
Today’s scammer did a poor job, but how could you be sure it’s a fake, even if the attack were a perfect forgery? Check the URL and the certificate!
To contrast, here is the URL bar for the real UMass Boston webmail login. First, you can see it says “umb.edu/”. Beyond that, we can tell the page has a security certificate from the green icon. If you click on this green icon, you get additional information about its validity.
Large communities like UMass Boston are juicy targets for cyber scammers, because time can be spent crafting a convincing con, then used on a large number of potential victims. Today’s Phishing Wall of Shame entry comes from Patty C., who trusted her gut, and protected herself.
This scammer did a pretty good job! They picked a realistic looking (though not technically real) email address and “spoofed” the From address. They also included a URL that looks legit, because it ends in “umb.edu/”, however this URL is also “spoofed”. Learn more about Email and URL Spoofing in a previous Wall of Shame entry.
IT Staff were able to investigate the spoofed URL in a secure way, and saw it directed to a form requesting the user enter their name and Library barcode. Trained IT Staff opened the file to take a picture; however, you should avoid clicking a link in a suspicious email, because it could contain phishing attempts, malicious code, or illegal content and could cause harm to your computer. Here is a peek at what this link contained:
The page that loads looks exactly like the off-campus login page for EZ-Proxy! The scammer was able to match it very closely. If you had filled in this form with your email and password, your account would be in the hands of this scammer!
A trusted name doesn’t always mean trusted content!
If you ever fall victim to a phishing attack, your email account could be compromised by scammers. If this happens, your account can be used to send attacks to your contacts. Even if you see a familiar name in the “From:” field, it’s not a surefire way to trust the message. Today’s Phishing Wall of Shame entry comes from Rose C. and Hannah L., who both were emailed by a faculty member they knew, but saw a message they didn’t trust:
Our two Security Stars knew the sender, but they knew him as a faculty member without any relation to the IT department. There was no reason to think that he should be informing them about an issue with their email.
The email has a link in it. IT Staff were able to investigate this link in a secure way, and saw it directed to a form requesting the user enter their email username and password. Trained IT Staff opened the file to take a picture; however, you should avoid clicking a link in a suspicious email, because it could contain phishing attempts, malicious code, or illegal content and could cause harm to your computer. Here is what this link contained:
Sometimes phishing attacks are obvious because the contents of the email are clearly not professional. However this is not a reliable way to catch scammers! Today’s Phishing Wall of Shame entry comes from Robyn A., who was savvy enough to sniff out this sophisticated scam. Here’s what it looked like:
This is the most sophisticated email layout we’ve seen so far on the Phishing Wall of Shame series. It’s not perfect, but you can see that it wouldn’t have taken too much more work to make it look perfect.
Never rely on the incompetence of scammers to keep yourself safe!
So how did Robyn know this was a scam? The links that the email encourages users to click don’t lead to a URL that she recognized. When you hover your mouse cursor over a link, your browser shows the URL it leads to. If you expect to see “umb.edu” and don’t, this is a warning sign!
Phishing attacks ask you for your personal information so scammers can log in to your accounts, steal your money, or even steal your Twitter account! Sometimes they ask you to reply to the email with this personal info, or to click a link leading to a form that asks for it. Today’s Phishing Wall of Shame entry comes from Professor Marilyn F., who was savvy enough to know that when a suspicious email tries to get her to download and open a file, there is something fishy going on. Here is the email:
The file attached to this email was a “.HTM” file. HTM or HTML is the markup language that webpages are made of. This could contain phishing attempts, malicious code or illegal content. IT Staff looked at the contents of the file and saw it contained a form requesting the user enter personal details. We opened the file to take a picture, however you should avoid ever downloading or opening attachments that you don’t trust, because they can cause harm to your computer. Here is what this file contained:
While most phishing attacks are laughably obvious, you can’t count on the ineptitude of scammers. Today’s example was submitted by Wendy L., who was able to see through this very realistic forgery, and inform IT Staff about this scam. Check it out below:
The first thing that makes this a more sophisticated attack than the norm is the “From” address. While this can often be a clear way to identify a scam, in this case the scammer was able to spoof a legitimate email address. Read more about Email Spoofing from Lifehacker.com. The From address is easily faked if you know how, so looking at that address is not a reliable way to sniff out a fake.
Another part of the attack is the link at the bottom of the email. Again, it looks legitimate — irs.gov is the real website for the IRS — however, the visible text is also easy to customize, while the URL it sends you to can be different. For example, click the following link to go to the UMB website: http://umb.edu/. See how the visible text said umb.edu, but when you click, it goes somewhere else entirely! To learn more about URL Spoofing, and how to protect yourself, visit the article, How to protect yourself from spoofing… Did I fool you again? The real link is http://www.chiaramailcorp.com/dont-spoofed/. Copying and pasting the URL into a new browser window is another way to avoid URL spoofing.
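As an added illustration (not code from these posts or from UMass Boston ITS), the following Python script applies the two checks described on this page to the links in an email body: whether the link’s real destination belongs to a domain you trust, and whether the visible link text claims a different address than the href, as in the irs.gov and umb.edu examples above. It also catches the trick from the HR Direct story, where a legitimate domain name is embedded in the path of an unrelated .mu site, and the “ends in umb.edu/” variant from the library entry. The trusted-domain set, the sample HTML body and the two-label domain rule are assumptions for the example; the script inspects the link only and says nothing about the site’s certificate.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a campus recipient legitimately expects to see (an assumption for this example).
TRUSTED = {"umb.edu", "ucollaborate.net"}

def registrable_domain(host):
    """Last two labels of a host: 'www.jjlemaire.mu' -> 'jjlemaire.mu' (ignores suffixes like .co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_link(text, href):
    """Return the warnings for one anchor; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain not in TRUSTED:
        warnings.append(f"destination is {domain!r} (ending .{domain.rsplit('.', 1)[-1]})")
        # A trusted name used as a subdomain, path segment or query value is the
        # 'legitimate domain embedded in the link' trick from the HR Direct example.
        rest = (host + parts.path + "?" + parts.query).lower()
        for name in TRUSTED:
            if name in rest:
                warnings.append(f"trusted name {name!r} appears inside an untrusted URL")
    # Visible text that itself looks like a URL or domain must agree with the real destination.
    m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != domain:
        warnings.append(f"link text shows {m.group(1)!r} but goes to {host!r}")
    return warnings

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html):
    """Return (text, href, warnings) for every link in the body, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, check_link(text, href)) for text, href in parser.links]

# Constructed sample body modelled on the messages in these posts (not a real email).
SAMPLE = """<p>[IT Status Alert] Your account will expire soon.</p>
<a href="http://www.jjlemaire.mu/wp-admin/images/sm-prd11.ucollaborate.net.html">Sign in to proceed.</a>
<a href="http://www.chiaramailcorp.com/dont-spoofed/">http://umb.edu/</a>
<a href="https://www.umb.edu/it/getting_services/security/phishing/">Learn more</a>"""
if __name__ == "__main__":
    for text, href, warns in audit_email(SAMPLE):
        print(f"{text!r} -> {href}: {warns or 'OK'}")
```

The first two sample links are flagged (untrusted .mu and .com destinations, an embedded ucollaborate.net name, and text that says umb.edu but points elsewhere); the third, a real umb.edu link, passes.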
So with sophisticated scammers out there, how can you stay safe? Just keep your wits about you. Keep reading this blog and you’ll develop a healthy paranoia about scam emails. Never give out your personal info just because someone asks, and don’t trust phone numbers and URLs in an email.