Malicious email roundup

There have been a lot of malicious emails lately, so I wanted to give you a quick update on what is real and what is fake.

Real
1. Email from UW Office of Research titled “Your Action is Needed! Significant Financial Interest (SFI) Annual Update Required in 14 Days.” It sounds spammy, but I have confirmed with the Office of Research that it is legit.
2. UW TAP survey- also confirmed real

Fake Fake Fake
1. “Email Account Closure” notice for Office365 users
2. “Urgent Review” with attached malware-infected PDF
3. “Update Required” phishing attempt to get tax info (says it’s from HR/Payroll)
4. “Beware of phishing emails” with details about supposed UW account maintenance and threats to suspend your account
5. “UW Notification”- name-drops both UW and Office365, again threatening to suspend your account
6. Emails claiming you bought a shockingly expensive item- phishing scam targeting your credit card or bank info
7. FedEx delivery scam with attached malware-infected PDF
8. “Meeting notification” phishing scam targeting UW NetID
9. Our old favorite, USAA bank phishing scam
10. And the weirdest one I’ve seen yet- “Notice of Unsatisfied Photo Enforcement Ticket,” supposedly from the DMV, featuring the kind of convoluted language that might appear in a real government notice.

I could go on and on, but you get the point- fake emails greatly outnumber legitimate ones. If something sounds fishy (or phishy), it’s because it is. Trust your judgment, but ask if you’re unsure.

Stay safe!

Malicious email alert

It’s been quiet since the USAA scam emails have died down, but don’t let your guard down yet! There’s a new phishing scam making its rounds.

Like a horoscope, this one is just vague enough to seem to apply to everyone. Note also the inclusion of “uw” in the sender address (uwo.ca) and in the link (web32uw.esy.es)- again, in neither case is “uw” in the right place in the address for it to be an actual UW domain.

From: Justin Alexander [mailto:jalexa48@uwo.ca] 
Sent: Tuesday, December 20, 2016 12:06 PM
To: info@ymail.com
Cc: info@ymail.com
Subject: Notice

We have noticed some unusual login attempt to your account, Kindly update
your mailbox for your security purpose, please  <http://web32uw.esy.es/>
Click Here to avoid cancellation.

Thank you for helping us protect you.

IT Helpdesk Support.

USAA bank phishing scam email

This USAA bank phishing scam email looks very official, doesn’t it? Only the link and the slight misspellings and grammatical errors give it away as a fake.

[Image: screenshot of the USAA phishing email]

What the scammers did with the link is quite clever. If you hovered your mouse over the “Validate Your Account” link, you would see “usaa.com” in there twice. However, usaa.com is not in the right place: it appears inside the address, not as the actual domain the link points to. If you clicked the link, you would be taken to the web server shown below in red, not to usaa.com. Tricky!

[Image: the link’s real destination, with the actual web server highlighted in red]

There were several variants of this email. Scammers often change the sender address, web link, or even the organization name in order to avoid detection by email filters.

Phish of the day- emails held hostage

Today’s phishing example shows off a new technique- threatening to withhold your email until you click a link and provide account information. Not only does it inspire panic, but also curiosity- aren’t you dying to know what those 2 emails are?! I am too, but not enough to get phished.

From: Bodnar, Brittanee Sue [mailto:brittanee.bodnar@wsu.edu]
Sent: Thursday, September 01, 2016 7:03 AM
To: Bodnar, Brittanee Sue
Subject: Upgrade your account

Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE to login and wait for response from Administrator, we  apologize for any inconvenience and appreciate your understanding

Malicious email alert: PO with .doc attachment

The malicious email below came with a .doc (Word format) attachment. The attachment is most likely a vehicle for installing malware onto your system.

Remember to practice good attachment hygiene- never open attachments from people you don’t know, and never open attachments on emails you weren’t expecting. When in doubt, contact the sender to ask about the attachment before opening it.

From: Ole Borgbjerg@s.uw.edu [mailto:Ole Borgbjerg@s.uw.edu]
Sent: Monday, August 29, 2016 11:18 PM
To: diyamagu@u.washington.edu
Subject: Re: PO #099282

Good Morning,

Please find attached PO #099282 duly acknowledged for your attention.

Thanks & regards,

Ole Borgbjerg
Brodersen A/S

Isn’t it ironic?

I’ve got Alanis Morissette’s song Ironic* stuck in my head today. And all because of this phishing email.

From: University of Washington [mailto:Boedkerc@duq.edu]
Sent: Tuesday, August 23, 2016 4:14 AM
To: Me
Subject: Avoid Your Email Suspension

University of Washington

ATTENTION ATTENTION ATTENTION

Verify your University of Washington Email email account

to avoid email suspension

Click Here

Thank You

Copyright c 2013 University of Washington

Where does the irony come in, you ask? Because the only way you’d have your email account suspended is if you clicked that link and got phished by them!

*Despite its misrepresentation of the concept of irony, Ironic is a very catchy song. If you don’t know it, check it out- but NOT on your work computer, please!!!

Malicious email alert- old school email scam

Who doesn’t love old school spam?! Check out this variant of the classic Nigerian email scam. Haven’t seen one of these for a loooong time.

Dear Esteemed Beneficiary in a bid to serve you with honesty we are pleased to inform you that a meeting was held as regards the best way to carry out with the compensation exercise for transparency and most especially to avoid any form of delay in transferring your funds and the high cost of procuring transfer documents, we have came to a final conclusion as all head of organizations involved was duly represented. It was agreed and approved to be issued to you as a valid international ATM card cash-able at any ATM machine designation in the world. The ATM account has already being credited with One million four hundred and ninety thousand united States dollars ($1,490,000.00), with a daily Limit withdrawal of Ten thousand United States Dollars. ($10.000, 00U USD) The ATM card has already being packaged and approved to be delivered to your doorstep via express courier delivery service.

Contact Mr. Rakitic Alves now {Our ATM Rep.} at the ATM Center Benin Republic,
email ( atmserv_department@foxmail.com  )
and reconfirm your delivery information as stated below
Beneficiary Code …………FST9154BR
full Name ……………..,
full home address……….,
your valid phone number….,

Warm Regards
Rose Onwuzuligbo
rose.onwuzuligbo@yahoo.com

Malicious email alert: UW acct phishing

Yet another phishing email. This one at least gets credit for an interesting-sounding web address- techembryo.com. You can see the web address by hovering your mouse (don’t click) over the link below that says View Details.

This one has a plausible-sounding sender address, but we can’t rely on the sender address as proof of legitimacy, because it can be easily “spoofed.” The only way to tell if an email is legit is to hover over the link and see where it really goes.

Subject: IT HelpDesk

Date: Thu, 4 Aug 2016 09:25:17 -0500

From: University of Washington <helpdesk@uw.edu>

You have one new message from Mercer IT HelpDesk regarding your mail account.

View Details

University of Washington

Malicious email alert: UW acct phishing attempt

Note that the sender appears to be UW-IT. However, the sender address is easily faked, so you cannot rely on it to determine whether an email is legit.

The link says it is www.washington.edu. Again, this is easily faked. If you hover your mouse over the link, you will see that it actually goes to www.ucm-bw.be/map/index.php, a malicious website hosted in Belgium.

Subject: UW-IT monitors

Date: Sun, 31 Jul 2016

From: University of Washington <help@uw.edu>

Dear User,

Due to security concern we have temporarily suspended your account from all incoming messages.

Kindly log in by visiting our url below and follow prompt.

http://www.washington.edu/

Thank you.

University of Washington
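The posts above keep making the same two points: the organization name appearing somewhere in a link (“uw” in web32uw.esy.es, “usaa.com” twice in the USAA link) does not mean the link goes to that organization, and the text a link displays (http://www.washington.edu/ in the email above) can differ from where it actually points, which is why hovering is the test. The example below is added here and is not code from UW-IT or from any of the posts; it does in code what hovering does by eye. It uses only Python’s standard library. The hosts come from the posts, except the USAA lookalike, which is a constructed placeholder because the original was only shown as a screenshot.

```python
# Added example: check where a link really goes, the way hovering over it does.
# Constructed for this page; not code from UW-IT or from any of the posts above.
from html.parser import HTMLParser
from urllib.parse import urlparse


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url  # bare hosts such as www.washington.edu
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, org_domains: tuple) -> bool:
    """True only if host is one of org_domains or a subdomain of one.

    The organization's name has to be the registered domain at the END of
    the host: web32uw.esy.es contains "uw" but belongs to esy.es, and a
    constructed usaa.com.validate-account.example belongs to
    validate-account.example, no matter how often "usaa.com" appears in it.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from the <a> tags of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html: str, org_domains: tuple) -> list:
    """One finding per link: the real host, whether it belongs to the
    organization the email claims to be from, and whether link text that
    itself looks like a URL points somewhere other than the real target."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = real_host(href)
        looks_like_url = "." in text and " " not in text
        findings.append({
            "text": text,
            "host": host,
            "legit": belongs_to(host, org_domains),
            # e.g. "http://www.washington.edu/" shown, www.ucm-bw.be underneath
            "text_mismatch": looks_like_url and real_host(text) != host,
        })
    return findings


# Constructed sample bodies. The hosts come from the posts above, except the
# USAA lookalike under the reserved .example domain, which is a placeholder.
UW_EMAIL = """
<p>Kindly update your mailbox, <a href="http://web32uw.esy.es/">Click Here</a></p>
<p>Kindly log in by visiting <a href="http://www.ucm-bw.be/map/index.php">http://www.washington.edu/</a></p>
<p>Questions? <a href="https://www.washington.edu/">UW home page</a></p>
"""
USAA_EMAIL = """
<a href="http://usaa.com.validate-account.example/usaa.com/login">Validate Your Account</a>
"""

if __name__ == "__main__":
    for finding in check_links(UW_EMAIL, ("uw.edu", "washington.edu")):
        print(finding)
    for finding in check_links(USAA_EMAIL, ("usaa.com",)):
        print(finding)
```

Run it and the first two UW links are reported with real hosts web32uw.esy.es and www.ucm-bw.be and `legit` false; the second also gets `text_mismatch` true, because the visible text claims washington.edu while the target is in Belgium. The USAA link contains “usaa.com” twice yet fails `belongs_to`, which is exactly the distinction the post draws between the name appearing in the address and the name being the domain.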