USAA bank phishing scam email

This USAA bank phishing scam email looks very official, doesn’t it? Only the link and the slight misspellings and grammatical errors give it away as a fake.

[Image: the phishing email]

What the scammers did with the link is quite clever. If you hover your mouse over the “Validate Your Account” link, you would see “usaa.com” in there twice. However, usaa.com is not in the right place. If you clicked the link, you would be taken to the web server shown below in red, not usaa.com. Tricky!

[Image: usaa_scam, the link with its real destination shown in red]

There were several variants of this email. Scammers often change the sender address, the web link, or even the organization name in order to avoid detection by email filters.

Phish of the day: emails held hostage

Today’s phishing example shows off a new technique: threatening to withhold your email until you click a link and provide account information. Not only does it inspire panic, but also curiosity. Aren’t you dying to know what those 2 emails are?! I am too, but not enough to get phished.

From: Bodnar, Brittanee Sue [mailto:brittanee.bodnar@wsu.edu]
Sent: Thursday, September 01, 2016 7:03 AM
To: Bodnar, Brittanee Sue
Subject: Upgrade your account

Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE to login and wait for response from Administrator, we  apologize for any inconvenience and appreciate your understanding

Malicious email alert: PO with .doc attachment

The malicious email below came with a .doc (Word format) attachment. The attachment is most likely a vehicle for installing malware onto your system.

Remember to practice good attachment hygiene: never open attachments from people you don’t know, and never open attachments on emails you weren’t expecting. When in doubt, contact the sender to inquire about attachments before opening.

From: Ole Borgbjerg@s.uw.edu [mailto:Ole Borgbjerg@s.uw.edu]
Sent: Monday, August 29, 2016 11:18 PM
To: diyamagu@u.washington.edu
Subject: Re: PO #099282

Good Morning,

Please find attached PO #099282 duly acknowledged for your attention.

Thanks & regards,

Ole Borgbjerg
Brodersen A/S

Isn’t it ironic?

I’ve got Alanis Morissette’s song Ironic* stuck in my head today. And all because of this phishing email.

From: University of Washington [mailto:Boedkerc@duq.edu]
Sent: Tuesday, August 23, 2016 4:14 AM
To: Me
Subject: Avoid Your Email Suspension

University of Washington

ATTENTION ATTENTION ATTENTION

Verify your University of Washington Email email account

to avoid email suspension

Click Here

Thank You

Copyright c 2013 University of Washington

Where does the irony come in, you ask? Because the only way you’d have your email account suspended is if you clicked that link and got phished by them!

*Despite its misrepresentation of the concept of irony, Ironic is a very catchy song. If you don’t know it, check it out, but NOT on your work computers please!!!

Malicious email alert: old school email scam

Who doesn’t love old school spam?! Check out this variant of the classic Nigerian email scam. Haven’t seen one of these for a loooong time.

Dear Esteemed Beneficiary in a bid to serve you with honesty we are pleased to inform you that a meeting was held as regards the best way to carry out with the compensation exercise for transparency and most especially to avoid any form of delay in transferring your funds and the high cost of procuring transfer documents, we have came to a final conclusion as all head of organizations involved was duly represented. It was agreed and approved to be issued to you as a valid international ATM card cash-able at any ATM machine designation in the world. The ATM account has already being credited with One million four hundred and ninety thousand united States dollars ($1,490,000.00), with a daily Limit withdrawal of Ten thousand United States Dollars. ($10.000, 00U USD) The ATM card has already being packaged and approved to be delivered to your doorstep via express courier delivery service.

Contact Mr. Rakitic Alves now {Our ATM Rep.} at the ATM Center Benin Republic,
email ( atmserv_department@foxmail.com  )
and reconfirm your delivery information as stated below
Beneficiary Code …………FST9154BR
full Name ……………..,
full home address……….,
your valid phone number….,

Warm Regards
Rose Onwuzuligbo
rose.onwuzuligbo@yahoo.com

Malicious email alert: UW acct phishing

Yet another phishing email. This one gets credit for having an interesting-sounding web address, in any case: techembryo.com. You can see the web address by hovering your mouse (don’t click) over the link below that says View Details.

This one has a plausible-sounding sender address, but we can’t rely on the sender address for proof of legitimacy because a sender address can be easily “spoofed.” The only way to tell if an email is legit is to hover over the link and see where it really goes.

Subject: IT HelpDesk

Date: Thu, 4 Aug 2016 09:25:17 -0500

From: University of Washington <helpdesk@uw.edu>

You have one new message from Mercer IT HelpDesk regarding your mail account.

View Details

University of Washington

Malicious email alert: UW acct phishing attempt

Note that the sender appears to be UW IT. However, the sender address is easily faked, so you cannot rely on it to determine whether an email is legit or not.

The link says it is www.washington.edu. Again, this is easily faked. If you hover your mouse over the link, you will see that it is actually going to: www.ucm-bw.be/map/index.php, which is a malicious website hosted in Belgium.

Subject: UW-IT monitors

Date: Sun, 31 Jul 2016

From: University of Washington <help@uw.edu>

Dear User,

Due to security concern we have temporarily suspended your account from all incoming messages.

Kindly log in by visiting our url below and follow prompt.

http://www.washington.edu/

Thank you.

University of Washington

Malicious email alert: UW acct phishing email

Another phishing email targeting UW email accounts.

It initially appears to contain a link called “Click on show images to read secured message” (see image 1 below). In some email applications, clicking the link will take you directly to a malicious website. In other applications, it will turn into an image (see image 2 below), which is itself a link. If you then click anywhere on the image, it will go to a malicious website.

[Image 1: phish1]

[Image 2: phish2]

Another thing that is notable about this email is that the link includes washington.edu and uw.edu. However, it does not go to a washington.edu or uw.edu website.

Let’s break this web address down into its components: domain, directory, and webpage.

[Image: the web address broken down into domain, directory, and webpage]

Of the 3 components, the one you need to check is the domain. In this example, we can see it is NOT a washington.edu or uw.edu domain and is therefore not a legitimate UW website.

The directory and webpage components do contain washington.edu and uw.edu, but this does not matter. These components can be named anything.
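
The domain check described above, which also catches the USAA link with “usaa.com” in the wrong place and the link whose text shows www.washington.edu, written out as an added example (not code from the original posts). It accepts a link only when its host is a trusted domain or a subdomain of one; the `TRUSTED_DOMAINS` list, the function names and the sample links on reserved `.example` hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the organisation actually owns.
TRUSTED_DOMAINS = ("washington.edu", "uw.edu")

def host_of(url):
    """Return the lowercased host a web link really goes to ('' if none)."""
    parts = urlsplit(url.strip())
    if not parts.netloc:                  # hover text often omits "http://"
        parts = urlsplit("//" + url.strip())
    return (parts.hostname or "").rstrip(".").lower()

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_link(href, shown_text="", trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one link; an empty list means it passed."""
    host = host_of(href)
    if is_trusted_host(host, trusted):
        return []
    findings = [f"destination host {host!r} is not a trusted domain"]
    # A trusted name used as decoration: subdomain label, directory or page.
    for d in trusted:
        if d in href.lower():
            findings.append(f"{d!r} appears in the link but is not its domain")
    # The visible text names a trusted site while the link goes elsewhere.
    shown_host = host_of(shown_text) if "." in shown_text else ""
    if shown_host and is_trusted_host(shown_host, trusted):
        findings.append(f"link text shows {shown_host!r} but goes to {host!r}")
    return findings

# Constructed sample links (reserved .example hosts), one per trick above.
SAMPLES = [
    ("https://www.washington.edu/itconnect/", "", TRUSTED_DOMAINS),
    ("http://phish.example/washington.edu/uw.edu/login.html", "", TRUSTED_DOMAINS),
    ("http://www.phish.example/map/index.php", "http://www.washington.edu/", TRUSTED_DOMAINS),
    ("http://usaa.com.account-check.example/usaa.com/validate", "", ("usaa.com",)),
]

if __name__ == "__main__":
    for href, text, trusted in SAMPLES:
        print(href, "->", check_link(href, text, trusted) or "ok")
```

The comparison is on the end of the host name, so a trusted name placed at the front of the host (as in the USAA sample) or in the path never counts.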

 

Malicious email alert: more UW email phishing attempts

Another pair of phishing emails targeted at UW email:

From: Linscott, Brian
Sent: Wednesday, June 8, 2016 8:21 AM
Subject: Helpdesk Update

Your e-mail account was LOGIN today by Unknown IP address Unknown IP 232.22.88 233,click on the Administrator link below to validate your e-mail account or your account will be temporary block for sending more messages.

Click Link To Validate Your Account

Sincerely,

IT Department

From: University of Washington <taboao@cloud32.hdrserver.com.br>
Subject: Problem with your email account
Date: June 6, 2016 12:25:53 PM PDT

Dear User,

Member Services identified a problem with your email account. To correct this issue, please click here to resolve.

Regards,

© 2016 University of Washington | Seattle, WA