Educause Security Discussion mailing list archives

Re: Active Phishing Attack Against EDUs


From: "Schroeder, Christopher" <cschroeder () MTSAC EDU>
Date: Wed, 20 Jun 2018 21:40:54 +0000

Dale,

We have an SPF record that should stop what is being talked about below in the EducauseSec listserv.  Seeing the buzz, 
I'm adding the domain and IP into our drop rules for added comfort.  One of the few reasons we block something or 
someone.

Thanks,

Chris

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sargent, Joe E
Sent: Wednesday, June 20, 2018 2:09 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

We do verify.  The user did not use a ws.edu address.  It was an external address.  That was the first giveaway to 
most.

-Joe

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Lee Weers
Sent: Wednesday, June 20, 2018 5:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

The sender did not use a central.edu address in our case.

Thank you,

Lee Weers
Director of ITS Infrastructure
Central College
641-628-7675

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Simanovich, Roman
Sent: Wednesday, June 20, 2018 3:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

Do you guys verify SPF records on incoming email? It sounds like you might not based on the phishing email spoofing 
your domain name.

Thanks,
Roman

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sargent, Joe E
Sent: Wednesday, June 20, 2018 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Active Phishing Attack Against EDUs

Earlier today most of our employees received a phishing email that appeared to be from our president.  After some 
research we found that we were able to view the site structure where the link directed users.  We were the only school in the 
list at that time.  As the day has progressed more and more schools have been built into the structure.  Some schools 
were there and then were modified to other schools. So, this is very active.  They even have a certificate on the site 
to make it more legitimate.  The PDF in the email did not have any active content but did contain the link to the 
website.  Here are the schools we have seen so far and have not been able to contact (this appears to still be active 
with schools being added throughout the day)...

Central Methodist University
Columbia College in Missouri
Champlain College
Walla Walla Community College
Waldorf University
Middlebury College
Texas A&M University San Antonio

Many of these schools may have already had emails go to their users... Others maybe not.  Below is the information we 
have gathered that may help you protect your users...

Our initial email came from... (might be different for you)  From: Robin Esparza [mailto:resparza () lbschools net]

The link in the document directs you to one of these for your school... (however, we have seen the links change and it 
is possible that this is not your school now - see notes below)
Your school will be represented by an abbreviation in the root of the web site

Mokaortmdesm.club/<yourschool>/index.php
Mokaortmdesm.club/<yourschoolhttps>/index.php

IP address of web site: 89.36.213.44

The method used to ID schools was to go to the link and input fake information and click submit.  This then sent us to 
a link at the target school that would make a user believe the original email was real because it is policy etc.  We 
have seen this link change for some schools and later point to another school.  So, if the link is not there now then 
look at the folders at the root of the web site to be sure that your school has not been moved to another folder.



If you go to the top level of the website you can actually see the directory structure.  To actually find out where 
each is pointing to you have to click the folder/file and then click download on the web site.  Enter fake information 
and then it will take you to a linked page at the targeted school.  It took us a while to figure this out.  Again, this 
is active and they appear to have made changes to files and links.  We have seen their processes change as they create 
more sites.



I hope this helps you.  Apologies if it turns out to be nothing but at least you can block your users from getting to 
the web site.

Thank you,
Joe
_____________________________________________________________
Joe Sargent  Assistant Vice President for Information and Educational Technologies (IET) and CIO
Walters State  Jack E. Campbell College Center Suite 314  500 South Davy Crockett Parkway
Morristown, TN 37813  Voice (423) 585-6836  Fax: (423) 585-2630  E-mail: joe.sargent () ws edu

This transmission, regardless of modality, may contain confidential information and may be subject to protection under 
the law. If you are not the intended recipient, or an authorized agent for the intended recipient, you are hereby 
notified that use, such as but not limited to disclosure, copying, or distribution, is prohibited. Please destroy any 
and all copies immediately and notify the sender of this erroneous receipt.
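The thread turns on two controls: Roman asks whether inbound mail is checked against SPF, and Chris adds the reported domain and IP to drop rules. The script below is an added illustration of both, written for this archive and not code from any of the posters. It assumes a placeholder institution domain `example.edu`, uses constructed sample messages, and decodes the listserv's "x () y z" address obfuscation into a normal address. It also shows the caveat Joe raises: the campaign mail came from an external address that passes SPF, so the SPF check alone does not stop it; matching the sender and landing-site indicators does.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the institution's own mail domain (placeholder, not from the thread).
OUR_DOMAIN = "example.edu"

# Indicators quoted in the thread (sender decoded from the archive's obfuscated form).
IOC_DOMAINS = {"mokaortmdesm.club"}
IOC_IPS = {"89.36.213.44"}
IOC_SENDERS = {"resparza@lbschools.net"}

# Matches a dotted IPv4 literal or a dotted host name, with or without a scheme.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def extract_hosts(text):
    """Return every host name / IPv4 literal appearing in text, lowercased."""
    return {m.group(1).lower() for m in HOST_RE.finditer(text)}


def spf_result(msg):
    """Read the SPF verdict the receiving MTA recorded (pass, fail, softfail, none, ...).

    Looks at Authentication-Results first, then Received-SPF; returns 'none' if neither is present.
    """
    m = re.search(r"\bspf=([a-z]+)", msg.get("Authentication-Results", ""), re.I)
    if m:
        return m.group(1).lower()
    m = re.match(r"\s*([a-z]+)", msg.get("Received-SPF", ""), re.I)
    return m.group(1).lower() if m else "none"


def body_text(msg):
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def triage(raw_message):
    """Return ('drop' | 'deliver', [reasons]) for one RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    spf = spf_result(msg)

    # Control 1: mail claiming to be from our own domain must pass SPF.
    if from_domain == OUR_DOMAIN and spf != "pass":
        reasons.append(f"From claims {OUR_DOMAIN} but SPF result is {spf}")

    # Control 2: the reported campaign used an external sender, which SPF
    # does not reject, so match the sender and landing-site indicators too.
    if from_addr in IOC_SENDERS:
        reasons.append(f"known campaign sender {from_addr}")
    hits = extract_hosts(body_text(msg)) & (IOC_DOMAINS | IOC_IPS)
    if hits:
        reasons.append("link to reported infrastructure: " + ", ".join(sorted(hits)))

    return ("drop" if reasons else "deliver"), reasons


# Constructed sample messages; these are not captures from the incident.
CAMPAIGN_SAMPLE = """\
From: Robin Esparza <resparza@lbschools.net>
To: staff@example.edu
Subject: Message from the President
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=lbschools.net

Please review the attached policy update:
Mokaortmdesm.club/<yourschool>/index.php
"""

SPOOF_SAMPLE = """\
From: President <president@example.edu>
To: staff@example.edu
Subject: Urgent
Received-SPF: fail (example.edu: 198.51.100.7 is not a permitted sender)

Please sign in at https://example.edu/hr/policy
"""

BENIGN_SAMPLE = """\
From: President <president@example.edu>
To: staff@example.edu
Subject: Commencement
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu

Reminder: commencement is Saturday. Details at https://www.example.edu/commencement
"""

if __name__ == "__main__":
    for name, sample in (("campaign", CAMPAIGN_SAMPLE), ("spoofed", SPOOF_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, reasons = triage(sample)
        print(f"{name}: {verdict} {reasons}")
```

The campaign sample is dropped only by the indicator match, the spoofed sample only by the SPF gate, and the benign sample is delivered; in a real gateway the indicator sets would be fed from the block list Chris describes rather than hard-coded.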
