Educause Security Discussion mailing list archives
Re: Active Phishing Attack Against EDUs
From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Thu, 21 Jun 2018 00:22:10 +0000
We received a similar message at two of our colleges, one in April and one in May. They are very similar in tone and approach to the email you shared. The emails came from outside addresses that AFAIK had nothing to do with our colleges. In the example below, "interim" is misspelled as "interin" and there is a period after the title. The other email, also from a college president, had no misspellings or extraneous periods. Both emails contained the same message. I don't know if the links were the same.

Regards,

Steven Alexander
Director of IT Security
Kern Community College District

From: Thompson, Claire D <cthompson () lexrich5 org>
Sent: Friday, May 18, 2018 11:38 AM
Subject: FW:[ATTENTION REQUIRED] PORTERVILLE COLLEGE Revised Business Development, Implementation, and Review of Guidelines and Goals

LETTER FROM THE INTERIM PRESIDENT WILLIAM HENRY

Dear Colleagues:

I will like to remind each and every one of you that this organization holds itself to the highest ethical standards. To that end we are pleased to announce our updated Business Integrity Program. Adherence to the Program standards not only achieves compliance with applicable laws and regulations, but affords us tangible business benefits. These standards also avoids liability for our company and all of us and also protects our reputation, but that is only the first of several benefits. We must not take these benefits for granted as corporate scandals in recent years at Enron, Tyco, and other companies -including some companies in the pharmaceutical and biotechnology industries - have eroded the confidence of employees, customers, shareholders, and others. Each of us must regularly affirm our commitment to integrity by acknowledging our agreement to the standards outlined in the Business Integrity Program.

Please recognize the compliance responsibility this organization places in each and every one of us, as it will be taken seriously and any failure to act in accordance with the principles outlined herein. The Business Integrity program is attached in this email and can also be accessed HERE, It is important that all staff go through it thoroughly and adhere to these standards so you will be helping to assure the future success of this organization.

Sincerely,

William Henry
Interin President .

PORTERVILLE COLLEGE
100 E. College Avenue
Porterville, CA 93257
Phone: (559) 791-2200

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Sargent, Joe E
Sent: Wednesday, June 20, 2018 4:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

All,

I have had several requests for the original message so others could view the headers etc. It is attached minus the attachment.

Thank you,
Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Wednesday, June 20, 2018 7:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

Joe -

Can you share content from the message that will allow us to potentially identify some key phrases to filter such messages here?

Thanks.

- ken

On 6/20/18 3:35 PM, Sargent, Joe E wrote:
Earlier today most of our employees received a phishing email that appeared to be from our president. After some research we found that we were able to view the site structure where the link directed users. We were the only school in the list at that time. As the day has progressed more and more schools have been built into the structure. Some schools were there and then were modified to other schools. So, this is very active. They even have a certificate on the site to make it more legitimate. The PDF in the email did not have any active content but did contain the link to the website. Here are the schools we have seen so far and have not been able to contact (this appears to still be active with schools being added throughout the day)...
Central Methodist University
Columbia College in Missouri
Champlain College
Walla Walla Community College
Waldorf University
Middlebury College
Texas A&M University San Antonio
Many of these schools may have already had emails go to their users... Others maybe not. Below is the information we have gathered that may help you protect your users...

Our initial email came from... (might be different for you)

From: Robin Esparza [mailto:resparza () lbschools net]

The link in the document directs you to one of these for your school... (however, we have seen the links change and it is possible that this is not your school now - see notes below)

Your school will be represented by an abbreviation in the root of the web site:

Mokaortmdesm.club/<yourschool>/index.php
Mokaortmdesm.club/<yourschoolhttps>/index.php

IP address of web site: 89.36.213.44
The method used to ID schools was to go to the link and input fake information and click submit. This then sent us to a link at the target school that would make a user believe the original email was real because it is policy etc. We have seen this link change for some schools and later point to another school. So, if the link is not there now then look at the folders at the root of the web site to be sure that your school has not been moved to another folder.

If you go to the top level of the website you can actually see the directory structure. To actually find out where each is pointing to you have to click the folder/file and then click download on the web site. Enter fake information and then it will take you to a linked page at the targeted school. It took us a while to figure this out.

Again, this is active and they appear to have made changes to files and links. We have seen their processes change as they create more sites.

I hope this helps you. Apologies if it turns out to be nothing but at least you can block your users from getting to the web site.
Thank you,
Joe
_____________________________________________________________
Joe Sargent
Assistant Vice President for Information and Educational Technologies (IET) and CIO
Walters State
Jack E. Campbell College Center Suite 314
500 South Davy Crockett Parkway
Morristown, TN 37813
Voice (423) 585-6836
Fax: (423) 585-2630
E-mail: joe.sargent () ws edu
This transmission, regardless of modality, may contain confidential
information and may be subject to protection under the law. If you are
not the intended recipient, or an authorized agent for the intended
recipient, you are hereby notified that use, such as but not limited
to disclosure, copying, or distribution, is prohibited. Please destroy
any and all copies immediately and notify the sender of this erroneous
receipt.
--
- Ken

=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
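Ken asks for key phrases that would let a mail gateway filter this campaign, and Joe supplies the hosting domain, the IP address and the lure text. The routine below is an added example (not code from anyone on this thread) that turns those indicators into a simple triage check over raw RFC 822 messages: it flags links whose host is mokaortmdesm.club or 89.36.213.44, the lure wording ("Business Integrity Program", the "Interin President" misspelling, the "[ATTENTION REQUIRED]" subject tag), and president-themed mail that does not originate from the institution's own domain. The two sample messages, the example.edu institution domain and the sender addresses in them are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Indicators reported in the thread: the hosting domain and IP of the landing
# page, and wording from the lure email.
MALICIOUS_HOSTS = {"mokaortmdesm.club", "89.36.213.44"}
LURE_PHRASES = (
    "business integrity program",
    "interin president",               # the misspelling Steven points out
    "letter from the interim president",
    "attention required",              # subject tag used by the lure
)
# Constructed for the example: the institution's own mail domain. Mail that
# talks about "the president" but does not originate here is suspicious.
OWN_DOMAIN = "example.edu"

# Matches http(s) URLs and bare "host.club/path" links as pasted in the thread.
URL_RE = re.compile(r"https?://[^\s<>\"']+|\b[a-z0-9.-]+\.club/[^\s<>\"']*", re.I)


def extract_urls(text: str) -> list[str]:
    return URL_RE.findall(text)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, tolerating links without a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def sender_address(msg: Message) -> str:
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (decoded, lossy on errors)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def score_message(raw: str) -> dict:
    """Return the indicators hit and a verdict for one raw message.

    Quarantine when a known-bad host is linked, or when two or more of the
    softer indicators (lure phrases, spoofed-president pattern) coincide.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    text = (subject + "\n" + body).lower()
    hits: list[str] = []
    bad_host = False
    for url in extract_urls(body):
        if host_of(url) in MALICIOUS_HOSTS:
            bad_host = True
            hits.append(f"known-bad host in link: {url}")
    for phrase in LURE_PHRASES:
        if phrase in text:
            hits.append(f"lure phrase: {phrase!r}")
    sender = sender_address(msg)
    if "president" in text and not sender.endswith("@" + OWN_DOMAIN):
        hits.append(f"president-themed mail from external sender: {sender}")
    return {"subject": subject, "hits": hits,
            "quarantine": bad_host or len(hits) >= 2}


# Constructed sample messages (sender addresses are placeholders, not the real ones).
PHISH = """\
From: Some Forwarder <forwarder@sender-placeholder.example>
To: staff@example.edu
Subject: FW:[ATTENTION REQUIRED] Revised Business Development, Implementation, and Review of Guidelines and Goals

LETTER FROM THE INTERIM PRESIDENT

Each of us must acknowledge the standards outlined in the Business Integrity Program.
The program can be accessed HERE: http://mokaortmdesm.club/pc/index.php

William Henry
Interin President .
"""

BENIGN = """\
From: Office of the President <president@example.edu>
To: staff@example.edu
Subject: Campus update from the President

Colleagues, please review the revised travel policy at https://www.example.edu/policies/travel.
"""

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        result = score_message(sample)
        print(result["subject"], "->", "QUARANTINE" if result["quarantine"] else "deliver")
        for hit in result["hits"]:
            print("   ", hit)
```

The host check is the strong signal; on its own it is enough to quarantine, and it is also the one worth pushing to the web proxy or DNS filter so that users who already received the mail cannot reach the landing page. The phrase list is deliberately weak evidence and only counts in combination, because wording like "attention required" appears in legitimate mail too.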
Current thread:
- Active Phishing Attack Against EDUs Sargent, Joe E (Jun 20)
- Re: Active Phishing Attack Against EDUs Shawn Shirley (Jun 20)
- Re: Active Phishing Attack Against EDUs Simanovich, Roman (Jun 20)
- Re: Active Phishing Attack Against EDUs Lee Weers (Jun 20)
- Re: Active Phishing Attack Against EDUs Sargent, Joe E (Jun 20)
- Re: Active Phishing Attack Against EDUs Schroeder, Christopher (Jun 20)
- Re: Active Phishing Attack Against EDUs Lee Weers (Jun 20)
- Re: Active Phishing Attack Against EDUs Ken Connelly (Jun 20)
- Re: Active Phishing Attack Against EDUs Sargent, Joe E (Jun 20)
- Re: Active Phishing Attack Against EDUs Sargent, Joe E (Jun 20)
- Re: Active Phishing Attack Against EDUs Steven Alexander (Jun 20)
- Re: Active Phishing Attack Against EDUs Manjak, Martin (Jun 21)
- Re: Active Phishing Attack Against EDUs Sargent, Joe E (Jun 20)
- Re: Active Phishing Attack Against EDUs Manjak, Martin (Jun 22)
- <Possible follow-ups>
- Re: Active Phishing Attack Against EDUs Bridges, Robert A. (Jun 22)
- Re: Active Phishing Attack Against EDUs Scott Finlon (Jun 22)