Fresh Phish

Fresh Phish

Overview

Welcome to the Fresh Phish section of Oakland University's Phish Tank. This page provides examples of phishing messages.

For general phishing information please visit OU's Phish Tank main page.

Fresh Phish

12/13/2022: Invoice for antivirus software renewal

In these phishing attempts, an attacker is attempting to make you believe you have been charged to renew an antivirus product subscription. The emails attempt to solicit contact by providing a number to call for support and/or to cancel the transaction. The sender email addresses are personal and not affiliated with the company or reputable reseller.

Fresh MacAfee1
Fresh Symantec1

10/31/2022: Document shared with you:

In this phishing attempt, an attacker is attempting to make you believe a legitimate document has been shared with you. If you attempt to access the document it then requests you to disclose you NetID credentials and Duo MFA information in a Google form.

Fresh SharedWithYou1
Fresh SharedWithYou2
Fresh SharedWithYou3

10/03/2022: !mportant

In this phishing attempt, an attacker is attempting to create a sense of urgency regarding a denied PayPal claim. There is a poorly crafted initial message which does not appear to be from a legitimate company. Attached is a semi-official looking PDF document back lacks personalization even though the name field is supposed to be populated.

Fresh !mportant-body
Fresh !mportant-pdf

09/30/2022: VP Requesting Assistance

In this phishing attempt, an attacker is attempting to impersonate an OU VP in an effort to start a dialogue with OU Staff member. If viewed in webmail you can see that Google marked the email as suspicious. Additionally you can see the email is coming from a non-OU account.

Fresh Phish-Quickbooks

08/30/2022: Quickbooks

In this phishing attempt, an attacker is attempting to impersonate multiple companies, Quickbooks and Geek Squad in an effort to get the recipient to click on a link and/or download a file. In this instance the email was received at an OU email address despite the email appearing to be addressed to a Gmail address.

Fresh Phish-Quickbooks

08/02/2022: Transfer Big Files

In this phishing attempt, an attacker is impersonating an OU user and attempting to get them click a link \ download a file.

Fresh Phish

5/31/2022: Silent Librarian: Attempt to steal NetID credentials via cloned SSO page

In this latest iteration of the Silent Librarian phishing attempt, an attacker used a compromised Oakland University email account to send an illegitimate notification to a group of users.

Fresh Phish

Unlike the previous post from 3/14/2022, the link in this email redirects to a cloned SSO page that is identical to our actual SSO page. The only noticeable difference between the two is the incorrect URL. This is a fairly sophisticated phishing attack.

Fresh Phish

  • Credit to @TeamDreier on Twitter for the screenshot

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Phone number in signature belongs to a different department
    • Cloned OU SSO sign in page with incorrect URL

3/14/2022: Attempt to steal NetID credentials via imitation SSO page

An unsolicited email is received from an external sender, claiming to be the OU Help Desk, that requests the user to follow a link to re-activate an online certificate.

Fresh Phish

The link redirects to a poor imitation of OU's SSO page where the attacker is looking to steal NetID credentials that are entered.

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from an account outside OU
    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Imitation OU SSO sign in page
      • Poor imitation
      • Grammatical errors
    • Request for personal information

3/7/2022: CoS impersonation attempt to steal credentials using imitation sign in page

This phishing attack is similar to the campaign we wrote about on 1/27/2022, except this message appears to come from OU's Chief of Staff.

Fresh Phish

The shared (March) Faculty Re-Scheduled Transcript.docx document contains a link to a web page that is an imitation of a Microsoft sign in page.

Fresh Phish

The attacker wants the user to enter their OU credentials into the web page so that they can steal them.

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from a personal Gmail account outside OU
    • Hovering over the link shows this directs to a non OU site
    • Imitation sign in page
      • URL does not match official Microsoft URL
      • Typo
    • Request for personal information

2/14/2022: Tutoring scam attempts to steal bank funds

The phishing attack starts with an unsolicited email requesting a tutor for the sender's child or relative. In this instance, the sender referenced and contacted an actual OU professor in order to make the request seem as legitimate as possible.

Fresh Phish

After some correspondence between the sender and the recipient, the sender attempts to act on their objective.

Fresh Phish

  • Phishing Indicators:

    • Emotionally charged
    • Obscure payment method
    • Request for personal information

Should the recipient have went along with the sender's obscure request, a fraudulent check would be sent in which the funds don't exist. So when the money is returned to the relative, it would be removed from the recipient's bank account.

Reference: https://blogs.baylor.edu/phishing/2019/06/04/tutor-over-payment-scam/

01/27/2022: Attempt to steal a user's Email Address and Password using a form

Fresh Phish

The shared Faculty Evaluation_.docx has a link to a fillable form

Fresh Phish

The form tricks the user into giving away their Email Address and Password

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

01/19/2022: Users targeted to update personal information in SAIL using a non OU Account

Fresh Phish

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from a personal Gmail account
    • Sense of Urgency
    • Simultaneously to multiple recipients (vs a mailing list or individual notifications)
    • Request for personal information
    • Hovering over the link shows this directs to a non OU site

05/11/2021: Users were targeted with a cryptocurrency scam from a compromised OU account

Fresh Phish

  • Phishing Indicators:

    • Email appears to be from an OU Account but is signed by a 3rd party
    • Sense of Urgency
    • Request for personal information

03/22/2021: We received a phishing impersonating an OU account offering a tax refund

Fresh Phish
Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from an OU Accountit is not
    • Sense of Urgency
    • Too Good to be True

11/30/2020: We received a phishing email impersonating the VP of Finance & Administration

Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from an OU Vice President it is using a personal Google Account
    • Sense of Urgency
    • Request for non-standard contact message
    • Grammar and capitalization errors

11/24/2020: We received a phishing email from a staff member claiming that their NetID would become deactivated unless they followed a suspicious link to reset their account.

Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from UTS it is from another Higher-ED institution
    • Sense of Urgency
    • URL is obfuscated and does not point to OU (netid.oakland.edu)

Phishing Examples:

Spear Phishing \ Impersonating an OU Employee

Phish Example 1

  • Phishing Indicators:

    • Although email appears to be from an OU employee it is from a standard Google gmail account
    • Sense of Urgency
    • Unusual financial request

General Phishing

Phish Example 2

  • Phishing Indicators:

    • Although email appears to be from an OU Department it is from a non OU domain hr-adm.net
    • Link points to a non-OU domain

General Phishing

Phish Example 3

  • Phishing Indicators:

    • Sense of Urgency
    • Although email appears to be from an OU Department it is from a non OU account hr-adm.net
    • Link and email address point to a non OU Domain