Fresh Phish
Overview
Welcome to the Fresh Phish section of Oakland University's Phish Tank. This page provides examples of phishing messages.
For general phishing information please visit OU's Phish Tank main page.
Fresh Phish
11/7/2024: Fake Benefits Statement Form
In this phishing attack, the attacker, using a schoolcraft.edu address, attempts to get the recipient to fill out a form that they believe will give them a statement on their OU benefits. The recipient is taken to the Google Form on the right after clicking on the "View Your Statement" link in the email on the left. Importantly, the Google Form asks for a time-based token from the Duo app.
10/09/2024: Fake Email Validation Request
In this phishing attempt, the attacker, using a non-Oakland.edu address, tries to get the recipient to click on a malicious link by making them think they need to verify their email address.
4/30/2024: Credential Harvesting
In this phishing attempt, the attacker tries to solicit usernames and passwords by tricking the target into filling out a Google form.
04/11/2024: Yearbook
In this phishing attempt, the attacker tries to solicit personal information and money by claiming that they are distributing yearbooks for Oakland University. They charge a registration fee in addition to charging you for the "yearbook".
10/11/2023: STUDENT EMPLOYMENT OPPORTUNITY
In this phishing attempt, the attacker tries to recruit students for a job. In the email, the attacker created a Google Form to have you fill out personal information. Notice that it appears to be from a legitimate organization and that the recruiter is in another country and cannot meet you. It also mentions unspecified tasks and purchases you will have to make on their behalf.
7/20/2023: Undelivered message error
In this phishing attempt, the attacker poses as the university and is attempting to have you click on the link inside the email.
6/23/2023: Student/staff discounts
In this phishing attempt, the attacker is posing as a head employee for a company called Nordic Sauna. The email goes on to describe the types of products they offer, placing the company in the "wellness niche", and says that they can offer hundreds to thousands of dollars in discounts in order to attract victims. Keep an eye out for attempts like this: this template has been seen frequently, with only the name of the company and its niche swapped while all the wording and structure remain the same.
6/22/2023: Internship application
In this phishing attack, the attacker is impersonating a University professor, using a fake internship opportunity in order to obtain personal information from the victims and related info about their school/place of work. These aren't always easy to spot at first glance since they often impersonate legitimate staff and organizations; however, notice that this was sent from a personal Gmail account not tied to the University, and it suspiciously requests that info be sent back through a phone number and not email.
6/19/2023: Benefits Review
In this phishing attack, the attacker poses as a financial institution and tries to have the victim contact them under the guise of reviewing their benefits. You can verify this type of email's legitimacy by contacting OU's Benefits Department.
12/13/2022: Invoice for antivirus software renewal
In these phishing attempts, an attacker is attempting to make you believe you have been charged to renew an antivirus product subscription. The emails attempt to solicit contact by providing a number to call for support and/or to cancel the transaction. The sender email addresses are personal and not affiliated with the company or a reputable reseller.
10/31/2022: Document shared with you:
In this phishing attempt, an attacker is attempting to make you believe a legitimate document has been shared with you. If you attempt to access the document, you are then asked to disclose your NetID credentials and Duo MFA information in a Google form.
10/03/2022: !mportant
In this phishing attempt, an attacker is attempting to create a sense of urgency regarding a denied PayPal claim. There is a poorly crafted initial message which does not appear to be from a legitimate company. Attached is a semi-official looking PDF document, but it lacks personalization even though the name field is supposed to be populated.
09/30/2022: VP Requesting Assistance
In this phishing attempt, an attacker is attempting to impersonate an OU VP in an effort to start a dialogue with an OU staff member. If viewed in webmail, you can see that Google marked the email as suspicious. Additionally, you can see the email is coming from a non-OU account.
08/30/2022: Quickbooks
In this phishing attempt, an attacker is attempting to impersonate multiple companies, Quickbooks and Geek Squad, in an effort to get the recipient to click on a link and/or download a file. In this instance, the email was received at an OU email address despite appearing to be addressed to a Gmail address.
08/02/2022: Transfer Big Files
In this phishing attempt, an attacker is impersonating an OU user and attempting to get them to click a link or download a file.
5/31/2022: Silent Librarian: Attempt to steal NetID credentials via cloned SSO page
In this latest iteration of the Silent Librarian phishing attempt, an attacker used a compromised Oakland University email account to send an illegitimate notification to a group of users.
Unlike the previous post from 3/14/2022, the link in this email redirects to a cloned SSO page that is identical to our actual SSO page. The only noticeable difference between the two is the incorrect URL. This is a fairly sophisticated phishing attack.
Credit to @TeamDreier on Twitter for the screenshot
If you filled out this form, please contact [email protected] immediately!
Phishing Indicators:
- Sense of urgency
- Hovering over the link shows this directs to a non OU site
- Phone number in signature belongs to a different department
- Cloned OU SSO sign in page with incorrect URL
3/14/2022: Attempt to steal NetID credentials via imitation SSO page
An unsolicited email is received from an external sender, claiming to be the OU Help Desk, that requests the user to follow a link to re-activate an online certificate.
The link redirects to a poor imitation of OU's SSO page where the attacker is looking to steal NetID credentials that are entered.
If you filled out this form, please contact [email protected] immediately!
Phishing Indicators:
- Email appears to be from an OU Account but is from an account outside OU
- Sense of urgency
- Hovering over the link shows this directs to a non OU site
- Imitation OU SSO sign in page
- Poor imitation
- Grammatical errors
- Request for personal information
3/7/2022: CoS impersonation attempt to steal credentials using imitation sign in page
This phishing attack is similar to the campaign we wrote about on 1/27/2022, except this message appears to come from OU's Chief of Staff.
The shared (March) Faculty Re-Scheduled Transcript.docx document contains a link to a web page that is an imitation of a Microsoft sign in page.
The attacker wants the user to enter their OU credentials into the web page so that they can steal them.
If you filled out this form, please contact [email protected] immediately!
Phishing Indicators:
- Email appears to be from an OU Account but is from a personal Gmail account outside OU
- Hovering over the link shows this directs to a non OU site
- Imitation sign in page
- URL does not match official Microsoft URL
- Typo
- Request for personal information
2/14/2022: Tutoring scam attempts to steal bank funds
The phishing attack starts with an unsolicited email requesting a tutor for the sender's child or relative. In this instance, the sender referenced and contacted an actual OU professor in order to make the request seem as legitimate as possible.
After some correspondence between the sender and the recipient, the sender attempts to act on their objective.
Phishing Indicators:
- Emotionally charged
- Obscure payment method
- Request for personal information
Had the recipient gone along with the sender's obscure request, a fraudulent check would have been sent for which the funds don't exist. So when the money is returned to the relative, it would be removed from the recipient's bank account.
Reference: https://blogs.baylor.edu/phishing/2019/06/04/tutor-over-payment-scam/
01/27/2022: Attempt to steal a user's Email Address and Password using a form
The shared Faculty Evaluation_.docx has a link to a fillable form.
The form tricks the user into giving away their Email Address and Password.
If you filled out this form, please contact [email protected] immediately!
01/19/2022: Users targeted to update personal information in SAIL using a non OU Account
Phishing Indicators:
- Email appears to be from an OU Account but is from a personal Gmail account
- Sense of Urgency
- Sent simultaneously to multiple recipients (vs. a mailing list or individual notifications)
- Request for personal information
- Hovering over the link shows this directs to a non OU site
05/11/2021: Users were targeted with a cryptocurrency scam from a compromised OU account
Phishing Indicators:
- Email appears to be from an OU Account but is signed by a 3rd party
- Sense of Urgency
- Request for personal information
03/22/2021: We received a phishing email impersonating an OU account offering a tax refund
Phishing Indicators:
- Although email appears to be from an OU Account, it is not
- Sense of Urgency
- Too Good to be True
11/30/2020: We received a phishing email impersonating the VP of Finance & Administration
Phishing Indicators:
- Although email appears to be from an OU Vice President it is using a personal Google Account
- Sense of Urgency
- Request for non-standard contact message
- Grammar and capitalization errors
11/24/2020: We received a phishing email from a staff member claiming that their NetID would become deactivated unless they followed a suspicious link to reset their account.
Phishing Indicators:
- Although email appears to be from UTS it is from another Higher-ED institution
- Sense of Urgency
- URL is obfuscated and does not point to OU (netid.oakland.edu)
Phishing Examples:
Spear Phishing / Impersonating an OU Employee
Phishing Indicators:
- Although email appears to be from an OU employee, it is from a standard Google Gmail account
- Sense of Urgency
- Unusual financial request
General Phishing
Phishing Indicators:
- Although email appears to be from an OU Department, it is from a non-OU domain (hr-adm.net)
- Link points to a non-OU domain
General Phishing
Phishing Indicators:
- Sense of Urgency
- Although email appears to be from an OU Department, it is from a non-OU account (hr-adm.net)
- Link and email address point to a non-OU domain