Fresh Phish

Overview

Welcome to the Fresh Phish section of Oakland University's Phish Tank. This page provides examples of phishing messages.

For general phishing information please visit OU's Phish Tank main page.

Fresh Phish

04/11/2024: Yearbook

In this phishing attempt, the attacker tries to solicit personal information and money by claiming that they are distributing yearbooks for Oakland University. They charge a registration fee in addition to charging you for the "yearbook."

Yearbook 1

Yearbook 2

Yearbook 3

10/11/2023: STUDENT EMPLOYMENT OPPORTUNITY

In this phishing attempt, the attacker tries to recruit students for a job. In the email, the attacker created a Google Form to have you fill out personal information. Notice that it appears to come from a legitimate organization and that the recruiter is in another country and cannot meet you. It also mentions unspecified tasks and purchases you will have to make on their behalf.

Google Form Phish 1

Google Form Phish 2

Google Form Phish 3

Google Form Phish 4

Google Form Phish 5

7/20/2023: Undelivered message error

In this phishing attempt, the attacker poses as the university and is attempting to have you click on the link inside the email.

Undelivered message error

6/23/2023: Student/staff discounts

In this phishing attempt, the attacker is posing as a head employee of a company called Nordic Sauna. The email goes on to describe the types of products they offer, places the company in the "wellness niche", and says that they can offer hundreds to thousands of dollars in discounts in order to attract victims. Keep an eye out for attempts like this: this template has been seen frequently, with only the name of the company and its niche swapped while all the wording and structure remain the same.

https://lh4.googleusercontent.com/iYX8l8nVacO_HcuwqDMzyysqw4PLdkH_lOazdKkP8-KJDaih1zIeaXurUBXYQpDyORcPNZhs3GzPK0aHwi2-Xd3CcRVlL8X86O0LE25fj5KdEFu233aLcoqOlnXBY4-3w5nu9J4JiKOwbhA_EmBaIbA

6/22/2023: Internship application

In this phishing attack, the attacker is impersonating a University professor, using a fake internship opportunity to obtain personal information from victims along with related information about their school or place of work. These aren't always easy to spot at first glance since they often impersonate legitimate staff and organizations; however, notice that this was sent from a personal Gmail account not tied to the University and suspiciously requests that information be sent back through a phone number rather than email.

https://lh4.googleusercontent.com/pA9BEIE95CrqeCNP30-Mvp_s60dF-jwiDWSJ0aYX_kOQTL5narfp-6TAX-suDns5nOefpvxNlQW89LuWAQHdU5yqSvHlTgLHNZsN9vbsAdtcOllT6b1eyxUw6BZJdJbg1DjxjPZyqmzrKkVh5OJChng

6/19/2023: Benefits Review

In this phishing attack, the attacker poses as a financial institution that tries to have the victim contact them under the guise of reviewing the benefits. You can verify this type of email's legitimacy by contacting OU's Benefits Department.

Fresh Benefits

12/13/2022: Invoice for antivirus software renewal

In these phishing attempts, an attacker is attempting to make you believe you have been charged to renew an antivirus product subscription. The emails attempt to solicit contact by providing a number to call for support and/or to cancel the transaction. The sender email addresses are personal and not affiliated with the company or reputable reseller.

Fresh MacAfee1
Fresh Symantec1

10/31/2022: Document shared with you:

In this phishing attempt, an attacker is attempting to make you believe a legitimate document has been shared with you. If you attempt to access the document, it then requests that you disclose your NetID credentials and Duo MFA information in a Google Form.

Fresh SharedWithYou1
Fresh SharedWithYou2
Fresh SharedWithYou3

10/03/2022: !mportant

In this phishing attempt, an attacker is attempting to create a sense of urgency regarding a denied PayPal claim. There is a poorly crafted initial message which does not appear to be from a legitimate company. Attached is a semi-official looking PDF document, but it lacks personalization even though the name field is supposed to be populated.

Fresh !mportant-body
Fresh !mportant-pdf

09/30/2022: VP Requesting Assistance

In this phishing attempt, an attacker is attempting to impersonate an OU VP in an effort to start a dialogue with an OU staff member. If viewed in webmail, you can see that Google marked the email as suspicious. Additionally, you can see the email is coming from a non-OU account.

Fresh Phish-Quickbooks

08/30/2022: Quickbooks

In this phishing attempt, an attacker is attempting to impersonate multiple companies, Quickbooks and Geek Squad, in an effort to get the recipient to click on a link and/or download a file. In this instance, the email was received at an OU email address despite appearing to be addressed to a Gmail address.

Fresh Phish-Quickbooks

08/02/2022: Transfer Big Files

In this phishing attempt, an attacker is impersonating an OU user and attempting to get them to click a link or download a file.

Fresh Phish

5/31/2022: Silent Librarian: Attempt to steal NetID credentials via cloned SSO page

In this latest iteration of the Silent Librarian phishing attempt, an attacker used a compromised Oakland University email account to send an illegitimate notification to a group of users.

Fresh Phish

Unlike the previous post from 3/14/2022, the link in this email redirects to a cloned SSO page that is identical to our actual SSO page. The only noticeable difference between the two is the incorrect URL. This is a fairly sophisticated phishing attack.

Fresh Phish

  • Credit to @TeamDreier on Twitter for the screenshot

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Phone number in signature belongs to a different department
    • Cloned OU SSO sign in page with incorrect URL

3/14/2022: Attempt to steal NetID credentials via imitation SSO page

An unsolicited email is received from an external sender, claiming to be the OU Help Desk, that requests the user to follow a link to re-activate an online certificate.

Fresh Phish

The link redirects to a poor imitation of OU's SSO page where the attacker is looking to steal NetID credentials that are entered.

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from an account outside OU
    • Sense of urgency
    • Hovering over the link shows this directs to a non OU site
    • Imitation OU SSO sign in page
      • Poor imitation
      • Grammatical errors
    • Request for personal information

3/7/2022: CoS impersonation attempt to steal credentials using imitation sign in page

This phishing attack is similar to the campaign we wrote about on 1/27/2022, except this message appears to come from OU's Chief of Staff.

Fresh Phish

The shared (March) Faculty Re-Scheduled Transcript.docx document contains a link to a web page that is an imitation of a Microsoft sign in page.

Fresh Phish

The attacker wants the user to enter their OU credentials into the web page so that they can steal them.

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from a personal Gmail account outside OU
    • Hovering over the link shows this directs to a non OU site
    • Imitation sign in page
      • URL does not match official Microsoft URL
      • Typo
    • Request for personal information

2/14/2022: Tutoring scam attempts to steal bank funds

The phishing attack starts with an unsolicited email requesting a tutor for the sender's child or relative. In this instance, the sender referenced and contacted an actual OU professor in order to make the request seem as legitimate as possible.

Fresh Phish

After some correspondence between the sender and the recipient, the sender attempts to act on their objective.

Fresh Phish

  • Phishing Indicators:

    • Emotionally charged
    • Obscure payment method
    • Request for personal information

Had the recipient gone along with the sender's obscure request, a fraudulent check would have been sent for funds that don't exist. When the money is then returned to the relative, it would be removed from the recipient's bank account.

Reference: https://blogs.baylor.edu/phishing/2019/06/04/tutor-over-payment-scam/

01/27/2022: Attempt to steal a user's Email Address and Password using a form

Fresh Phish

The shared Faculty Evaluation_.docx has a link to a fillable form

Fresh Phish

The form tricks the user into giving away their Email Address and Password

Fresh Phish

If you filled out this form, please contact [email protected] immediately!

01/19/2022: Users targeted to update personal information in SAIL using a non OU Account

Fresh Phish

  • Phishing Indicators:

    • Email appears to be from an OU Account but is from a personal Gmail account
    • Sense of Urgency
    • Sent simultaneously to multiple recipients (vs a mailing list or individual notifications)
    • Request for personal information
    • Hovering over the link shows this directs to a non OU site

05/11/2021: Users were targeted with a cryptocurrency scam from a compromised OU account

Fresh Phish

  • Phishing Indicators:

    • Email appears to be from an OU Account but is signed by a 3rd party
    • Sense of Urgency
    • Request for personal information

03/22/2021: We received a phishing email impersonating an OU account offering a tax refund

Fresh Phish
Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from an OU Account, it is not
    • Sense of Urgency
    • Too Good to be True

11/30/2020: We received a phishing email impersonating the VP of Finance & Administration

Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from an OU Vice President it is using a personal Google Account
    • Sense of Urgency
    • Request for non-standard contact message
    • Grammar and capitalization errors

11/24/2020: We received a phishing email from a staff member claiming that their NetID would become deactivated unless they followed a suspicious link to reset their account.

Fresh Phish

  • Phishing Indicators:

    • Although email appears to be from UTS it is from another Higher-ED institution
    • Sense of Urgency
    • URL is obfuscated and does not point to OU (netid.oakland.edu)

Phishing Examples:

Spear Phishing \ Impersonating an OU Employee

Phish Example 1

  • Phishing Indicators:

    • Although email appears to be from an OU employee, it is from a standard Google Gmail account
    • Sense of Urgency
    • Unusual financial request

General Phishing

Phish Example 2

  • Phishing Indicators:

    • Although email appears to be from an OU Department, it is from a non-OU domain (hr-adm.net)
    • Link points to a non-OU domain

General Phishing

Phish Example 3

  • Phishing Indicators:

    • Sense of Urgency
    • Although email appears to be from an OU Department, it is from a non-OU account (hr-adm.net)
    • Link and email address point to a non OU Domain