SCAMALOT! Part III

Posted May 10th, 2014 at 3:02 pm.

Welcome back to SCAMALOT!, the series where you can learn to be a better spam detective. In Part II, our heroes dove into two messages claiming to be from popular shipping companies and found a treasure trove of scam. This time, we explore a false message claiming to be from within our institution — those scoundrels!

Let’s take a look!

[Image: MsgList]

Well, at first glance that looks ok.  I’m accustomed to messages coming from the Help Desk, Information Services, or directly from a person, so “Bryn Mawr Support” is kind of weird.  But it says it’s important, I’d better open it up!

[Image: Important_Notice]

Wow, this has the official Bryn Mawr seal, the wordmark I see on the Web site, and the College’s real address and phone number right across the bottom.  Must be real, right?

Let’s keep looking.

The Header

So who is “Bryn Mawr Support”? We hover our mouse over the From: and… oh no!

[Image: from]

That doesn’t seem right.  It doesn’t look like the address for a support desk I’ve ever heard of, and it’s not a Bryn Mawr address or even from Haverford.

The reply address says “no-reply@brynmawr.edu”.  That’s not very friendly.  Usually I can reply to the Help Desk and ask a question…

What else?

The Format

Let’s take a closer look at the message as a whole.  This doesn’t look like a usual IS message.

Sure, maybe it’s a new format… but upon closer examination, the images are oddly sized and misaligned.  The background of the seal doesn’t match the background of the message itself.  The blue of the bar at the bottom is not one of the official Bryn Mawr blue colors.  And why use two different Bryn Mawr logos?  I didn’t think the seal was being used for communications any more.  Isn’t there a page about that?  And the wrapping in the footer is odd as well.  Certainly less professional than one might expect…

The Text

[Image: text]

When we take a careful read, this doesn’t sound very much like a message crafted for our community.  It addresses me as a “subscriber” and is signed by “Webmail Management” — who the heck is that?  I’m quite sure IS has told me that they will always sign with someone’s name.  The grammar and capitalization also have more than a few problems.  There’s no contact information either.

Let’s keep going!

The Links

Ok, so it says “Click Here” in the middle of the message.  If I click, where will I go?

[Image: clickhere]

That doesn’t look like someplace I want to go!

DO NOT TRY THIS AT HOME — in order to completely investigate, I clicked on the link on an isolated test computer.  My browser gave me this message — another sure sign of badness!  If you get this kind of message when moving around the Internet, proceed with extreme caution.

[Image: forgery]

What about all those graphics?  Where do they go?

[Image: graphics]

None of those are links at all!  Why would one add Facebook, Twitter and Email icons if they don’t go anywhere?

Hey!  There are some links down in that blue bar.  Where do those go?

[Image: footerbar]

(Huh, what’s “ISLC Home”?)

[Image: islc]

Both of these go to islc.net… which seems to be an Internet provider in South Carolina.  What does that have to do with Bryn Mawr?  Sounds sketchy to me.
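The header and link checks above can also be run by a script over the raw message. This is an added example, not part of the original post: the sample message is constructed, the sender address and the “Click Here” destination are placeholders (example.net, example.org), and treating brynmawr.edu as the only trusted domain is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"brynmawr.edu"}  # assumption: domains we expect real campus mail to use

# Constructed sample, not the real message; example.net / example.org are placeholders.
SAMPLE = """\
From: Bryn Mawr Support <sender@example.net>
Reply-To: no-reply@brynmawr.edu
Subject: Important Notice
Content-Type: text/html; charset="utf-8"

<p>Dear subscriber, <a href="http://login.example.org/webmail">Click Here</a></p>
<p><a href="http://www.islc.net/">ISLC Home</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects the real destination host of every <a href> in the body."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlparse(href).hostname or "")

def trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_message(raw):
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))  # display name vs. real address
    from_dom = addr.rpartition("@")[2]
    if not trusted(from_dom):
        findings.append(f"From '{name}' is really {addr}, outside {sorted(TRUSTED)}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_dom.lower():
        findings.append(f"Reply-To {reply} does not match the From domain {from_dom}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    findings += [f"Link goes to {h}" for h in links.hosts if not trusted(h)]
    return findings

if __name__ == "__main__":
    print(*check_message(SAMPLE), sep="\n")
```
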

Are there other ways to know?

Not enough for you?  Ok, let’s get down to brass tacks.  Since this is a message claiming to be from Bryn Mawr and is about technology, there are a few more ways you would know.  If we take a look at what our friends in LITS have said about how they format messages, there are some Bryn Mawr-specific clues, including the message being signed by an IS person and using terminology and service names that are consistent with what we use here at Bryn Mawr.

It’s also good to know that if a message is sent out about a major technology change, you will also find information about that change on http://lits.blogs.brynmawr.edu.  There’s nothing there about a change to Webmail.

The End. OR IS IT!?

This concludes today’s lesson in fake email detection. You can read more about common online scams at OnGuardOnline.gov. And stay safe!

Filed under: Email, Information Security. By Amy Pearlman.
