Welcome back to SCAMALOT! In this spring 2017 edition, we continue to closely examine aspects of scam emails to help you identify similar attacks in the future. There is usually more than one way to determine if a message is legitimate or not, and by taking the time to look for phishy evidence in your Inbox, you’ll help yourself and the College stay safe from Information Security threats. In today’s adventure, we look at a classic case of a phishing email, with the attacker using a variety of elements to build enough trust for unsuspecting readers to fall victim. This post won’t be a list of every way to determine if an email is legitimate, but will help raise your awareness of common phishing tactics.
First Things First
If you haven’t yet completed the College’s Information Security Education program, all BMC community members are responsible for doing so. Learn how to recognize and respond to common information security threats. For more details, including instructions on how to access and complete the program, visit the LITS blog: http://lits.blogs.brynmawr.edu/7100
Take a minute to review the email below. Do you see anything scammy?
Be Email Defenders: Don’t Trust Unknown Senders
First and foremost, let’s figure out who Robyn Banks is. Clicking on their name in the Outlook Web App will open up a profile card, showing their email address.
OK, it looks like Robyn Banks is a BMC community member. However, even if the message appears to come from an individual or organization you trust, there is always a chance the address is spoofed (forged so the message appears to come from someone other than the actual source) or their account was compromised and is now sending phishing attacks.
What’s the best way to verify if the sender is who they say they are? Pick up the phone and call the individual at a known, trusted number.
Cyber criminals will attempt to lure you in with an urgent call to action or other “important” notifications in subject lines. Take a moment to ask yourself, “Who is BMC Admin, and what important information would they need to tell me?”
LITS will always contact you directly via phone or email; you’ll never have to log in to another site to access a message from us (unless it’s a voicemail!).
Accurate Logo Doesn’t Mean Good to Go!
Don’t let a familiar logo fool you into letting your guard down. Cyber criminals can easily get their hands on images like the official College wordmark via an internet search or the College’s website.
Scammers will send messages to a large number of people hoping a few will take their bait, and what better way to greet everyone than with a vague salutation like “Dear User”?
While a message that addresses you by name is not guaranteed to be legitimate, being addressed as “user” should be setting off your phishing detector.
The Danger Zone
Opening and reading an email is usually innocuous in and of itself. The real danger lies in the action the message asks you to take. In this case, the scammers want you to click on the button to “Sign In” and read the message from “BMC Web Admin.” In reality, clicking on this button will lead to a fake website (that may closely resemble one you’re familiar with). Logging in to this fake website will hand over your BMC credentials to the baddies.
Be cautious when clicking on any links in an email. It’s very simple for anyone to create a hyperlink that leads somewhere different from where it seems to go. See for yourself; hover over this link to see the true destination: https://www.webmail.brynmawr.edu (it’s also safe to click on, but contains sound!).
Rather than clicking on links within emails to sign in to services such as your email, your bank, or even social media tools such as Facebook or LinkedIn, type the known URL into your browser yourself.
Where does this button lead?
Hovering over the button reveals its true destination in the lower left-hand corner of your browser window. The button in this message is particularly clever, with a different link depending on where your cursor is hovering:
If we place our cursor over the left side of the button, it links to www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/.
Moving the cursor to the right side reveals a link to myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/.
Odd, right? Why would there be two URLs within one button? Cyber criminals will sometimes build this redundancy into their attacks in hopes that if one of the links is blocked or the fake site taken down, the other will continue to work.
Examining the URLs
Let’s take a look at the first URL again:
There’s a good chance that you’re familiar with the BMC Moodle URL, moodle.brynmawr.edu. However, what’s the deal with the front half of this one?
www-personal is the name of a server at the University of Michigan. Scam alert: It’s possible that the cyber criminals compromised an account at the U of M and were using it to host a fake website designed to look like BMC’s Moodle page. Sound downright devious? You bet!
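As an added example (not part of the original post), the check below does what the hover trick does by hand: it pulls every link out of an HTML email body, works out the host the browser would really connect to, and flags any link where a familiar BMC or partner hostname appears only in the path, as with the two button links above. The trusted-host list and the sample email body are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sign-in hosts the community legitimately uses (assumed list for this example).
TRUSTED_HOSTS = {"moodle.brynmawr.edu", "webmail.brynmawr.edu", "passport.pitt.edu"}


class LinkCollector(HTMLParser):
    """Collects every href from the <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def _parsed(url):
    # Hover text and pasted links often omit the scheme; assume http so urlparse sees a host.
    return urlparse(url if "://" in url else "http://" + url)


def real_host(url):
    """The host the browser actually connects to, regardless of what the path contains."""
    return _parsed(url).hostname or ""


def lookalike_links(html):
    """Return (href, real_host, trusted_name) for links that merely mention a trusted host in their path."""
    findings = []
    for href in extract_links(html):
        host, path = real_host(href), _parsed(href).path
        for trusted in TRUSTED_HOSTS:
            if trusted in path and host != trusted and not host.endswith("." + trusted):
                findings.append((href, host, trusted))
    return findings


# Constructed sample body modelled on the message in the post: two "Sign In" links and one genuine one.
SAMPLE_EMAIL = """<p>Dear User,</p>
<a href="http://www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/">Sign In</a>
<a href="http://myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/">Sign In</a>
<a href="https://www.webmail.brynmawr.edu">Webmail</a>"""
```

Run `lookalike_links(SAMPLE_EMAIL)` to see the two button links reported with their real hosts (www-personal.umich.edu and myweb.nmu.edu), while the genuine webmail link is left alone.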
An email without a signature is another key indicator of a phishing message, and this email isn’t signed by anyone. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails.
Lastly, while the text at the very bottom of the email might seem to lend the message credibility and add a comforting touch, Bryn Mawr College does not have a “School Help Center.”
Contact the Help Desk with any questions (x7440, firstname.lastname@example.org). Please feel free to call if you’d like help determining the legitimacy of a message.