
SCAMALOT! Part VI

Welcome to a special edition of SCAMALOT! In this post, we change course from our usual mission of providing tips and tricks for recognizing phishing attacks to learn how to assess automated emails you’ll encounter in your inbox.

At times, you will receive automated messages from Bryn Mawr College or Bi-College software, like the password reset web site. These messages may be less personalized and come from an address that does not belong to an individual (e.g. help@brynmawr.edu, accounts@haverford.edu), which may make them look suspicious at first glance.

While it’s much better to be overly cautious than too trusting when navigating your inbox, it’s good to know that not every message that contains suspicious elements or lacks certain information is a phishing email. This post will examine a legitimate email that may seem dubious to some — the password expiry notification email.

After reading this post, you’ll be better equipped to approach various types of automated emails with confidence!

Password Expiry Email

accounts@haverford.edu? What is this?

Sample question: “Not only is this email coming from a Haverford address, but it’s not even coming from a real person. Who is accounts@haverford.edu?!”

[Image: Bi-Co password email header]

This is a valid question! Bryn Mawr College and Haverford manage some account access jointly. Password expiry emails are sent from Haverford to both BMC and HC folks when their passwords will expire soon.

The email includes contact info for Bi-Co community members to utilize if they have questions regarding the legitimacy of the message.

[Image: PW Expiry contact info]

Also, at the bottom of the email, you’ll notice that it is indeed signed by a HC staff member and a BMC staff member.

[Image: PW signature]

The password expiry notification email is very good about providing ways to verify its authenticity; however, not all automated emails you receive from BMC or Bi-Co software will provide this information. The most effective way to determine if any message is legitimate is to contact the sender via a known, trusted [method]. If the email is not signed by an individual sender, utilize the Faculty/Staff directory to contact someone from within the relevant department: http://www.brynmawr.edu/find/facultystaff/. The Help Desk can also help verify the legitimacy of messages.

Important to remember: just because a message says it comes from a BMC, Haverford, or other familiar domain, doesn’t mean it’s legitimate!

Why is it directing me to a Haverford URL?

Sample question: “The email is telling me to go to a Haverford website to change my password. That seems very phishy to me.”

This is another valid point. Because both colleges use the same password management software across both campuses, there is only one web site for it, currently hosted by Haverford. The email mentions this:

[Image: PW Expiry 1]

You’ll notice that if you visit the URL password.brynmawr.edu or accounts.haverford.edu, they lead to the exact same page: https://idm.haverford.edu/identity/self-service/bico/kiosk.jsf

password.brynmawr.edu and accounts.haverford.edu use what’s known as URL redirection, which allows organizations to use easy-to-remember web addresses even if the full URL later changes along with the software.

Consider the purpose (and tone) of the message

Before taking any action, always stop to analyze the purpose and tone of the message. Consider what the message is trying to convey. Is the message purely informational, or is it urging you to log in to a website or open an attachment? If the message is informational and not asking for any action or input from you, it isn’t phishing!

Phishing messages will often create a sense of urgency to convince you to take action or face consequences (e.g. “Verify your account within 24 hours or your account will be deleted!”). Notice that the password expiry notification email does not contain threatening language, but rather advises the recipient to change their password at their earliest convenience.

[Image: PW Expiry earliest convenience]

Approach any message that asks you to open an attachment or click on a link with extreme caution. Criminals can easily spoof links to look real, but take you to a fake login page where they can steal your sensitive information. Get into the habit of typing known, trusted URLs into your browser rather than clicking on links within emails. Automated emails sent from College/Bi-Co software, such as the password expiry notification, will usually advise you to type in the URL of the password reset page.

Know your role!

Be aware of College policies and processes as they pertain to your role on campus. You should expect regular emails notifying you when your Bi-Co password is scheduled to expire. If you receive an email requesting that you change your College password and you’re suspicious, contact the Help Desk.

That’s it for this edition of SCAMALOT! Learn more about how to recognize scams by completing the College’s Information Security Education Program: http://lits.blogs.brynmawr.edu/7100

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Again, you are welcome to call if you’d like help determining the legitimacy of a message.

SCAMALOT! Part V

In this edition of SCAMALOT, we’ll take a closer look at an email that raises a number of common phishing flags. Scam emails aren’t always as easy to identify as you might think; it may have been a while since you’ve been asked to wire money to a foreign prince! The most dubious attacks have a very realistic tone and come from what looks like a legitimate person or organization (or as we’ll see below, from an actual Bryn Mawr College account). This means that stopping for just a moment to analyze the details of a message is imperative to protect yourself and the College from harm.

After reading this post, you’ll be better equipped to recognize phishing attacks and hopefully be persuaded to look at your emails just a bit more scrupulously in the future.

As with previous editions of SCAMALOT, this post won’t be a list of every way to determine if an email is legitimate, but it will help raise your awareness of common phishing tactics.

Don’t automatically trust an email from a known person/organization

As we covered in SCAMALOT Part IV, just because an email appears to come from someone at a trusted organization (such as the College), that does not rule out the possibility that it is a scam. The email address could have been spoofed (forged so the message appears to come from someone other than the actual source), or the person’s account could have been compromised and is now sending phishing attacks. In this particular example, by clicking on Robin’s name in the email’s header, we see that the account sending the phishing emails is indeed a Bryn Mawr College account. The account had been compromised by a previous phishing attack.

What’s ITS?

You might also have noticed that although the message is from Robin Banks, the greeting line (if you could call it that) reads “ITS Chief Technology Officer.”

A department called “ITS” does not exist at Bryn Mawr College. Library and Information Technology Services (or LITS) certainly does! That being said, look out for phishing attacks claiming to come from LITS or LITS staff.

Also, by examining the email signature, we can see that the message is not signed by Robin or another individual. Beware of ambiguous signatures signed by a team or group. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails. This signature also contains a few other strange elements, including a copyright year and the subject line of the email (with gratuitous use of exclamation points!!! — another way scammers try to grab your attention).

Sniff Out Social Engineering Attacks

Cyber criminals are experts at creating appealing “bait” to convince folks to “bite” and provide the attackers with sensitive information. Learn to recognize the common elements of their traps:

Deadlines

“If not verified within 24 hours…”

Attackers know that when confronted with a deadline, people are more likely to take action. You may recognize this cheap tactic from TV advertisements: “Call within the next 2 minutes for free shipping!”

Consequences

“…you might not be able to receive new emails.”

“…your account will be blocked.”

Attackers know that the idea of not having access to email is a frightening thought. Phishing emails often present you with impending penalties such as being locked out of your accounts, not getting a package delivered, being fined by the IRS, etc.

Calls for Action

“Please click the link below and and verify your account.”

Note: Yes, the email does have this typo!

The attacker has instilled a sense of urgency with the deadline and consequence; now, they’ll provide a way to prevent the consequence. Don’t take the bait! It’s best practice not to log in to a service such as your email, bank, or social media accounts from links within emails. Navigate to the service from a known, trusted URL by typing it into your browser or using a bookmark. Have further questions about the validity of the message? Contact the person or organization at a known, trusted phone number. LITS can help with this, too.

You have a 50 Gigabyte mailbox

One of the most common types of phishing attacks contains the warning that you’ve exceeded your mailbox limit. This is highly unlikely. Each BMC community member has a 50 Gigabyte mailbox. A typical 80-word email is around 10 Kilobytes. This means you’d need about 5 million emails before you exceeded your mailbox’s limit. Visit LITS Tech Docs for more information on file size: http://techdocs.blogs.brynmawr.edu/5523

If you’re interested in checking your mailbox usage, follow these steps.

  1. Click on the Settings button (gear icon)
  2. In the Settings menu, click on Mail
  3. Under General, click on My Account
  4. Your mailbox usage is listed towards the bottom of the screen

Links: Hover to Discover

It’s never wise to click on links in emails received from unknown people or organizations. Even if you do know the sender, it’s best practice to closely examine links in emails before you click on them.

It’s a bit odd that the message doesn’t describe where the link leads. It says, “CLICK HERE,” but where exactly is “here”? That being said, just because an email describes where the link supposedly goes does not mean you should proceed without caution. For example, a phishing message could contain this text: “Visit the BMC Webmail login page to verify your account: webmail.brynmawr.edu”

Hovering over the CLICK HERE text in our example email reveals the following destination:

aboutus.in/admin/notice/brynmawr/brynmawr/Sign In.html

Does the link look legitimate? aboutus.in is a website registered in India. The attackers added “brynmawr” and “Sign In” to make the link appear genuine.

That’s it for this edition of SCAMALOT! Learn more about how to recognize scams by completing the College’s Information Security Education Program: http://lits.blogs.brynmawr.edu/7100

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Please feel free to call if you’d like help determining the legitimacy of a message.

SCAMALOT! Part IV

Welcome back to SCAMALOT! In this spring 2017 edition, we continue to closely examine aspects of scam emails to help you identify similar attacks in the future. There is usually more than one way to determine if a message is legitimate or not, and by taking the time to look for phishy evidence in your Inbox, you’ll help yourself and the College stay safe from Information Security threats. In today’s adventure, we look at a classic case of a phishing email, with the attacker using a variety of elements to build enough trust for unsuspecting readers to fall victim. This post won’t be a list of every way to determine if an email is legitimate, but will help raise your awareness of common phishing tactics.

First Things First

If you haven’t yet completed the College’s Information Security Education program, all BMC community members are responsible for doing so. Learn how to recognize and respond to common information security threats. For more details, including instructions on how to access and complete the program, visit the LITS blog: http://lits.blogs.brynmawr.edu/7100

Take a minute to review the email below. Do you see anything scammy?

Be Email Defenders: Don’t Trust Unknown Senders

First and foremost, let’s figure out who Robyn Banks is. Clicking on their name in the Outlook Web App will open up a profile card, showing their email address.

OK, it looks like Robyn Banks is a BMC community member. However, even if the message appears to come from an individual or organization you trust, there is always a chance the address is spoofed (forged so the message appears to come from someone other than the actual source) or their account was compromised and is now sending phishing attacks.

What’s the best way to verify if the sender is who they say they are? Pick up the phone and call the individual at a known, trusted number.

Subject Lines

Cyber criminals will attempt to lure you in with an urgent call to action or other “important” notifications in subject lines. Take a moment to ask yourself, “Who is BMC Admin, and what important information would they need to tell me?”

LITS will always contact you directly via phone or email; you’ll never have to log in to another site to access a message from us (unless it’s a voicemail!).

Accurate Logo Doesn’t Mean Good to Go!

Don’t let a familiar logo fool you into letting your guard down. Cyber criminals can easily get their hands on images like the official College wordmark, which they can obtain via an internet search or on the College’s website.

Dear User?

Scammers will send messages to a large number of people hoping a few will take their bait, and what better way to greet everyone than with a vague salutation like “Dear User”?

While a message that addresses you by name is not guaranteed to be legitimate, being addressed as “user” should be setting off your phishing detector.

The Danger Zone

Opening and reading an email is usually innocuous in and of itself. The real danger lies in the action the message asks you to take. In this case, the scammers want you to click on the button to “Sign In” and read the message from “BMC Web Admin.” In reality, clicking on this button will lead to a fake website (that may closely resemble one you’re familiar with). Logging in to this fake website will hand over your BMC credentials to the baddies.

Be cautious when clicking on any links in an email. It’s very simple for anyone to create a hyperlink that leads to somewhere different than what it seems. See for yourself; hover over this link to see the true destination: https://www.webmail.brynmawr.edu (it’s also safe to click on, but contains sound!).

Rather than clicking on links within emails to sign in to services such as your email, your bank, or even social media tools such as Facebook or LinkedIn, type the known URL into your browser.

Where does this button lead?

Hovering over the button reveals its true destination in the lower left hand corner of your browser window. The button in this message is particularly clever, with a different link depending on where your cursor is hovering:

[Image: URL 1]

If we place our cursor over the left side of the button, it links to www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/.

[Image: URL 2]

Moving the cursor to the right side reveals a link to myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/

Odd, right? Why would there be two URLs within one button? Cyber criminals will sometimes build this redundancy into their attacks in hopes that if one of the links is blocked or the fake site taken down, the other will continue to work.

Examining the URLs

Let’s take a look at the first URL again:

There’s a good chance that you’re familiar with the BMC Moodle URL, moodle.brynmawr.edu. However, what’s the deal with the front half of this one?

www-personal is the name of a server at the University of Michigan. Scam alert: It’s possible that the cyber criminals compromised an account at the U of M and were using it to host a fake website designed to look like BMC’s Moodle page. Sound downright devious? You bet!
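The link examinations in Part V (the “CLICK HERE” destination on aboutus.in) and here (the two button URLs) show the same trick: a familiar name pasted into the path of a site that is not ours. As an added example, not code from the original posts, this Python script pulls the real host out of a link and flags that pattern; the trusted-domain list and the final lookalike URL are constructed, and the host check goes one step beyond the posts by also catching a trusted name used as a subdomain of some other site.

```python
import re
from urllib.parse import urlsplit

# Domains this community expects links to land on. Constructed for the example.
TRUSTED_DOMAINS = ("brynmawr.edu", "haverford.edu")

# A path segment that looks like a hostname (two or more dots, alphabetic last label),
# e.g. "moodle.brynmawr.edu" tucked inside someone's personal web space.
HOSTLIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,6}$")


def site_of(host: str) -> str:
    """Approximate the registrable site as the host's last two labels (umich.edu, aboutus.in)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(link: str) -> dict:
    """Report where a link really leads and which of the posts' warning signs it shows."""
    url = link if "://" in link else "http://" + link   # the posts quote bare hrefs
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    site = site_of(host)
    trusted = site in TRUSTED_DOMAINS
    path = parts.path.lower()
    flags = []
    if not trusted:
        for domain in TRUSTED_DOMAINS:
            name = domain.split(".")[0]             # "brynmawr", "haverford"
            if name in host:
                flags.append(f"'{name}' is only a subdomain or lookalike; the site is {site}")
            if name in path:
                flags.append(f"'{name}' appears in the path, but the site is {site}")
    for segment in path.split("/"):
        if HOSTLIKE.match(segment):
            flags.append(f"path segment '{segment}' looks like a hostname")
    if path.startswith("/~"):
        flags.append("link points into a user's personal directory on a shared server")
    return {"host": host, "site": site, "trusted": trusted, "flags": flags}


if __name__ == "__main__":
    # The first four links are quoted from the posts; the last is a constructed lookalike.
    for link in (
        "aboutus.in/admin/notice/brynmawr/brynmawr/Sign In.html",
        "www-personal.umich.edu/~mkd/moodle.brynmawr.edu/login/",
        "myweb.nmu.edu/~chrbaker/passport.pitt.edu/idp/profile/SAML2/POST/SSO/execution/",
        "https://idm.haverford.edu/identity/self-service/bico/kiosk.jsf",
        "http://brynmawr.edu.example.com/login",
    ):
        report = inspect_link(link)
        verdict = "trusted site" if report["trusted"] else "NOT a trusted site"
        print(f"{link}\n  -> {report['site']}: {verdict}")
        for flag in report["flags"]:
            print(f"     ! {flag}")
```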

Other Things:

An email without a signature is another key indicator of a phishing message, and this email isn’t signed by anyone. All communications from LITS will be signed by a LITS staff member; we encourage all community members to also sign their emails.

Lastly, while the text at the very bottom of the email might seem to lend the message credibility and add a comforting touch, Bryn Mawr College does not have a “School Help Center.”

Contact the Help Desk with any questions (x7440, help@brynmawr.edu). Please feel free to call if you’d like help determining the legitimacy of a message.

SCAMALOT! Part III

Welcome back to SCAMALOT!, the series where you can learn to be a better spam detective. In Part II, our heroes dove into two messages claiming to be from popular shipping companies and found a treasure trove of scam. This time, we explore a false message claiming to be from within our institution — those scoundrels!

Let’s take a look!

[Image: MsgList]

Well, at first glance that looks ok.  I’m accustomed to messages coming from the Help Desk, Information Services, or directly from a person, so “Bryn Mawr Support” is kind of weird.  But it says it’s important, I’d better open it up!

[Image: Important_Notice]

Wow, this has the official Bryn Mawr seal, the wordmark I see on the Web site, and the College’s real address and phone number right across the bottom.  Must be real, right?

Let’s keep looking.

The Header

So who is “Bryn Mawr Support”? We hover our mouse over the From: and… oh no!

[Image: from]

That doesn’t seem right.  It doesn’t look like the address for a support desk I’ve ever heard of, and it’s not a Bryn Mawr address or even from Haverford.

The reply address says “no-reply@brynmawr.edu”.  That’s not very friendly.  Usually I can reply to the Help Desk and ask a question…

What else?

The Format

Let’s take a closer look at the message as a whole.  This doesn’t look like a usual IS message.

Sure, maybe it’s a new format….but upon closer examination, the images are oddly sized and misaligned.  The background of the seal doesn’t match the background of the message itself.  The blue of the bar at the bottom is not one of the official Bryn Mawr blue colors.  And why use two different Bryn Mawr logos?   I didn’t think the seal was being used for communications any more.  Isn’t there a page about that? And the wrapping in the footer is odd as well.  Certainly less professional than one might expect…

The Text

[Image: text]

When we take a careful read, this doesn’t sound very much like a message crafted for our community.  It addresses me as a “subscriber” and is signed by “Webmail Management” — who the heck is that?  I’m quite sure IS has told me that they will always sign with someone’s name.  The grammar and capitalization also have more than a few problems.  There’s no contact information either.

Let’s keep going!

The Links

Ok, so it says “Click Here” in the middle of the message.  If I click, where will I go?

[Image: clickhere]

That doesn’t look like someplace I want to go!

DO NOT TRY THIS AT HOME — in order to completely investigate, I clicked on the link on an isolated test computer.  My browser gave me this message — another sure sign of badness!  If you get this kind of message when moving around the Internet, proceed with extreme caution.

[Image: forgery]

What about all those graphics?  Where do they go?

[Image: graphics]

None of those are links at all!  Why would one add Facebook, Twitter and Email icons if they don’t go anywhere?

Hey!  There’s some links down in that blue bar.  Where do those go?

[Image: footerbar]

(Huh, what’s “ISLC Home”?)

[Image: islc]

Both of these go to islc.net….which seems to be an Internet provider in South Carolina.  What does that have to do with Bryn Mawr?  Sounds sketchy to me.

Are there other ways to know?

Not enough for you?  Ok, let’s get down to brass tacks.  Since this is a message claiming to be from Bryn Mawr and is about technology, there are a few more ways you would know.  If we take a look at what our friends in LITS have said about how they format messages, there are some Bryn Mawr specific clues, including the message being signed by an IS person and using terminology and service names that are consistent with what we use here at Bryn Mawr.

It’s also good to know that if a message is sent out about a major technology change, you will also find information about that change on http://lits.blogs.brynmawr.edu.  There’s nothing there about a change to Webmail.

The End. OR IS IT!?

This concludes today’s lesson in fake email detection. You can read more about common online scams at OnGuardOnline.gov. And stay safe!

SCAMALOT! Part II

Welcome to SCAMALOT!  In Part I, our heroes explored the anatomy of a scamtastic message claiming to be from Facebook.  In our continuing adventures, we will take a closer look at two messages which claim to be from popular shipping companies.

Example 1

Let’s start with an easy one.  In our first example, we will look at this somewhat weak attempt to impersonate a FedEx message:

What’s wrong with that, you ask? Let’s take a closer look…

  1. It has an attachment which is a .doc file (not a .pdf).  The document does not reference in its name a tracking number or other specific information.  It is possible for some files, including .doc, .zip, and .exe files, to contain viruses.
  2. It’s from a Mr. Ashley Sherlock, not from a FedEx alert address.  If I hold my mouse over Mr. Sherlock’s name, I see the address is “Mr Ashley Sherlock” <weboffinvsxxx@btinternet.com>.  Oooh! By the way…there is no To: line, meaning it was not sent directly to me.  Suspicious!
  3. The reply-to address is different and does not appear to be official either.  Holding my mouse over this address, I see it is “fast deliveryservice002” <fast_deliveryservice002@yahoo.com.hk>.
  4. The body of the email is odd — it has little information, no logo, is in all caps, and doesn’t look very professional.  It does not reference anything on FedEx’s Web site, and has no specific link for package tracking information.  It also has no specific information about the contents of the attached file.
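The four checks in the list above (risky attachment type, sender not a FedEx address, a different Reply-To, no To: line) can be run mechanically over a message’s headers. This added example, not code from the original post, does that with Python’s standard email module; the brand-to-domain table and both sample messages are constructed for illustration, and only the two addresses in the first sample are quoted from the post.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Brands the posts mention and the domains they actually send from. The domain
# list is a constructed assumption for this example, not taken from the posts.
BRAND_DOMAINS = {"fedex": ("fedex.com",), "ups": ("ups.com",), "usps": ("usps.com",)}
RISKY_EXTENSIONS = (".doc", ".zip", ".exe")        # the file types the post calls out


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def header_findings(raw: str, my_address: str) -> list:
    """Run the post's sender / Reply-To / To / attachment checks over one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # Which brand the message claims to be, judged from the display name and subject.
    claimed = f"{from_name} {msg.get('Subject', '')}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        genuine = any(from_dom == d or from_dom.endswith("." + d) for d in allowed)
        if re.search(rf"\b{brand}\b", claimed) and not genuine:
            findings.append(f"claims to be {brand.upper()} but was sent from {from_dom or 'no address'}")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"replies go to {domain_of(reply_addr)}, not to the sender's {from_dom}")

    to_line = msg.get("To")
    if to_line is None:
        findings.append("no To: line; the message was not sent to you directly")
    elif my_address.lower() not in str(to_line).lower():
        findings.append("your address is not on the To: line")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment '{name}' is a type that can carry a virus")
    return findings


# Constructed suspect message modelled on Example 1; the two addresses are from the post.
SCAM = """\
From: "Mr Ashley Sherlock" <weboffinvsxxx@btinternet.com>
Reply-To: "fast deliveryservice002" <fast_deliveryservice002@yahoo.com.hk>
Subject: FEDEX SHIPMENT NOTIFICATION
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

YOUR PARCEL COULD NOT BE DELIVERED. OPEN THE ATTACHED DOCUMENT.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Shipping Document.doc"

(constructed placeholder attachment body)
--b1--
"""

# Constructed control message with none of the warning signs (sender address is a placeholder).
GENUINE = """\
From: FedEx Tracking <no-reply@fedex.com>
To: me@brynmawr.edu
Subject: Your package 1234 5678 9012 is on its way

Tracking number 1234 5678 9012: expected delivery Tuesday.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(label, header_findings(raw, "me@brynmawr.edu") or ["no warning signs"])
```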

Ok, so that one was pretty easy.  However, these scams are so common that FedEx has set up a whole fraud prevention site containing examples of the most common scams. They would like to remind their customers that “FedEx does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords or personal information.” and offer this advice:

Common Warning Signs of Online Scams

  • Unexpected requests for money in return for delivery of a package, often with a sense of urgency.
  • Requests for personal and/or financial information.
  • Links to misspelled or slightly altered Web-site addresses (fedx.com, fed-ex.com, etc.)
  • Spelling and grammatical errors or excessive use of capitalization and exclamation points.
  • Claims that you have won a large sum of money in a lottery or settlement.
  • Certificate errors or lack of SSL for sensitive activities.

Example 2

Now let’s try something challenging!

Well, that looks pretty good.  What’s wrong?

Let’s start at the top.

Whoa!  This message is titled as if from UPS, but the address claims to be from USPS.com.  The letters might be close, but those are *not* the same. That’s one sign. Let’s see what else we can find.

That’s an awful lot of addressees, and they seem to be a random, alphabetically ordered list of Bryn Mawr addresses.  This is not directed to me, or even to me and several colleagues with similar roles.

In fact, this message is about UPS invoices for “my” account.  Wait!  Do I even have a UPS account that should be invoicing me?

Ok, let’s look at one more thing.  The text at the bottom seems pretty legit, but let’s take a look at some of the links.  I’ll hover my mouse over the link and…hey!

That’s not a UPS site.  In fact, all of the links in this email go to the same site, which is not UPS.

I guess it really is a fake.  Time to hit that spam button in the toolbar.

Well, that’s all the time we have today, kids.  Tune in next time to see more scams uncovered in….SCAMALOT!

SCAMALOT!! Part I

Welcome to SCAMALOT!  This is part I of an ongoing series of posts devoted to helping you (yes, you!) become better email scam detectives.

Scammers are clever, and some of them are pretty good at making an email look like the real thing, at least on the surface.

So how do we distinguish a fake email from a real one?

Let’s start by comparing this fake Facebook notification to a real one. Names and addresses have been censored to protect the innocent. And the guilty. And you, because you should definitely not go to whichever questionable website this scammer wanted me to visit.

Fake:

[Image: fake facebook notification]

Real:

They look pretty similar, right?

Now, we should always be careful about clicking links in emails, even if they look really legitimate. But there are a few clues that the first one is definitely a fake.

Do I even use this service?

First, let’s look at where this email went. This appeared in the spam filter for webmaster@brynmawr.edu. That email address doesn’t even have a Facebook, so that’s an easy one! FAKE! You may also get messages about banks you don’t use, packages you haven’t ordered, and suspiciously cheap Rolexes you don’t want.

But it gets a little trickier if you do have a Facebook account, or the bank in question, or you did order something online (hopefully not Rolexes that fell off the back of a truck, though).

Who sent this message?

So next, we look at the headers. A really good email scammer can make an email look like it’s coming from someone else; remember that! But this one didn’t bother. This email from “Facebook” is clearly coming from an AOL address. And it’s going to someone who isn’t me either! Probably because they emailed everyone at Bryn Mawr the same thing. BUSTED.

But just to be thorough, let’s look at the other red flags in this fake message.

Is the message suspiciously vague?

[Image: body of fake facebook message]

The body of the message is pretty incriminating, too. I’ve blanked out the name, but trust me, I don’t know this guy, so I definitely shouldn’t be getting Facebook messages about him. It’s also really generic (it’s not telling me he posted a specific photo or message), and there’s no profile photo or anything. Though this does look like Facebook’s image for users who don’t have a profile photo. TRICKY!

But if we look back at the real message, it’s much more specific: I see the name of one of my actual Facebook friends, their profile photo, and an actual comment that they would make.

[Image: real facebook message body]

Where are they trying to send me?

Another good thing to do is to see where these oh-so-clickable buttons would take us, WITHOUT CLICKING ON THEM. I can do this by hovering my mouse over the button to display the address it links to.

Sir or Madam Scams-A-Lot would like us to go to some Polish website (the .pl tells me it’s Polish) that is definitely not Facebook! Nie, dziękuję! No thank you!

If I hover over the real message’s button, it does actually appear to go to facebook.com, but if I want to be really safe, I will go to Facebook myself and check my messages there, rather than trusting any of these notification emails.

What happens if I push the (metaphorical) big red button?

But you want to know what would happen if I did click that scammer link, don’t you? Well, probably the website would make some attempt to look like Facebook in order to get you to log in with your Facebook username and password. Once you’d entered those, scammers would have control of your Facebook account, and use it to spread their scamminess to all of your friends! Yuck. The best case scenario at this point is that you have to change your Facebook password, apologize to all of your friends, frantically warn them not to click those scam links, and maybe tell them to change their passwords too. If you use your Facebook account to log into other sites, or if you’ve used your Facebook username and/or password for other sites, it gets… uglier.

The End. OR IS IT!?

That concludes today’s lesson in fake email detection. Try your new detective skills on the next notification email you get. You can read more about common online scams at the Federal Trade Commission’s online security page. And stay safe!