Educause Security Discussion mailing list archives
Re: Active Phishing Attack Against EDUs
From: "Sargent, Joe E" <Joe.Sargent () WS EDU>
Date: Wed, 20 Jun 2018 23:39:15 +0000
All,

I have had several requests for the original message so others could view the headers etc. It is attached minus the attachment.

Thank you,
Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Wednesday, June 20, 2018 7:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Active Phishing Attack Against EDUs

Joe -

Can you share content from the message that will allow us to potentially identify some key phrases to filter such messages here?

Thanks.

- ken

On 6/20/18 3:35 PM, Sargent, Joe E wrote:
Earlier today most of our employees received a phishing email that appeared to be from our president. After some research we found that we were able to view the site structure where the link directed users. We were the only school in the list at that time. As the day has progressed more and more schools have been built into the structure. Some schools were there and then were modified to other schools. So, this is very active. They even have a certificate on the site to make it more legitimate. The PDF in the email did not have any active content but did contain the link to the website.

Here are the schools we have seen so far and have not been able to contact (this appears to still be active with schools being added throughout the day)...

- Central Methodist University
- Columbia College in Missouri
- Champlain College
- Walla Walla Community College
- Waldorf University
- Middlebury College
- Texas A&M University San Antonio

Many of these schools may have already had emails go to their users... Others maybe not.

Below is the information we have gathered that may help you protect your users...

Our initial email came from... (might be different for you)

*From:* Robin Esparza [mailto:resparza () lbschools net]

The link in the document directs you to one of these for your school... (however, we have seen the links change and it is possible that this is not your school now - see notes below). Your school will be represented by an abbreviation in the root of the web site:

Mokaortmdesm.club/<yourschool>/index.php
Mokaortmdesm.club/<yourschoolhttps>/index.php

IP address of web site: 89.36.213.44

The method used to ID schools was to go to the link and input fake information and click submit. This then sent us to a link at the target school that would make a user believe the original email was real because it is policy etc. We have seen this link change for some schools and later point to another school.

So, if the link is not there now then look at the folders at the root of the web site to be sure that your school has not been moved to another folder. If you go to the top level of the website you can actually see the directory structure. To actually find out where each is pointing to you have to click the folder/file and then click download on the web site. Enter fake information and then it will take you to a linked page at the targeted school. It took us a while to figure this out.

Again, this is active and they appear to have made changes to files and links. We have seen their processes change as they create more sites.

I hope this helps you. Apologies if it turns out to be nothing but at least you can block your users from getting to the web site.

Thank you,
Joe

_____________________________________________________________
Joe Sargent
Assistant Vice President for Information and Educational Technologies (IET) and CIO
Walters State
Jack E. Campbell College Center Suite 314
500 South Davy Crockett Parkway
Morristown, TN 37813
Voice (423) 585-6836
Fax: (423) 585-2630
E-mail: joe.sargent () ws edu <mailto:joey.sargent () ws edu>

This transmission, regardless of modality, may contain confidential information and may be subject to protection under the law. If you are not the intended recipient, or an authorized agent for the intended recipient, you are hereby notified that use, such as but not limited to disclosure, copying, or distribution, is prohibited. Please destroy any and all copies immediately and notify the sender of this erroneous receipt.
--
- Ken
=================================================================
Ken Connelly
Director, Information Security
Information Security Officer
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850
f: (319) 273-7373
--- Begin Message ---
From: Robin Esparza <resparza () lbschools net>
Date: Wed, 20 Jun 2018 16:36:28 +0000

LETTER FROM THE PRESIDENT DR. TONY MIKSA

Dear Colleagues:

Due to our continued commitment to fostering an environment that is safe and secure, inclusive, and conducive to academic inquiry, student engagement and student success. Whether it’s improving safety and reliability, delivering better service for our students, or earning back their trust and confidence, all of us at this institution are working hard to ensure that our organization is on a solid foundation for the future.

This Policy applies to all employees, as it aims to provide guidance and align our behaviors as we make great decisions that impact our daily operations. we rely on our values and this code as guidelines, as a breach of the Policy may result in disciplinary action against the Employee concerned.

All employees, including all individuals on full-time or part-time employment with the Institution are required to go through the guidelines attached in this email. It is important that we all adhere to these guidelines so you will be helping to ensure a future success of this great institution

Thank you for your ongoing commitment to delivering a better and reliable service.

Sincerely
DR. TONY MIKSA
President
Walters State Community College
500 South Davy Crockett Parkway
Morristown, TN 37813-6899
phone: 423.585.2600

Attachment: Zero-Hour Auto Purge - Malware Alert Text.txt
Description: Zero-Hour Auto Purge - Malware Alert Text.txt
--- End Message ---
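As an added example that is not part of the thread: a defender-side triage script that scores a raw message against the indicators Joe describes (an external sender, the president-letter lure text, a PDF attachment, and a link into a per-school folder on the reported domain) and reports which school folder the link targets, so a mail admin can answer Ken's filtering question and see whether their own school is in the structure. The mail domains, sender address and the folder name "wscc" in the sample are constructed assumptions; only the Mokaortmdesm.club domain comes from the thread.

```python
import email, email.policy, email.utils, re

# Constructed sample modelled on the lure in the thread: external sender,
# "letter from the president" subject, PDF attachment, link into a per-school
# folder on the reported domain. Addresses and folder "wscc" are placeholders.
SAMPLE_EML = """\
From: Robin Esparza <sender@external-example.net>
Subject: LETTER FROM THE PRESIDENT DR. TONY MIKSA
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Colleagues: all employees are required to go through the guidelines
attached in this email. http://Mokaortmdesm.club/wscc/index.php
--b1
Content-Type: application/pdf; name="Policy.pdf"

(constructed placeholder for the PDF bytes)
--b1--
"""
INTERNAL_DOMAINS = {"example-college.edu"}     # assumed: your own mail domains
BLOCKED_DOMAINS = {"mokaortmdesm.club"}        # domain reported in the thread
LURE_PHRASES = ("letter from the president", "guidelines attached in this email")
URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?")
SCHOOL_FOLDER_RE = re.compile(r"^/([^/]+)/index\.php$")

def score_message(raw):
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits, folders = [], []
    for host, path in URL_RE.findall(text):   # text is already lower-cased
        if host in BLOCKED_DOMAINS:
            hits.append(host + path)
            m = SCHOOL_FOLDER_RE.match(path)
            if m:                              # which school this link targets
                folders.append(m.group(1))
    f = {"external_sender": addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS,
         "lure_phrase": any(p in text for p in LURE_PHRASES),
         "pdf_attachment": any(p.get_content_type() == "application/pdf"
                               for p in msg.walk()),
         "blocked_urls": hits, "school_folders": folders}
    # Quarantine on a known-bad link, or on the lure pattern arriving from outside.
    f["quarantine"] = f["external_sender"] and (
        bool(hits) or (f["lure_phrase"] and f["pdf_attachment"]))
    return f
```

Feed it each suspect .eml; the `school_folders` value tells you which abbreviation the link currently points at, which is what changes as the attackers move schools between folders.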