Phish Tank

Phishing and scam emails

Phishing or scam emails are malicious communication attempts to obtain fraudulent payment, or obtain personal and sensitive information. These emails are usually easy to spot; they are typically poorly worded, ask for a username and password, or provide a link that does not lead to an official website address ending in mq.edu.au. They are almost always urgent or threaten a negative impact if action is not taken.
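The domain checks described above ("From" address and link destination ending in mq.edu.au) can be automated at triage. The following is an added example, not MQ IT's own tooling; the function names and the sample message are constructed for illustration, and it assumes a plain-text message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "mq.edu.au"  # official suffix named on this page

def is_official_host(host, official=OFFICIAL):
    """True only for the official domain itself or a true subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Require a dot boundary so "evilmq.edu.au" does not pass a suffix test.
    return host == official or host.endswith("." + official)

def audit_email(raw):
    """Return (kind, value) findings for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    # Compare the real address, not the display name the recipient sees.
    _, addr = parseaddr(msg.get("From", ""))
    if not is_official_host(addr.rpartition("@")[2]):
        findings.append(("external-sender", addr))
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        # urlsplit().hostname drops any "user@" prefix and the port, so
        # "https://mq.edu.au@portal.example/" resolves to portal.example.
        host = urlsplit(url).hostname
        if not is_official_host(host):
            findings.append(("non-official-link", host))
    return findings

# Constructed sample message (not a real campaign email).
SAMPLE = """\
From: "Head Of Department" <head.of.department@gmail.com>
To: staff@mq.edu.au
Subject: Urgent request

Are you available? Confirm your account here:
https://mq.edu.au.account-check.example/login
https://mq.edu.au@portal.example/reset
Official help: https://students.mq.edu.au/support
"""

if __name__ == "__main__":
    for kind, value in audit_email(SAMPLE):
        print(kind, value)
```

A message with no findings is not cleared by this check: the Box and Office 365 campaigns listed below were sent from compromised legitimate accounts and linked through genuine file-sharing services.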

When criminals get access to valid usernames and passwords they may obtain access to confidential University information or even damage University systems.

When you receive a suspicious email:

  • Immediately forward the email to help@mq.edu.au.
  • Do not click on any links or attachments, or respond to the email.
  • Validate all requests for money transfer, vouchers or updates to bank details with an alternate contact method.
  • Do not provide your OneID login details. Never share your password.
  • If you have provided your login details, reset your password at the staff password portal and let the IT Service Desk know.

Recent phishing and scam email campaigns

 

May 2019 - Box Document Sharing

Description: This is a relatively unsophisticated email requesting that a user collect a document sent through Box.

How to spot it: This can be difficult to spot as the email can be sent from someone familiar who has had their mailbox compromised. The link does point to a Box file, but then links to a website that is malicious. This website then asks for the user credentials.

Action: Do not open the attachment or enter your username and password in a linked website. Report the email to the IT Service desk by sending the email as an attachment.

Volume: MQ IT has identified approximately 14 occurrences of this email in May 2019.

Example:

Malicious website example:

March 2019 - MS SharePoint Document Sharing

Description: This is a relatively unsophisticated email requesting that a user collect a document sent through SharePoint.

How to spot it: The email has some errors included and actually contains an attachment with a link in it.

Action: Do not open the attachment or enter your username and password. Report the email to the IT Service desk by sending the email as an attachment.

Volume: MQ IT has identified approximately 20 occurrences of this email in March 2019.

Example:

March 2019 - Fake Microsoft Account Verification

Description: This is a relatively unsophisticated email requesting that a user check their Microsoft account credentials.

How to spot it: The email is poorly worded and the link does not point to a microsoft.com domain.

Action: Do not click on the link or enter your credentials. Report the email to the IT Service desk by sending the email as an attachment.

Volume: MQ IT has identified approximately 15 occurrences of this email in March 2019.

Example:

February 2019 - Shared Payment/Quotation File

Description: This is a relatively sophisticated phishing attack that uses a staff member's or other University's Office 365 account to imitate legitimate file sharing.

How to spot it: There is no explanation or forewarning for the shared file. The PDF filename is a single word with no other descriptive features.

Response: When identified, a compromised account will be reset and the recipients of the email notified.

Action: Do not open the linked file. Report the email to the IT Service desk by sending the email as an attachment.

Volume: MQ IT has identified approximately 2000 occurrences of this email in February 2019.

Example:

December 2018 - Property destruction threat scam

Description: This is a low-effort blackmail style scam threatening the recipient with property destruction. The victim can avoid the threat to property by paying an amount to a bitcoin address, in this case $1200.

How to spot it: Poorly worded and difficult to understand. Offers to provide details of the person that has requested the destruction.

Response: Most of these emails are blocked at the email gateway. We have placed a block on the email address. The email has also been reported to our anti-spam service.

Action: Do not respond to the email. Report the email to the IT Service desk by sending the email as an attachment.

Volume: MQ IT has received approximately 200 occurrences of this email in December 2018.

Example:


December 2018 - CEO payment request

Description: This is a popular phishing technique commonly referred to as "CEO fraud". The scammers attempt to garner authority for payment by impersonating a CEO or the University Vice Chancellor in this case.

How to spot it: The email "From" address is not a Macquarie email address. This is a poorly worded and formatted email.

Response: Most of these emails are blocked at the email gateway. We have placed a block on the email address. The email has also been reported to our anti-spam service.

Action: Do not respond to the email. Report the email to the IT Service desk by sending the email as an attachment. Always verify any payment requests or changes of payment details through a trusted alternate communication channel (e.g., a long-standing phone number).

Volume: MQ IT has received under 100 occurrences of this email in December 2018.

Example:

December 2018 - Library account suspended, please provide username and password

Description: This phishing campaign is perpetrated by groups attempting to obtain University accounts to access the subscription to literature services. Articles downloaded can then be on-sold. The criminals send an email attempting to coerce the victim into providing a login and password in a fake Macquarie University Library website.

How to spot it: The email "From" address is not a Macquarie email address. Poorly worded and formatted email. The domain of the website is not a Macquarie domain.

Response: Most of these emails are blocked either at the email gateway or by the URL scanning system.

Action: Do not click on the link. Report the email to the IT Service desk by sending the email as an attachment. Once sent, the email can be deleted. Always validate requests for account confirmation with the IT Service Desk.

Volume: MQ IT has received approximately 100 occurrences of this phishing campaign in December 2018.

Example:

Phishing Email

Fake website

December 2018 - Head of department iTunes gift card scam

Description: This email is a low-effort impersonation style email. The scammer attempts to coerce a target into sending valid gift card details by impersonating an urgent request from a department head. This scam uses the publicly available staff directory to target the reporting lines of the University's senior staff. By impersonating a position of authority, the scammers hope to elicit a swift response from the victim.

How to spot it: The "From" address is typically a gmail address that includes the impersonated person's first and last name. There is always urgency in the request to manipulate the victim and reduce the possibility of the victim thinking about the request.

Response: Since the scammers use the same text for each campaign, IT is able to block subsequent emails once we are aware of the content.

Action: Do not respond to the scammer. Report the email to the IT Service desk by sending the email as an attachment. Once sent, the email can be deleted. Always validate requests of a financial nature via an alternate trusted email address or phone number.

Volume: MQ IT has received thousands of this style of email from October 2018 to December 2018.

Example: The example below shows how the conversation proceeds if responding to the scammer. There are regular reminders in the conversation about the urgency of the request.

 

 

December 2018 - I know your password, or I have infected your computer scam

Description: This email is a low-effort blackmail style email. The intention of the scammers is to scare the recipient into paying bitcoins to protect their account. The scammer attempts to gain legitimacy by using an old password obtained from a breach that might have happened years ago. Popular breaches are the LinkedIn breach or the MySpace breach. This can be intimidating for some users because the scammers have a password that the victim recognises and threaten to expose fictitious inappropriate online activity. However, the text is the same in all cases of this scam and there is no evidence of any access to personal equipment.

How to spot it: The email includes a past password, includes a threat and asks for a bitcoin payment.

Response: Since the scammers use the same text for each campaign, MQ IT is able to block subsequent emails once we are aware of the content.

Action: Do not respond to the scammer. Report the email to the IT Service desk by sending the email as an attachment. Once sent, the email can be deleted. If you are using the password, or similar, that features in the email, then it is recommended that your password is changed.

Volume: MQ IT has received thousands of this style of email from October 2018 to December 2018.

Example 1:

Example 2:

Example 3:

Example 4:


Example 5:


Example 6:

Previous Phishing Samples

September 2018 - Infected Bill or Payment PDF Attachment

July 2018 - CEO Fraud

May 2018 - Invoice Fraud

January 2018 - Fake Office 365 Account Notice


January 2018 - Fake Dropbox Message


September 2017 - Infected Bill or Payment PDF Attachment

 

 
