Auburn's Phish Tank

A collection of phishing scams that have attempted to bait the Auburn community.


Phishing Email Titled "OIT HelpDesk - Important update for"

The following phishing email was sent to a large number of Auburn email addresses.

[Image: OIT HelpDesk - Important update for username@auburn.edu.PNG]

A few points that help determine the URL is not legit:

1. OIT will never email a link and ask a person to update their account or password.
2. The From address is different than the name of the sender. The name is OIT HelpDesk <helpdesk@auburn.edu>, but the sender is albut@newschool.edu.
3. The link is hxxp://appid.saborearpizzaparty.com/cas.auburn.edu/&owa/auth/logon-aspx, which is not an Auburn website.

An easy way to tell if a link is legit is to locate the top-level domain (TLD). This is usually the first occurrence of .com, .net, .edu, etc. in the URL when reading from left to right. Read the text to the left of the TLD to find the domain name and the sub-domain, if one exists, as shown below:

[Image: URL Domain Name.PNG]

The part highlighted in green is the true URL. The text cas.auburn.edu is a directory on this website and attempts to trick a person into thinking they are visiting cas.auburn.edu.

If you click on a suspicious link and submit your Auburn credentials, immediately change your password. Report the phishing email and link to abuse@auburn.edu by forwarding the email as an attachment (don't forward it in-line, but use the "Forward as Attachment" option in most email clients). This provides more information for analysis.

A phishing email was sent to a large number of Auburn email addresses.
8/24/2017 5:00:00 AM
https://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=12

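The host check described above, written out as an added example that is not part of Auburn's page: it parses a defanged link without fetching it, reports the real hostname, and flags a trusted name that appears only after the host. It relies on a URL parser rather than scanning for the first TLD; TRUSTED_DOMAIN and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "auburn.edu"  # assumption: the only domain treated as legitimate


def split_link(link: str) -> tuple[str, str]:
    """Return (hostname, text after the hostname). Parses only, never fetches.

    The scheme is discarded, so defanged forms such as hxxp:// still parse.
    """
    rest = link.strip().partition("://")[2] or link.strip()
    parts = urlsplit("http://" + rest)
    host = (parts.hostname or "").rstrip(".")
    return host, (parts.path + "?" + parts.query).lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain or a subdomain, matched on a label boundary."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_link(link: str) -> dict:
    host, after_host = split_link(link)
    trusted = is_under(host, TRUSTED_DOMAIN)
    return {
        "host": host,
        "trusted": trusted,
        # A trusted name that shows up after the real host is only a directory
        # or parameter; it says nothing about where the link goes.
        "decoy_after_host": (not trusted) and TRUSTED_DOMAIN in after_host,
    }


# Links quoted on this page, in their defanged form.
SAMPLES = [
    "hxxp://appid.saborearpizzaparty.com/cas.auburn.edu/&owa/auth/logon-aspx",
    "htp://www.moveartis.com/AHJIDU02/blackB/Blackboard-Learn.htm",
    "htp://autofocusasia.com/css/new/msoffice/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_link(sample))
```
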
Sad attempt at Phishing

________________________________

From: Sankoh, Marie
Sent: Wednesday, August 23, 2017 8:13 AM
To: Sankoh, Marie
Subject: EmailAlert#1818 !!

EmailAlert#1818

We have sent you a message.

Your e-mail account was LOGIN today by Unknown IP address: 103.240.180.228, click on the Administrator<hts://princealwhedfoundation2000webhostapp.com/> to validate and verify your e-mail account to avoid temporary block.

Help Desk

@2017

Good gosh almighty I hope no one fell for this.
8/23/2017 4:00:00 PM
https://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=11

Dropbox phishing aimed at Auburn users

From: Auburn University <ailigarcia@embarqmail.com>
To:

Auburn shared with you an important documents using Dropbox.

Click here to view <ht://gobbledeegookgoo.gl/WDcBms>

Sign in to access shared documents.

If you prefer not to receive Dropbox newsletters, please go here <ht://moregobbledeegook.nedrive.live.com/redir?page=survey&resid=808A5A3ADC7E55E5%21112&authkey=%21AGn4Y-vR6Yb8ZTc&ithint=file%2cxlsx> .

Dropbox, Inc., PO Box 77767, San Francisco, CA 94107

Please remember: DO NOT click a link in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser. Notice the From field says "Auburn University" but the actual sender address is <ailigarcia@embarqmail.com>.
8/10/2017 2:35:00 PM
https://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=10

Phishing Alert! "Payroll schedule message."

From: "Auburn University Support. <w304828@usm.edu>
Subject: Payroll schedule message.

You have 1 new Important Schedule message

Click here to read <htp://www.moveartis.com/AHJIDU02/blackB/Blackboard-Learn.htm>

Auburn University | Team.

8/4/2017 9:00:00 PM
https://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=9

Phishing Alert: E-mail Verification

Hello

This is to notify, all Students and Staffs of Auburn University we are validating active accounts.

Kindly confirm that your account is still in use by clicking the validation link below:

Validate Email Account<htp://autofocusasia.com/css/new/msoffice/>

Sincerely

IT Help Desk
Auburn University

We are seeing a large increase in phishing attempts within the Tigermail email system. DO NOT click a link in an unsolicited email message. If you have reason to believe the request is real, type the web address for the company or institution directly into your web browser. DO be equally cautious when reading email on your phone. It may be easier to miss telltale signs of phishing attempts when reading the email on a smaller screen.
8/4/2017 3:00:00 PM
https://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=8