Auburn's Phish Tank

-A collection of phishing scams that have attempted to bait the Auburn community.

Auburn's Phish Tank Logo

 

 

Spam Email Spoofed as if From Dr. LeathSpam Email Spoofed as if From Dr. Leath<div class="ExternalClass8815E74F345244559E55C1CCF5CB15B0"><img src="file:///C:/Users/wmm0014/AppData/Local/Temp/msohtmlclip1/01/clip_image003.jpg" alt="" style="width:16px;margin:5px;" /><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/Capture-Leath.JPG" alt="Capture-Leath.JPG" style="margin:5px;width:786px;" /></div>This particular email has been marked as Suspicious and also contains an Auburn Warning. Other clues include: **The From Address is clearly not from an Auburn Address **If you hover over the address it is not an Auburn Address **Grammar errors (Non-Capitalized words, sentence structure) 8/7/2018 6:50:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=23
SPAM EMAIL REGIONS BANK MESSAGE ALERTSPAM EMAIL REGIONS BANK MESSAGE ALERT<div class="ExternalClassDC916230FBEB4D7580604C3A949E5C20"><p>​If you receive an email purporting to be from Regions Bank (See sample below).  Do not click on the link.  It is an attempt to harvest your regions credentials.  If you did click on the link, you should change your passwords immediately.  </p><p><br></p><p><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/Capture-REgions.JPG" alt="Capture-REgions.JPG" style="margin:5px;width:803px;" /><br></p><p></p></div>8/3/2018 9:00:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=22
Information Technology Services (CISCO VPN PHISHING)Information Technology Services (CISCO VPN PHISHING)<div class="ExternalClass59BC7121E2BC434AA01BD9E9ECA214D1"><p>A well-crafted phishing email went out to many Auburn students, faculty, and staff over the weekend. Our records indicate that you were one of the recipients of the email which originated from <a href="mailto:cheso2@ksu.edu">cheso2@ksu.edu</a>. This email requested that people enter credentials in order to reactivate their Cisco VPN access. <strong>If you entered your credentials, we urge you to change your Auburn password immediately.</strong> If you use that same password elsewhere, please consider changing those as well.</p><p>We would like to reiterate that this was a well-crafted email, but there are usually red flags in any phishing attack that you should be aware of. Here are some we spotted in this email:</p><ul><li><strong>Sending address – </strong>Official announcements such as changes in technology will always come from an auburn.edu email address or directly from the vendor.<strong> </strong></li><ul><li><strong style="color:inherit;">In this case it came from cheso2@ksu.edu</strong><br></li></ul><li><strong>Spelling & Syntax errors – </strong>This email was addressed to faculty, staff, and student (singular). This is a small error, but it's one that most official outlets would catch prior to sending. </li><li><strong>Links –</strong> The link included in the email is to a tinyurl.com address. Auburn University has a proprietary link shortening system called aub.ie, so official emails will most likely not use things like tinyurl.com or bit.ly. If you clicked through to the address, you can also see that the actual web address isn't truly affiliated with Auburn University or Cisco VPN. </li></ul><p>For more information on phishing attacks, go to the <a href="/admin/oit/CyberSecurityCenter/Pages/CSHome.aspx">OIT CyberSecurity Center Website</a>.</p><p><br></p><p><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/CISCO%20VPN.PNG" alt="CISCO VPN.PNG" style="margin:5px;" /><br></p></div>Phishing email sent which asked individuals to enter credentials to update their Cisco VPN. This was well crafted. 2/19/2018 4:45:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=21
Phish aimed at state employeesPhish aimed at state employees<div class="ExternalClassA5096A2C23554F15B9210A43FBE5FE6D"><p>​</p> <p class="MsoPlainText">Sent: Wednesday, February 14, 2018 5:36 AM</p><p class="MsoPlainText"><span>                                </span>Subject: STATE OF ALABAMA NEW HSE/SSA REGULATIONS</p><p class="MsoPlainText"><span>                                </span><span> </span></p><p class="MsoPlainText"> </p><p class="MsoPlainText"><span> </span></p><p class="MsoPlainText">Kelly Peterson sent you a completed document to review and sign</p><p class="MsoPlainText"><span> </span></p><p class="MsoPlainText">VIEW DOCUMENT<span>  </span><link removed> </p><p class="MsoPlainText"><span>                                </span><span> </span></p><p class="MsoPlainText">Powered by</p><p class="MsoPlainText"> </p><p class="MsoPlainText">Do Not Share This Email</p><p class="MsoPlainText">This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others.</p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText">Alternate Signing Method</p><p class="MsoPlainText">Visit DocuSign <<a href="http://docusign.com/">http://docusign.com/</a>> .com <<a href="http://docusign.com/">http://docusign.com/</a>> , click 'Access Documents', and enter the security code:</p><p class="MsoPlainText">14609D52C3DE43F59D880F2DD68FE7 B93</p><p class="MsoPlainText">About DocuSign</p><p class="MsoPlainText">Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe --<span>  </span>DocuSign provides a professional trusted solution for Digital Transaction Management™.</p><p class="MsoPlainText">Questions about the Document?</p><p class="MsoPlainText">If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly.</p><p class="MsoPlainText"> </p><p class="MsoPlainText">If you are having trouble signing the document, please visit the Help with Signing <<a href="https://support.docusign.com/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing">https://support.docusign.com/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing</a>><span>  </span>page on ourSupport Center <<a href="https://www.docusign.com/support">https://www.docusign.com/support</a>> .</p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText"><<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>><span>  </span><<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>> Download the DocuSign App <<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>> </p><p class="MsoPlainText">This message was sent to you by Kamran Vaghee who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.</p></div>2/14/2018 3:00:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=20
Spear Phishing aimed at Auburn UsersSpear Phishing aimed at Auburn Users<div class="ExternalClassDE3DF526E2CA4A20BC2F537FFDD7C929"> <p class="MsoPlainText">From:  Auburn University Mail Admin <gsl_04@optusnet.com.au></p><p class="MsoPlainText">To: me@auburn.edu</p><p class="MsoPlainText"><br></p><p class="MsoPlainText">Subject: Pending Messages<br></p><p class="MsoPlainText"><br></p><p class="MsoPlainText"><br></p><p class="MsoPlainText">Dear User,</p><p class="MsoPlainText"> </p><p class="MsoPlainText">You have 3 pending messages.</p><p class="MsoPlainText"> </p><p class="MsoPlainText">Click here <Link removed> to view messages.</p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText">Auburn University Mail Admin</p><p class="MsoPlainText"> </p><p class="MsoPlainText">________________________________</p><p class="MsoPlainText"> </p><p class="MsoPlainText">Email sent using Optus Webmail</p><p>​</p></div>The link leads to a well designed page that looks similar to an Auburn login page.2/8/2018 6:00:00 AMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=19