Auburn's Phish Tank

-A collection of phishing scams that have attempted to bait the Auburn community.

Auburn's Phish Tank Logo

 

 

PHISHING - Have you got a momentPHISHING - Have you got a moment<div class="ExternalClassCCE36CE138484F0F95D8CFC73476D4E3"><p><strong style="font-size:24px;background-color:#ffff00;">FIRST EMAIL:</strong><br></p><p>On Sep 17, 2018, at 5:37 PM, Andy Hacker <<a href="mailto:abh0014.auburn.edu@gmail.com">axh9999.auburn.edu@gmail.com</a>> wrote:</p><p>Are you available at the moment?<br></p><p><strong>REPLY:</strong><br></p><p>Yes<br></p><p><strong style="font-size:24px;"><span style="background-color:#ffff00;">Then the second email comes:</span><span style="font-size:17.3333px;"></span></strong><br></p><p><strong>From:</strong> Andy Hacker <ahx9999<a href="mailto:0014.auburn.edu@gmail.com" style="background-color:white;">.auburn.edu@gmail.com</a><span style="color:inherit;">> </span></p><p><strong>Sent:</strong> Monday, September 17, 2018 6:47 PM<br> <strong>To:</strong> Auburn User <Aubie9999<a href="mailto:FSS0006@auburn.edu">@auburn.edu</a>><br> <strong>Subject:</strong> Re: Follow Up<br></p><p>I'm in a meeting right now and that's why i'm contacting you through here. I should have call you, but phone is not allowed to be use during the meeting.I don't know when the meeting will be rounding up, And i want you to help me out on something very important right away.</p><p>i need you to help me get an iTunes gifts card from the store,i will reimburse you back when i get to the office.<br></p><p><br></p><p><span style="background-color:#caeedc;">It ended here as the receiver of the email follow the proper protocol and forwarded to phishing@auburn.edu</span><br></p><p><br></p><p><strong style="font-size:24px;"><span style="font-size:14px;"></span><br></strong></p></div>An email is sent asking if you have a minute, then a second email is sent which asks for your help in purchasing iTune gift cards. Notice in this email, the from email is not an auburn account (Gmail) and there are grammar errors)9/18/2018 5:00:00 AMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=24
Spam Email Spoofed as if From Dr. LeathSpam Email Spoofed as if From Dr. Leath<div class="ExternalClass8815E74F345244559E55C1CCF5CB15B0"><img src="file:///C:/Users/wmm0014/AppData/Local/Temp/msohtmlclip1/01/clip_image003.jpg" alt="" style="width:16px;margin:5px;" /><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/Capture-Leath.JPG" alt="Capture-Leath.JPG" style="margin:5px;width:786px;" /></div>This particular email has been marked as Suspicious and also contains an Auburn Warning. Other clues include: **The From Address is clearly not from an Auburn Address **If you hover over the address it is not an Auburn Address **Grammar errors (Non-Capitalized words, sentence structure) 8/7/2018 6:50:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=23
SPAM EMAIL REGIONS BANK MESSAGE ALERTSPAM EMAIL REGIONS BANK MESSAGE ALERT<div class="ExternalClassDC916230FBEB4D7580604C3A949E5C20"><p>​If you receive an email purporting to be from Regions Bank (See sample below).  Do not click on the link.  It is an attempt to harvest your regions credentials.  If you did click on the link, you should change your passwords immediately.  </p><p><br></p><p><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/Capture-REgions.JPG" alt="Capture-REgions.JPG" style="margin:5px;width:803px;" /><br></p><p></p></div>8/3/2018 9:00:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=22
Information Technology Services (CISCO VPN PHISHING)Information Technology Services (CISCO VPN PHISHING)<div class="ExternalClass59BC7121E2BC434AA01BD9E9ECA214D1"><p>A well-crafted phishing email went out to many Auburn students, faculty, and staff over the weekend. Our records indicate that you were one of the recipients of the email which originated from <a href="mailto:cheso2@ksu.edu">cheso2@ksu.edu</a>. This email requested that people enter credentials in order to reactivate their Cisco VPN access. <strong>If you entered your credentials, we urge you to change your Auburn password immediately.</strong> If you use that same password elsewhere, please consider changing those as well.</p><p>We would like to reiterate that this was a well-crafted email, but there are usually red flags in any phishing attack that you should be aware of. Here are some we spotted in this email:</p><ul><li><strong>Sending address – </strong>Official announcements such as changes in technology will always come from an auburn.edu email address or directly from the vendor.<strong> </strong></li><ul><li><strong style="color:inherit;">In this case it came from cheso2@ksu.edu</strong><br></li></ul><li><strong>Spelling & Syntax errors – </strong>This email was addressed to faculty, staff, and student (singular). This is a small error, but it's one that most official outlets would catch prior to sending. </li><li><strong>Links –</strong> The link included in the email is to a tinyurl.com address. Auburn University has a proprietary link shortening system called aub.ie, so official emails will most likely not use things like tinyurl.com or bit.ly. If you clicked through to the address, you can also see that the actual web address isn't truly affiliated with Auburn University or Cisco VPN. </li></ul><p>For more information on phishing attacks, go to the <a href="/admin/oit/CyberSecurityCenter/Pages/CSHome.aspx">OIT CyberSecurity Center Website</a>.</p><p><br></p><p><img src="/admin/oit/CyberSecurityCenter/phishtank/PublishingImages/Lists/PhishTank/AllItems/CISCO%20VPN.PNG" alt="CISCO VPN.PNG" style="margin:5px;" /><br></p></div>Phishing email sent which asked individuals to enter credentials to update their Cisco VPN. This was well crafted. 2/19/2018 4:45:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=21
Phish aimed at state employeesPhish aimed at state employees<div class="ExternalClassA5096A2C23554F15B9210A43FBE5FE6D"><p>​</p> <p class="MsoPlainText">Sent: Wednesday, February 14, 2018 5:36 AM</p><p class="MsoPlainText"><span>                                </span>Subject: STATE OF ALABAMA NEW HSE/SSA REGULATIONS</p><p class="MsoPlainText"><span>                                </span><span> </span></p><p class="MsoPlainText"> </p><p class="MsoPlainText"><span> </span></p><p class="MsoPlainText">Kelly Peterson sent you a completed document to review and sign</p><p class="MsoPlainText"><span> </span></p><p class="MsoPlainText">VIEW DOCUMENT<span>  </span><link removed> </p><p class="MsoPlainText"><span>                                </span><span> </span></p><p class="MsoPlainText">Powered by</p><p class="MsoPlainText"> </p><p class="MsoPlainText">Do Not Share This Email</p><p class="MsoPlainText">This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others.</p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText">Alternate Signing Method</p><p class="MsoPlainText">Visit DocuSign <<a href="http://docusign.com/">http://docusign.com/</a>> .com <<a href="http://docusign.com/">http://docusign.com/</a>> , click 'Access Documents', and enter the security code:</p><p class="MsoPlainText">14609D52C3DE43F59D880F2DD68FE7 B93</p><p class="MsoPlainText">About DocuSign</p><p class="MsoPlainText">Sign documents electronically in just minutes. It's safe, secure, and legally binding. Whether you're in an office, at home, on-the-go -- or even across the globe --<span>  </span>DocuSign provides a professional trusted solution for Digital Transaction Management™.</p><p class="MsoPlainText">Questions about the Document?</p><p class="MsoPlainText">If you need to modify the document or have questions about the details in the document, please reach out to the sender by emailing them directly.</p><p class="MsoPlainText"> </p><p class="MsoPlainText">If you are having trouble signing the document, please visit the Help with Signing <<a href="https://support.docusign.com/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing">https://support.docusign.com/articles/How-do-I-sign-a-DocuSign-document-Basic-Signing</a>><span>  </span>page on ourSupport Center <<a href="https://www.docusign.com/support">https://www.docusign.com/support</a>> .</p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText"> </p><p class="MsoPlainText"><<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>><span>  </span><<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>> Download the DocuSign App <<a href="https://www.docusign.com/features-and-benefits/mobile">https://www.docusign.com/features-and-benefits/mobile</a>> </p><p class="MsoPlainText">This message was sent to you by Kamran Vaghee who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.</p></div>2/14/2018 3:00:00 PMhttps://sites.auburn.edu/admin/oit/CyberSecurityCenter/phishtank/Lists/PhishTank/DispForm.aspx?ID=20