Phish Tank

These are recent Phishing examples The Office of Information Security has seen attacking the campus.

Date: 5/27/2024

Multiple Subjects impersonating Bankmobile

Subject: Vibe Account; BMTX Services, BMTX Disbursements, BMTX Inc; Select Refund Option, Vibe Account; BankMobile Services, Refunds from BMTX

Uploaded Image (Thumbnail)

Comments:

  • EXTERNAL TAG IS ON, UNUSUAL SENDER TAG IS ON
  • Scam Impersonating Bankmobile, Attached document has a an external link to a fake bankmobile form that asks for login information
  • Uploaded Image (Thumbnail)PLEASE LOOK AT SENDER ADDRESS they are all random GMAIL ADDRESSES

Date: 5/20/2024

Subject: Research Position Available

Uploaded Image (Thumbnail)Comments:

  • External Tag, Infrequent sender Policy tip
  • Sender address is from another university or random gmail address but wants you to email some other domain
  • Offer is to good to be true
  • Malicious Actor sends you a fake check by email and wants you to print it out and mobile deposit it

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/26/2024

Subject: HR and Employment Relations Information Session

Uploaded Image (Thumbnail)Comments:

  • External Tag, Infrequent sender Policy tip
  • Sender address is from another university but wants you to email some other domain
  • Offer is to good to be true

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/25/2024

Multiple Subjects:

Subject: S.R.A Remote

Subject: REMOTE JOB PLACEMENT

Subject: Notice for Towson students

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)Comments

  • Please look at policy tips - this one said "You dont often get email from <senderaddress>
  • External Tag is on
  • Always be suspicious when emails pursuade you to move the conversation to text message
  • The job offer tries to get you deposit money, then send money to the attacker using Zelle, Venmo, etc

 

Date: 3/24/2024

Subject: Dr. Mark R. Ginsberg shared a document with you

 

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)Comments:

  • Fake sharing document from the President
  • Sender is external
  • External Tag is on 

Date: 3/22/2024

Multiple subjects like the ones below

Subject: Document form HP LaserJet ProScanner

Subject: Towson Signature Required"Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024

Subject: Scanned image from MX-M565N

Uploaded Image (Thumbnail)Comments:

  • External Tag
  • Attachment is a document that tells you to click on a malicious link
  • Sender is also external

Date: 2/12/2024 

Multiple Subjects and varieties like below

Subject: Notice of Portal Termination

Subject: Notice of Termination

Subject: Opportunity for All

Subject: Job Opening for All

Subect: Work at your convenience

Uploaded Image (Thumbnail)Uploaded Image (Thumbnail)Comments: 

  • Compromised TU student sending the messages
  • Link goes to a google form that is asking for email addresses, phone numbers, Words of Identification? (Passwords)
  • You will then receive a text message if phone number is submitted

Date: 2/13/2024

Multiple Subjects and varieties like below

Subject: FTP Billing and Financial Aid Update 2/13/2014

Subject: Financial Aid Update

Uploaded Image (Thumbnail)Comments:

  • Compromised student sending the email
  • attachment tells you to email an address and wait for more instructions

 

Date: 2/12/2024

Subject: You have got an urgent message from Towson University 

Uploaded Image (Thumbnail)

Comments:

  • External Tag
  • Generic greeting
  • Attacker trying to move conversation off of TU resources

Date: 2/9/2024

Subject: TOWSON administrator has started the procedure. 

Uploaded Image (Thumbnail)Comments:

  • Compromised student account sending email so no external tag
  • Link was to an external site

Date: 2/6/2024

Subject:  W: TOWNSON UNIVERSITY NEWSLETTER!!!

Uploaded Image (Thumbnail)Comments:

  • External Tag
  • Subject has Towson spelled wrong
  • Attachment has a link that is broken

Date: 2/6/2024

Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees

Uploaded Image (Thumbnail)

Comments:

  • External Tag
  • External Sender
  • External Link brings up a fake login page and tells you to check for MFA prompts
  •  
  • Uploaded Image (Thumbnail)
  • Uploaded Image (Thumbnail)

Date: 2/3/2024

Subject: Updated Pay Dates

Uploaded Image (Thumbnail)Comments:

  • Very Good Phish
  • External Tag, Sender is from a different domain
  • Link is to an external site that is a cloned Towson Page
  • Asks for Duo Codes 

Date: 1/29/2024

Subject: Payroll schedule 2024!

Uploaded Image (Thumbnail)Comments:

  • External Tag External Sender
  • Link has non standard characters
  • link goes to a Non TU URL which then impersonates our login page and then a fake Duo MFA page
  • Eventually you end up with a fake payroll calendar from 2022

Date: 1/11/2024

Subject: SCHOOL UPDATE

Uploaded Image (Thumbnail)Comments:

  • External Tag, external sender
  • Offer too good to be true
  • Link is to a form that requests personal information, see example below

Uploaded Image (Thumbnail)

 

 

Date: 1/07/2024

Subject: Total compensation statements for towson Staffs/Non-Staffs

Uploaded Image (Thumbnail)Comments: 

  • External Tag
  • Sender Address is from another .edu
  • Link is to a google form
  • Grammar and Punctuation is incorrect

Date: 1/3/2024

Subject: MESSAGE FROM ADINM 

Uploaded Image (Thumbnail)

Comments:

  • Sender address is a towson student, so why would official email to change something come from that
  • No external tag because of student address
  • Grammar and Spelling is bad

Date: 12/19/2024

Subject: Open Enrollment for 2024  for all Towson Employee

Uploaded Image (Thumbnail)

Uploaded Image (Thumbnail)

Comments:

  • External Tag is on 
  • Sender Address is not Towson
  • PDF Attachment has a QR code with a link to a Russian URL that hosts a malicious Microsoft Credential Capturing form
  • TU will never use a QR code for official communication

Date: 12/14/2023

Subject: Today@TU - 12/14/2023 | Release MessagesUploaded Image (Thumbnail)Comments:

  • This was a good one
  • External Tag is on
  • Sender Address is Random characters @ another .edu 
  • link goes to a Non TU URL which then impersonates our login page
  • Uploaded Image (Thumbnail)If credentials are entered a duo page will appear
  • Uploaded Image (Thumbnail)

Date: 12/11/2023 --Multiple Emails same tactics

Subject: YETI_30 OZ TRAVEL MUG ConfirmationUploaded Image (Thumbnail)

Subject: Re: 2nd attempt for <Username>

Uploaded Image (Thumbnail)

Subject: Important for <Username>, congrats You Are Our <Month> Winner

Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!

Uploaded Image (Thumbnail)

 

Comments:

  • External Tag
  • sending address is suspicious random characters @ randomcharacters.onmicrosoft.com YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
  • Embedded link in the image to suspicious random characters.blob.core.windows.net/random characters https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
  • Random email giving away free items?
  • We have seen this done with other giveaways but tactics are the same, random onmicrosoft.com sending address and random blob.core.windows.net URL and some sort of congratulations on winning something

 

Date: 11/6/2023

Subject: The Care Employment Opportunity

Uploaded Image (Thumbnail)If you open the attachment

Uploaded Image (Thumbnail)Comments: 

  • Not from official TU Job boards
  • Offer is too good to be true
  • Body of the email tells you to move the communications to a personal email platform

Date: 10/19/2023

Subject: Banks, Sean shared "Faculty Application for Employment " with you

Uploaded Image (Thumbnail)

Comments:

  • Sender shared the file, but the description has a different name.
  • Link is not to TU SharePoint

Date: 10/19/2023

Subject: Document for Dr. Melanie Perreault

Uploaded Image (Thumbnail)

Comments:

  • External Tag
  • Google Sharing
  • Sender and description have a different name
  • Sender is not from Towson

Date: 10/13/2023

Subject:  PASSWORD RESET REMINDER

Uploaded Image (Thumbnail)

Comments:

  • External Tag

Date: 9/20/2023

Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM

Uploaded Image (Thumbnail)

Comments: 

  • OTS will not ask you to scan QR codes in emails
  • External Tag is at the bottom
  • Sender address is not Towson

Date: 9/19/2023

Subject: About Piano

Uploaded Image (Thumbnail)

Comments: 

  • Offer is to good to be true
  • There are various different versions of this email

Date: 9/6/2023

Subject: I Recorded You

Comments:

  • Very common scam email, attackers send this to thousands and try to get one or two to send money
  • The request is absurd
  • Bitcoin is used all the time during scams
  • If you think your account is compromised please reach out to phishing@Towson.edu

Date: 9/2/2023

Subject: Administrative Assistant/Project Coordinator

Uploaded Image (Thumbnail)

Comments:

  • Offer is too good to be true
  • Reply email is not associated with the University
  • If you reply the attackers will try to move to another means of communication, like SMS or personal email

Date: 8/17/2023

Subject: Kindly provide your cell number that i can reach you at 

OR

Subject: Available, Cell Phone Number?

Uploaded Image (Thumbnail)

Comments:

  • Email address does not match name of sender
  • External Tag
  • The main hook is to get this conversation to another means of communication where security controls do not exist
  • Uploaded Image (Thumbnail)
  • End game is for the user to go and buy gift cards and send the numbers to the malicious actor
  • Grammar in the text message is poor

Date: 8/17/2023

Subject: Required | Towson Multi-Factor Auth

Uploaded Image (Thumbnail)

Comments: 

  • This is a pretty good one, there is no external tag
  • If you actually did scan the QR code there were multiple redirects that ultimately ended on a malicious credential capture page
  • TU does not use Microsoft MFA

 

Date: 7/24/2023

Subject: Gary  Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.

Uploaded Image (Thumbnail)

Comments

  • Subject sharing name is different from the body of the email.  Urgency in the body of the email
  • Punctuation in body of email
  • URL when you mouse over the link. 

Date: 7/24/2023

Subject: Retirement Planning Sessions for the University System of Maryland Employees

Uploaded Image (Thumbnail)

Comments

  • External Tag
  • From Address
Print Article

Details

Article ID: 146599
Created
Mon 7/24/23 1:06 PM
Modified
Tue 5/28/24 8:04 AM