Phish Tank

Summary

These are recent phishing examples that the Office of Information Security has seen attacking the campus.

Body

These are examples of recent phishing emails that the Office of Information Security and Privacy has seen attacking the campus.

Date: 11/25/2024

Subject: EMAIL CONFIRMATION

Comments:

  • External Tag
  • Sender address is not a TU address
  • QR code goes to a Wixsite page that asks you to enter a username and password

Date: 11/25/2024

Subject:  Various Subjects - towson

edu.towson

Microsoftoffice365

Comments:

  • Sender is a Gmail address
  • No body in the emails, only the External tag and the Exchange policy tip that you don't often get email from this person
  • Attachment
  • Tells you to click a link to a WordPress site

Date: 11/1/2024

Subject:  Various Subjects all relating to docusign

***Test Document***Thank you for your order

Complete with Docusign: Thank You for Your Subscription Payment

Complete with Docusign: Order Reference 764803 : Payment Successfully Processed

Excellent work! Your subscription has been successfully renewed!: Invoice # 857805854.pdf

Comments

  • Docusign is being leveraged to carry out this attack
  • The text in the Docusign email is trying to get you to call a phone number
  • The To address is usually something odd

Date: 9/2/2024

Subject: New Financial Support Program

Comments:

  • External Tag, Unusual sender policy tip
  • Not a TU sender
  • Hyperlink goes to an external URL

Date: 8/31/2024

Subject: Parking Ticket

Comments:

  • External Tag
  • External Sender 
  • Never click attachments or links from unknown senders

Date: 9/23/2024

Subject: Advanced Leadership Membership Membership Payment [PastDue]

Comments

  • This is one continuous email. The attacker makes it up to look like a chain of emails to trick you
  • It tries to build your confidence that this is legit. The attached invoice could either be malware or trick you into entering your credentials
  • Check with the user in the email thread to make sure it is legit, and check the sender address for validity of the domain
  • Check for spelling, punctuation and grammatical errors

 

Date: 11/19/2024

Subject: LinkedIn Notification

Comments:

  • Sender address is similar to LinkedIn's but isn't
  • Suggests a personal connection
  • Mouse over link, leads to a third-party website (not LinkedIn)

 

Date: 8/27/2024

Subject: BANKMBOILE DISBURSEMENT- Your $9,436.00 from Towson University

Comments

  • Towson University will not contact you via Gmail addresses
  • The subject has spelling mistakes
  • Policy tip saying you don't often get email from that address
  • Most likely was in the junk folder
  • Mouse over link was to a Google Form that was poorly formatted

Attachment: Towson University Finainace 

[Screenshot: malicious form]

 

Date: 7/11/2024

Subject: Critical Update: Health Exposure Incident Reported - Action Required

Comments:

  • External Tag is on, but it says it's from the University
  • Policy tip that says you don't often receive email from the sender, which is another .edu
  • Scare tactics to get you to click
  • External link is to a law firm. Always check the URL!

Date: 5/27/2024

Multiple Subjects impersonating Bankmobile

Subject: Vibe Account; BMTX Services, BMTX Disbursements, BMTX Inc; Select Refund Option, Vibe Account; BankMobile Services, Refunds from BMTX

Comments:

  • EXTERNAL TAG IS ON, UNUSUAL SENDER TAG IS ON
  • Scam impersonating Bankmobile. Attached document has an external link to a fake Bankmobile form that asks for login information
  • PLEASE LOOK AT SENDER ADDRESS: they are all random GMAIL ADDRESSES

Date: 5/21/2024

Subject: New messages are waiting for you in a Teams group chat

Comments:

  • Display name is different than body message
  • URL is bad
  • Login Page is not TU

 

Date: 5/20/2024

Subject: Research Position Available

Comments:

  • External Tag, Infrequent sender Policy tip
  • Sender address is from another university or a random Gmail address but wants you to email some other domain
  • Offer is too good to be true
  • Malicious Actor sends you a fake check by email and wants you to print it out and mobile deposit it

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/26/2024

Subject: HR and Employment Relations Information Session

Comments:

  • External Tag, Infrequent sender Policy tip
  • Sender address is from another university but wants you to email some other domain
  • Offer is too good to be true

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/25/2024

Multiple Subjects:

Subject: S.R.A Remote

Subject: REMOTE JOB PLACEMENT

Subject: Notice for Towson students

Comments

  • Please look at policy tips - this one said "You don't often get email from <senderaddress>"
  • External Tag is on
  • Always be suspicious when emails persuade you to move the conversation to text message
  • The job offer tries to get you to deposit money, then send money to the attacker using Zelle, Venmo, etc.

 

Date: 3/24/2024

Subject: Dr. Mark R. Ginsberg shared a document with you

 

Comments:

  • Fake sharing document from the President
  • Sender is external
  • External Tag is on 

Date: 3/22/2024

Multiple subjects like the ones below

Subject: Document form HP LaserJet ProScanner

Subject: Towson Signature Required - "Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024

Subject: Scanned image from MX-M565N

Comments:

  • External Tag
  • Attachment is a document that tells you to click on a malicious link
  • Sender is also external

Date: 2/12/2024 

Multiple Subjects and varieties like below

Subject: Notice of Portal Termination

Subject: Notice of Termination

Subject: Opportunity for All

Subject: Job Opening for All

Subject: Work at your convenience

Comments:

  • Compromised TU student sending the messages
  • Link goes to a Google Form that asks for email addresses, phone numbers, and "Words of Identification" (passwords)
  • You will then receive a text message if phone number is submitted

Date: 2/13/2024

Multiple Subjects and varieties like below

Subject: FTP Billing and Financial Aid Update 2/13/2014

Subject: Financial Aid Update

Comments:

  • Compromised student sending the email
  • Attachment tells you to email an address and wait for more instructions

 

Date: 2/12/2024

Subject: You have got an urgent message from Towson University 

Comments:

  • External Tag
  • Generic greeting
  • Attacker trying to move conversation off of TU resources

Date: 2/9/2024

Subject: TOWSON administrator has started the procedure. 

Comments:

  • Compromised student account sending email so no external tag
  • Link was to an external site

Date: 2/6/2024

Subject:  W: TOWNSON UNIVERSITY NEWSLETTER!!!

Comments:

  • External Tag
  • Subject has Towson spelled wrong
  • Attachment has a link that is broken

Date: 2/6/2024

Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees

Comments:

  • External Tag
  • External Sender
  • External Link brings up a fake login page and tells you to check for MFA prompts

Date: 2/3/2024

Subject: Updated Pay Dates

Comments:

  • Very Good Phish
  • External Tag, Sender is from a different domain
  • Link is to an external site that is a cloned Towson Page
  • Asks for Duo Codes 

Date: 1/29/2024

Subject: Payroll schedule 2024!

Comments:

  • External Tag, External Sender
  • Link has non-standard characters
  • Link goes to a non-TU URL, which impersonates our login page and then shows a fake Duo MFA page
  • Eventually you end up with a fake payroll calendar from 2022

Date: 1/11/2024

Subject: SCHOOL UPDATE

Comments:

  • External Tag, external sender
  • Offer too good to be true
  • Link is to a form that requests personal information, see example below

[Screenshot: example form requesting personal information]

 

 

Date: 1/07/2024

Subject: Total compensation statements for towson Staffs/Non-Staffs

Comments:

  • External Tag
  • Sender Address is from another .edu
  • Link is to a Google Form
  • Grammar and punctuation are incorrect

Date: 1/3/2024

Subject: MESSAGE FROM ADINM 

Comments:

  • Sender address is a Towson student's, so why would an official email asking you to change something come from that?
  • No external tag because of the student address
  • Grammar and spelling are bad

Date: 12/19/2024

Subject: Open Enrollment for 2024  for all Towson Employee

Comments:

  • External Tag is on 
  • Sender Address is not Towson
  • PDF attachment has a QR code with a link to a Russian URL that hosts a malicious Microsoft credential-capturing form
  • TU will never use a QR code for official communication

Date: 12/14/2023

Subject: Today@TU - 12/14/2023 | Release Messages

Comments:

  • This was a good one
  • External Tag is on
  • Sender address is random characters @ another .edu
  • Link goes to a non-TU URL, which then impersonates our login page
  • If credentials are entered, a Duo page will appear

Date: 12/11/2023 (multiple emails, same tactics)

Subject: YETI_30 OZ TRAVEL MUG Confirmation

Subject: Re: 2nd attempt for <Username>

Subject: Important for <Username>, congrats You Are Our <Month> Winner

Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!

Comments:

  • External Tag
  • Sending address is suspicious: random characters @ randomcharacters.onmicrosoft.com, e.g. YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
  • Embedded link in the image goes to a suspicious randomcharacters.blob.core.windows.net/randomcharacters URL, e.g. https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
  • Random email giving away free items?
  • We have seen this done with other giveaways, but the tactics are the same: a random onmicrosoft.com sending address, a random blob.core.windows.net URL, and some sort of congratulations on winning something

 

Date: 11/6/2023

Subject: The Care Employment Opportunity

[Screenshot: the attachment, if you open it]

Comments:

  • Not from official TU Job boards
  • Offer is too good to be true
  • Body of the email tells you to move the communications to a personal email platform

Date: 10/19/2023

Subject: Banks, Sean shared "Faculty Application for Employment " with you

Comments:

  • Sender shared the file, but the description has a different name.
  • Link is not to TU SharePoint

Date: 10/19/2023

Subject: Document for Dr. Melanie Perreault

Comments:

  • External Tag
  • Google Sharing
  • Sender and description have a different name
  • Sender is not from Towson

Date: 10/13/2023

Subject:  PASSWORD RESET REMINDER

Comments:

  • External Tag

Date: 9/20/2023

Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM

Comments: 

  • OTS will not ask you to scan QR codes in emails
  • External Tag is at the bottom
  • Sender address is not Towson

Date: 9/19/2023

Subject: About Piano

Comments: 

  • Offer is too good to be true
  • There are various different versions of this email

Date: 9/6/2023

Subject: I Recorded You

Comments:

  • Very common scam email. Attackers send this to thousands and try to get one or two to send money
  • The request is absurd
  • Bitcoin is used all the time during scams
  • If you think your account is compromised, please reach out to phishing@Towson.edu

Date: 9/2/2023

Subject: Administrative Assistant/Project Coordinator

Comments:

  • Offer is too good to be true
  • Reply email is not associated with the University
  • If you reply, the attackers will try to move to another means of communication, like SMS or personal email

Date: 8/17/2023

Subject: Kindly provide your cell number that i can reach you at 

OR

Subject: Available, Cell Phone Number?

Comments:

  • Email address does not match name of sender
  • External Tag
  • The main hook is to get this conversation to another means of communication where security controls do not exist
  • End game is for the user to go and buy gift cards and send the numbers to the malicious actor
  • Grammar in the text message is poor

Date: 8/17/2023

Subject: Required | Towson Multi-Factor Auth

Comments: 

  • This is a pretty good one; there is no external tag
  • If you actually did scan the QR code, there were multiple redirects that ultimately ended on a malicious credential capture page
  • TU does not use Microsoft MFA

 

Date: 7/24/2023

Subject: Gary  Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.

Comments

  • Subject sharing name is different from the body of the email.  Urgency in the body of the email
  • Punctuation in body of email
  • URL when you mouse over the link. 

Date: 7/24/2023

Subject: Retirement Planning Sessions for the University System of Maryland Employees

Comments

  • External Tag
  • From Address

Details

Article ID: 146599
Created: Mon 7/24/23 1:06 PM
Modified: Mon 11/25/24 12:44 PM