Phish Tank

These are recent phishing examples The Office of Information Security has seen attacking the campus

These are recent Phishing examples The Office of Information Security and Privacy has seen attacking the campus.

 

Date: 9/2/2024

Subject: New Financial Support Program

Comments:

• External Tag, Unusual sender policy tip
• Not a TU sender
• Hyperlink goes to a external URL

 

Date: 8/31/2024

Subject: Parking Ticket

Comments:

• External Tag
• External Sender 
• Never click attachments or links from unknown senders

Date: 9/23/2024

Subject: Advanced Leadership Membership Membership Payment [PastDue]

Comments

• This is one continuous email, the attacker sends this email that is all made up to look like a chain of emails to trick you
• It tries to get your confidence up that this is legit.  The attached invoice could either be malware or trick you to enter your credentials
• Check with the user in the email thread to make sure it is legit, check sender address for validity of domain
• Check for spelling, punctuation and grammatical errors

 

 

 

Date: 8/27/2024

Subject: BANKMBOILE DISBURSEMENT- Your $9,436.00 from Towson University

Comments

• Towson University will not contact you via Gmail addresses
• The subject has spelling mistakes
• Policy Tips about you dont often get email from that address
• Most likely was in the junk folder
• Mouse over link was to a google form that was poorly formatted

Attachment: Towson University Finainace 

Malicious Form

 

Date: 7/11/2024

Subject: Critical Update: Health Exposure Incident Reported - Action Required

Comments:

• External Tag is on but it says its from the University
• Policy Tip that says you dont often receive email from the sender, which is another .edu
• Scare Tactics to get you to click
• External Link is to a law firm. Always check the UR!

Date: 5/27/2024

Multiple Subjects impersonating Bankmobile

Subject: Vibe Account; BMTX Services, BMTX Disbursements, BMTX Inc; Select Refund Option, Vibe Account; BankMobile Services, Refunds from BMTX

Comments:

• EXTERNAL TAG IS ON, UNUSUAL SENDER TAG IS ON
• Scam Impersonating Bankmobile, Attached document has a an external link to a fake bankmobile form that asks for login information
• PLEASE LOOK AT SENDER ADDRESS they are all random GMAIL ADDRESSES

Date: 5/21/2024

Subject: New messages are waiting for you in a Teams group chat

Comments:

• Display name is different than body message
• URL is bad
• Login Page is not TU

 

Date: 5/20/2024

Subject: Research Position Available

Comments:

• External Tag, Infrequent sender Policy tip
• Sender address is from another university or random gmail address but wants you to email some other domain
• Offer is to good to be true
• Malicious Actor sends you a fake check by email and wants you to print it out and mobile deposit it

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/26/2024

Subject: HR and Employment Relations Information Session

Comments:

• External Tag, Infrequent sender Policy tip
• Sender address is from another university but wants you to email some other domain
• Offer is to good to be true

Check out the "Fake Check Scam" on the FTC website

https://consumer.ftc.gov/articles/how-spot-avoid-report-fake-check-scams#Types

Date: 4/25/2024

Multiple Subjects:

Subject: S.R.A Remote

Subject: REMOTE JOB PLACEMENT

Subject: Notice for Towson students

Comments

• Please look at policy tips - this one said "You dont often get email from <senderaddress>
• External Tag is on
• Always be suspicious when emails pursuade you to move the conversation to text message
• The job offer tries to get you deposit money, then send money to the attacker using Zelle, Venmo, etc

 

Date: 3/24/2024

Subject: Dr. Mark R. Ginsberg shared a document with you

 

Comments:

• Fake sharing document from the President
• Sender is external
• External Tag is on 

Date: 3/22/2024

Multiple subjects like the ones below

Subject: Document form HP LaserJet ProScanner

Subject: Towson Signature Required"Cyrus Cronin" <Cyrus_Cronin4@hagenes-zulauf.com> - 3/25/2024

Subject: Scanned image from MX-M565N

Comments:

• External Tag
• Attachment is a document that tells you to click on a malicious link
• Sender is also external

Date: 2/12/2024 

Multiple Subjects and varieties like below

Subject: Notice of Portal Termination

Subject: Notice of Termination

Subject: Opportunity for All

Subject: Job Opening for All

Subect: Work at your convenience

Comments: 

• Compromised TU student sending the messages
• Link goes to a google form that is asking for email addresses, phone numbers, Words of Identification? (Passwords)
• You will then receive a text message if phone number is submitted

Date: 2/13/2024

Multiple Subjects and varieties like below

Subject: FTP Billing and Financial Aid Update 2/13/2014

Subject: Financial Aid Update

Comments:

• Compromised student sending the email
• attachment tells you to email an address and wait for more instructions

 

Date: 2/12/2024

Subject: You have got an urgent message from Towson University 

Comments:

• External Tag
• Generic greeting
• Attacker trying to move conversation off of TU resources

Date: 2/9/2024

Subject: TOWSON administrator has started the procedure. 

Comments:

• Compromised student account sending email so no external tag
• Link was to an external site

Date: 2/6/2024

Subject:  W: TOWNSON UNIVERSITY NEWSLETTER!!!

Comments:

• External Tag
• Subject has Towson spelled wrong
• Attachment has a link that is broken

Date: 2/6/2024

Subject: Introducing the 2024 Assistance Program: Secure Financial Support for Families and Employees

Comments:

• External Tag
• External Sender
• External Link brings up a fake login page and tells you to check for MFA prompts
•  
• 
• 

Date: 2/3/2024

Subject: Updated Pay Dates

Comments:

• Very Good Phish
• External Tag, Sender is from a different domain
• Link is to an external site that is a cloned Towson Page
• Asks for Duo Codes 

Date: 1/29/2024

Subject: Payroll schedule 2024!

Comments:

• External Tag External Sender
• Link has non standard characters
• link goes to a Non TU URL which then impersonates our login page and then a fake Duo MFA page
• Eventually you end up with a fake payroll calendar from 2022

Date: 1/11/2024

Subject: SCHOOL UPDATE

Comments:

• External Tag, external sender
• Offer too good to be true
• Link is to a form that requests personal information, see example below

 

 

Date: 1/07/2024

Subject: Total compensation statements for towson Staffs/Non-Staffs

Comments: 

• External Tag
• Sender Address is from another .edu
• Link is to a google form
• Grammar and Punctuation is incorrect

Date: 1/3/2024

Subject: MESSAGE FROM ADINM 

Comments:

• Sender address is a towson student, so why would official email to change something come from that
• No external tag because of student address
• Grammar and Spelling is bad

Date: 12/19/2024

Subject: Open Enrollment for 2024  for all Towson Employee

Comments:

• External Tag is on 
• Sender Address is not Towson
• PDF Attachment has a QR code with a link to a Russian URL that hosts a malicious Microsoft Credential Capturing form
• TU will never use a QR code for official communication

Date: 12/14/2023

Subject: Today@TU - 12/14/2023 | Release MessagesComments:

• This was a good one
• External Tag is on
• Sender Address is Random characters @ another .edu 
• link goes to a Non TU URL which then impersonates our login page
• If credentials are entered a duo page will appear
• 

Date: 12/11/2023 --Multiple Emails same tactics

Subject: YETI_30 OZ TRAVEL MUG Confirmation

Subject: Re: 2nd attempt for <Username>

Subject: Important for <Username>, congrats You Are Our <Month> Winner

Subject: Dicks Sporting Goods Surprise: You Are Our Today's Winner , You've been selected!

 

Comments:

• External Tag
• sending address is suspicious random characters @ randomcharacters.onmicrosoft.com YETI-Surprise <info_cIrOIHKUREp@xv917y1.onmicrosoft.com>
• Embedded link in the image to suspicious random characters.blob.core.windows.net/random characters https://sgqfdghqsfdtyzrt[.]blob[.]core[.]windows[.]net/sgqfdghqsfdtyzrt/url[.]html
• Random email giving away free items?
• We have seen this done with other giveaways but tactics are the same, random onmicrosoft.com sending address and random blob.core.windows.net URL and some sort of congratulations on winning something

 

Date: 11/6/2023

Subject: The Care Employment Opportunity

If you open the attachment

Comments: 

• Not from official TU Job boards
• Offer is too good to be true
• Body of the email tells you to move the communications to a personal email platform

Date: 10/19/2023

Subject: Banks, Sean shared "Faculty Application for Employment " with you

Comments:

• Sender shared the file, but the description has a different name.
• Link is not to TU SharePoint

Date: 10/19/2023

Subject: Document for Dr. Melanie Perreault

Comments:

• External Tag
• Google Sharing
• Sender and description have a different name
• Sender is not from Towson

Date: 10/13/2023

Subject:  PASSWORD RESET REMINDER

Comments:

• External Tag

Date: 9/20/2023

Subject: Attention: Re-authenticate 2 Factor Authentication (2Fa) for <USERNAME> on Friday-September-2023 11:28 AM

Comments: 

• OTS will not ask you to scan QR codes in emails
• External Tag is at the bottom
• Sender address is not Towson

Date: 9/19/2023

Subject: About Piano

Comments: 

• Offer is to good to be true
• There are various different versions of this email

Date: 9/6/2023

Subject: I Recorded You

Comments:

• Very common scam email, attackers send this to thousands and try to get one or two to send money
• The request is absurd
• Bitcoin is used all the time during scams
• If you think your account is compromised please reach out to phishing@Towson.edu

Date: 9/2/2023

Subject: Administrative Assistant/Project Coordinator

Comments:

• Offer is too good to be true
• Reply email is not associated with the University
• If you reply the attackers will try to move to another means of communication, like SMS or personal email

Date: 8/17/2023

Subject: Kindly provide your cell number that i can reach you at 

OR

Subject: Available, Cell Phone Number?

Comments:

• Email address does not match name of sender
• External Tag
• The main hook is to get this conversation to another means of communication where security controls do not exist
• 
• End game is for the user to go and buy gift cards and send the numbers to the malicious actor
• Grammar in the text message is poor

Date: 8/17/2023

Subject: Required | Towson Multi-Factor Auth

Comments: 

• This is a pretty good one, there is no external tag
• If you actually did scan the QR code there were multiple redirects that ultimately ended on a malicious credential capture page
• TU does not use Microsoft MFA

 

Date: 7/24/2023

Subject: Gary  Spencer shared "ATHLETICS INFORMATION REPORT SUMMARY" with you.

Comments

• Subject sharing name is different from the body of the email.  Urgency in the body of the email
• Punctuation in body of email
• URL when you mouse over the link. 

Date: 7/24/2023

Subject: Retirement Planning Sessions for the University System of Maryland Employees

Comments

• External Tag
• From Address