Introduction
The following recounts an actual phishing attack launched against the College's email users on March 16, 2016. Unfortunately a couple hundred users fell for the attack because of some clever social engineering on the part of the phishers. The takeaway? Don't automatically trust any message you receive on any electronic device, and know how to distinguish between a legitimate Amherst login page and a phony one.
Note
If you suspect that you have received a phishing email, please forward it to phishing@amherst.edu. We track all phishing attempts and actively block links to fraudulent websites.
Instructions
On March 16, 2016, just about all mailboxes on the Amherst mail server received the following message:
The message has the From: address of noreply@amherst.edu, which fooled many people. This is an example of a spoofed email address, where the From: address isn't really the address of the sender. You should be aware that spoofing an email address is trivially easy.
And the message itself should set off alarms. You're reading your email, and you get a message to go elsewhere to actually read the message. That doesn't make sense.
If you use your computer to read your mail and have suspicions about a link, you can move your mouse pointer over the link and read what pops up. In this case, you would have seen the following:
The link is to a strange, non-Amherst address and should have raised more red flags. Be careful, however; like the From: address, the mouse-over can be spoofed. So if you see a strange address here it is evidence that the email is bogus, but seeing an Amherst address here doesn't mean the message is genuine.
At this point, many people clicked the "Enter here" link and were presented with the following login page:
It looks like the login page to Amherst's Outlook Web Access service--in fact, it was "scraped" from our login page. Many people took it for the OWA login and entered their Amherst username and password, despite the fact that they were already logged into their Amherst email accounts.
But once you land on this page, it isn't hard to tell that this is not a legitimate Amherst login page. The key is the URL in the address bar. If you know what the address of a legitimate Amherst login page looks like, you would never enter your credentials on the above page. Note that if you are using your phone, you may have to drag your browser screen downward to see the URL.
The address of a legitimate Amherst login page has the following format:
(lock icon) https://<variable text>.amherst.edu/<variable text, possibly including other slash marks>
and all the following characteristics:
- must begin with a lock icon
- first text must be https://; not http:// or anything else
- text between the initial double slashes (//) and the first single slash (/) must end with .amherst.edu
As you can see in the screenshot above, the URL of the phishing login page had none of the characteristics of a legitimate Amherst login page.
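The two text rules above can also be checked mechanically, for instance when reviewing a link from a reported message. The JavaScript below is an added example, not code from Amherst IT: the function name and all sample URLs are constructed, and it assumes "the text between // and the first /" means the host that the browser's own URL parser reports. The lock icon is browser interface and cannot be checked this way.

```javascript
// Added example: apply the page's URL rules to a link.
// checkLoginUrl and the sample URLs are constructed for illustration.
const REQUIRED_SUFFIX = ".amherst.edu";

function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: the same parsing rules browsers use
  } catch {
    return { ok: false, host: null, reasons: ["not a complete URL with a scheme"] };
  }
  const reasons = [];
  // Rule: first text must be https://
  if (url.protocol !== "https:") {
    reasons.push(`begins with ${url.protocol}// instead of https://`);
  }
  // Rule: the host must END with .amherst.edu. url.host is lower-cased,
  // includes any non-default port, and excludes a "user:password@" prefix,
  // so text placed before an "@" cannot pose as the host.
  if (!url.host.endsWith(REQUIRED_SUFFIX)) {
    reasons.push(`host "${url.host}" does not end with ${REQUIRED_SUFFIX}`);
  }
  return { ok: reasons.length === 0, host: url.host, reasons };
}

// Constructed sample links, one per way of failing the rules.
const SAMPLES = [
  "https://www.amherst.edu/login",             // passes both rules
  "http://www.amherst.edu/login",              // wrong scheme
  "https://www.amherst.edu.login.example/owa", // amherst.edu is not at the end
  "https://login.amherst.edu@phish.example/",  // real host follows the "@"
  "https://notamherst.edu/",                   // missing the dot before amherst
  "www.amherst.edu/login",                     // no scheme at all
];

for (const link of SAMPLES) {
  const result = checkLoginUrl(link);
  console.log(result.ok ? "PASS" : "FAIL", link, result.reasons.join("; "));
}
```

Passing this check only means the address has the right shape; the lock icon still has to be confirmed in the browser itself.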
Please read the article "Know Where You are Logging In" to learn more about how to tell a legitimate login page from an illegitimate one.