Language:
SEARCH

phishing

Phishing: Subject “Your Email Address Has Been Compromised”

Wednesday, November 15th, 2017

We’ve had a couple of reports from personnel and students about getting messages with a subject of “Your Email Address Has Been Compromised” (notice the capitalisation of every word, which is one of the signs of phishing)

The scammers have spoofed the recipient (your e-mail address to read info@verify.com) and the sender seems to come from a compromised university account in the USA (address end with an .edu)

The subject says: “Your Email Address Has Been Compromised” and a link Verify HERE is included which takes you to a website ending with a “weebly.com”. It looks already as if the website is offline or has already been blocked by Information Technology, but you should never click on links in mail if the sender is unknown.

Keep in mind, Information Technology will never send you such a mail, telling you that your e-mail address has been compromised. All IT’s communications are bilingual and will always address you personally.

If you get mail like this and you are not sure if it is legitimate or not, you should never click links or respond but rather contact IT telephonically at 808 4367 to verify. 

Information Technology will send you an automated mail IF you have changed your password on the network that is branded, is bilingual, and informs you of a password change, but it is always better to check and make sure especially if you HAVEN’T changed your password or don’t recall if you have changed your password.

Here is an example of the current phishing scam.

 

 

If you have received mail that looks like this please immediately report it to the Information Technology Security Team using the following method:

Send the spam/phishing mail to the following addresses

help@sun.ac.za

…and sysadm@sun.ac.za as well.

 Attach the phishing or suspicious mail on to the message if possible. There is a good tutorial on how to do this at the following link (Which is safe) : http://stbsp01.stb.sun.ac.za/innov/it/it-help/Wiki%20Pages/Spam%20sysadmin%20Eng.aspx

  1. Start up a new mail addressed to sysadm@sun.ac.za (CC: help@sun.ac.za)
  2. Use the Title “SPAM” (without quotes) in the Subject.
  3. With this New Mail window open, drag the suspicious spam/phishing mail from your Inbox into the New Mail Window. It will attach the mail as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
  4. Send the mail.

If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private e-mail accounts (especially if you use the same passwords on these accounts.)

Phishing: Subject “Unusual Login Attempt”

Monday, October 30th, 2017

A new phishing attempt on staff and students of Stellenbosch University by means of a fake website was launched earlier this week. The website has been blocked by IT in the meantime so you will not be able to access it. 

The mail will be simple with a subject line of “Unusual Login Attempt”. 

The recipient field has been spoofed to hide the sender and recipient and the content of the mail is simply a link that says:

“For Details Verify” (with the Verify links to a website called “stellenboschuniversity.weebly.com”) (See example below)

If you suspect an email is a phishing attempt, please immediately report it to the Information Technology Security Team. With your help, we can block the malicious website as soon as possible and quarantine the compromised sun account from which the email is sent. If you are not sure how to recognise a phishing email, here are a few tips. Also have a look at examples of previous phishing attempts.

Instructions to report a phishing, spam or malware incident.

If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private e-mail accounts (especially if you use the same passwords on these accounts.)

[ARTICLE BY DAVID WILES]

 

PHISHING: Absa Surecheck Profile App

Monday, October 16th, 2017

Over the weekend and as already reported by a number of Tygerberg colleagues & students, a variant of last week’s ABSA phishing scam has started flooding our email.

The tactics have changed slightly and the criminals are now using a South African domain name to launch their attack. Below is the example of the phishing email, with the forged “ABSA Bank” login page to attempt to convince you to give your bank details willingly to the scammers.

The subject of the email is “Absa Surecheck Profile App – Upgrade | FICA information” which is designed to say absolutely nothing. It is what is known in information technology circles as “techno-babble”

While the methods used to steal a your banking details may differ, the process followed by fraudsters to steal money from their victims in South Africa are nearly always the same:

  1. Get the person’s Internet banking details, typically through a phishing attack. (as shown below)
  2. Get a banking account/s to which money can be transferred to and withdrawn.
  3. Clone the SIM card used by the victim.
  4. Create beneficiaries (using the list of banking accounts) and transfer money to these beneficiaries.
  5. Withdraw the money from these accounts.

Here are the obvious warning signs:

  1. The sender is not an ABSA email account (in this case a “throwaway” German email account used to send millions of phishing e-mails)
  2. Vague and deceptive subject lines (Techno-babble)
  3. An attached file (.htm) that contains a web page that opens up in your browser and links in the background to the server in South Africa.
  4. Impersonal salutation. “Dear Valued Customer”. Banks will never address you like this. They have your money – so it stands to reason that they will know your name as well.
  5. “Online verification” has **** to convince you that the email is genuine, but university addresses end with ac.za, not co.za.

 

The web page that you are directed to is actually the .htm file based on your computer (as an attachment, but links directly to the phishing server in the background.)

In this case is iteron.co.za which is listed as “undergoing maintenance” but is fully functional in the background.

 

 

If you have received an email that looks like this please immediately report it to the Information Technology Security Team using the following method:

Send the spam/phishing email to the following addresses

help@sun.ac.za

…and sysadm@sun.ac.za as well.

 Attach the phishing or suspicious email on to the message if possible. There is a good tutorial on how to do this at the following link (Which is safe): http://stbsp01.stb.sun.ac.za/innov/it/it-help/Wiki%20Pages/Spam%20sysadmin%20Eng.aspx

  1. Start up a new email addressed to sysadm@sun.ac.za (CC: help@sun.ac.za)
  2. Use the Title “SPAM” (without quotes) in the Subject.
  3. With this New Mail window open, drag the suspicious spam/phishing email from your Inbox into the New Mail Window. It will attach the email as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
  4. Send the email.

If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private e-mail accounts (especially if you use the same passwords on these accounts.)

[ARTICLE BY DAVID WILES]

PHISHING: Confirm your email account”

Wednesday, October 11th, 2017

The latest phishing attempt uses a rather obtuse message about “confirming your email account” to prevent a shutdown of your account. It also used your email address in the salutation, which might fool some people, thinking it is genuine.

Information Technology would never send out an email like this, lacking personal salutations, direct contact via telephone, and threatening to close your account down. 

Here is the phishing e-mail example below with the dangerous parts removed. Do not click on the link or provide any personal information. Luckily the phishing email and the server comes from the Far East, so it should be rather obvious that it is a scam:

This is what the phishing website looks like. 

If you have received mail that looks like this please immediately report it to the Information Technology Security Team by sending an email to help@sun.ac.za.

 Attach the phishing or suspicious mail on to the message if possible. There is a good tutorial on how to do this at the following link (Which is safe) : http://stbsp01.stb.sun.ac.za/innov/it/it-help/Wiki%20Pages/Spam%20sysadmin%20Eng.aspx

  1. Start up a new mail addressed to sysadm@sun.ac.za (CC: help@sun.ac.za)
  2. Use the Title “SPAM” (without quotes) in the Subject.
  3. With this New Mail window open, drag the suspicious spam/phishing mail from your Inbox into the New Mail Window. It will attach the mail as an enclosure and a small icon with a light yellow envelope will appear in the attachments section of the New Mail.
  4. Send the mail.

If you did click on the link of this phishing spam and unwittingly give the scammers your username, e-mail address and password you should immediately go to http://www.sun.ac.za/useradm and change the passwords on ALL your university accounts (making sure the new password is completely different, and is a strong password that will not be easily guessed.) as well as changing the passwords on your social media and private e-mail accounts (especially if you use the same passwords on these accounts.)

[ARTICLE BY DAVID WILES]

 

PHISHING: ABSA account statement

Monday, October 9th, 2017

Please be wary of receiving so-called “Bank Account Statements” or alleged payment/transaction notifications that arrive in your mailbox from one of South Africa’s banks. In most cases, they are phishing scams designed to fool you into willingly giving the criminals your bank account details and password/PIN code.

The warning signs are obvious, but the amount of email that we all get every day and the day-to-day stress of the workday, often make us miss the warning signs. 

Below is a typical phishing scam some university accounts received this morning. It could just as well be FNB or Standard Bank, therefore it’s important that you note the warning signs:

  1. Do you have a bank account with the bank? If not why are they sending you an account statement?
  2. Unless you are directly responsible for your department’s finances and your department has a bank account with ABSA or your official university e-mail account is the contact address for your bank correspondence, you shouldn’t be getting emails from any bank.
  3. There is no personal salutation. Banks have your contact details and they will always address you personally, never as “Dear Customer”.
  4. The grammar and spelling are usually poor. This is because the scammers are often from countries where English isn’t the main language.
  5. There is always an attached file or link you should click on or open and type in your details including passwords to “verify” your identity. Email is NOT secure and revealing any details with this medium is very risky.
  6. Branding (e.g. logos and templates) of banks can easily be copied from the bank websites and forged. Just because the bank’s logo is in the e-mail it doesn’t make the mail is official.
  7. The website you are taken to will not be the official address. Often these are compromised websites which have been hacked by criminals and used for identity theft. See the example below. The address in the address bar is clearly not ABSA’s address.

The phishing website looks like this – very similar to the login page of the ABSA website:

[ARTICLE BY DAVID WILES]

 

 

 

 

© 2013-2017 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.