Phishing Review

Phishing Overview

We will be looking at a phishing attempt that hit EIU this week.

In this case, someone from outside EIU was pretending to be from Amazon.com, and the attacker attempted to get the user's credentials.

Were there any clues that this was a phishing email?

Questions to ask:

  • Was I expecting this email?
  • Generic use of “Dear Customer” and not my name?
  • Use of urgency?
  • Why is it from Amazon when the email is to supporte@updateamazon.com?
  • Why does hovering over the link show jakorposeutation.com?
  • Why is “détails” used instead of “Details”?

Reviewing the email

Notice that if you hover over “Update now”, the link goes to https://jakorposeutation.com and not amazon.com.

The word “détails” is a way to avoid spam/phishing filters.

They want you to panic and react without thinking:

  • “If you do not update your account within 24 hours (from opening this email) will be officially permanently disabled.”

They put (Open from this email) because they know that if I go to Amazon directly, I would see nothing and not get phished.

The red flags are starting to add up. At this point, I would delete this email and log in to amazon.com directly to see if there are any messages for me. Another option is to forward the email to the EIU phishing group at phishing@eiu.edu. ITS will review the email and let me know if it is OK.

Phishing Review 02/27/2020

Phishing Overview

We will be looking at a phishing attempt that hit EIU this week.

In this case someone from outside EIU was pretending to be from EIU and the attacker attempted to get you to give up your credentials.

Were there any clues that this was a phishing email?

Questions to ask:

  • Was I expecting this email?
  • Does the link match the company who it is for?
  • Does it ask me to do something out of the ordinary?
  • Why does it say [SPAM]?
  • Does the link forward to a non-EIU page that looks like EIU?
  • Is there an EIU verification link?

Reviewing the email

Notice [SPAM] has been added to the subject line. Office 365 is noticing something is not right with this message.

Look at the From address: it shows info@nicomu-butsuryu.com. This is not Eastern Illinois University (example@eiu.edu).

Improper grammar: There is no punctuation within the email, every letter is capitalized and the email ends with a pipe symbol.

Why is “EIU” linked to a stanford.edu address, without explaining it?

In this email there is a link. If you put your cursor over the link, the bottom left of your browser will show where the link will take you. You can see that it shows sanookpark.com.com, not stanford.edu.

There is no EIU email verification link at the bottom. You can always check https://www.eiu.edu/verify for official emails.

*Tip: If you have the option, go to the website directly; do not click links within email.

Sadly, this website does a good job of mimicking our EIU page, but there are some clues if we look for them. In the address bar of the browser, eiu.edu is not listed; it shows sanookpark.com. Never put in your username and password unless the URL is eiu.edu and starts with https://.

The red flags are adding up. At this point, I may call payroll directly. Another option is to forward the email to the EIU phishing group at phishing@eiu.edu. ITS will review the email and let me know if it is OK.

Aaron B. Allison, GSEC – IT Technical Associate
Information Technology Services | Eastern Illinois University
217.581.1939 | Office365 Teams: aballison | www.eiu.edu/panthertech

 

Phishing Review

Phishing Overview

We will be looking at a phishing attempt that hit EIU recently.

In this case, someone at EIU was compromised, and the attacker used their account to try to trick other EIU users.

Were there any clues that this was a phishing email?

Questions to ask:

  • Was I expecting this email?
  • Do I usually get this type of request from this person?
  • Does the link match the company who it is for?
  • Does it ask me to do something out of the ordinary?
  • Is there an EIU verification link?

Reviewing the email

In this email there is a link. If you put your cursor over the link, the bottom left of your browser will show where the link will take you. You can see that it shows googleapis.com, not DocuSign.

The link does not match. The email says DocuSign but the link says googleapis.com.

The link took me to a login page that didn’t look familiar, and the web browser address bar does not show eiu.edu. Never put your username and password into a place you are not familiar with.

*Tip: If you have the option, go to the website directly; try not to click links within email.

The red flags are starting to add up. At this point, I may call the person directly. Another option is to forward the email to the EIU phishing group at phishing@eiu.edu. ITS will review the email and let me know if it is OK.

Aaron B. Allison, GSEC – IT Technical Associate
Information Technology Services | Eastern Illinois University
217.581.1939 | Office365 Teams: aballison | www.eiu.edu/panthertech
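
The checks walked through in the reviews above (the [SPAM] tag, the sender's domain, where a link really goes, and the accented “détails”), written out as an added example that is not part of the original bulletins or any EIU tooling. The sample message is constructed, the `.example` hosts are placeholders, and `LinkCollector`, `under` and `review_email` are names chosen here.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not the real message); the .example hosts are placeholders.
SAMPLE = """\
From: EIU Payroll <info@mailer.example>
Subject: [SPAM] PAYROLL UPDATE

<p>Confirm your account détails at <a href="https://eiu.edu.login-portal.example/">EIU</a>.</p>
<p>Verify: <a href="https://www.eiu.edu/verify">eiu.edu/verify</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects every <a href> target plus all visible body text."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")
    def handle_data(self, data):
        self.text.append(data)

def under(host, domain):
    """True for domain itself or a real subdomain; eiu.edu.x.example fails."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def review_email(raw, trusted_domain):
    """Return red flags for one raw message; heuristics, not a verdict."""
    msg, flags, page = message_from_string(raw), [], LinkCollector()
    if "[SPAM]" in (msg["Subject"] or ""):
        flags.append("subject tagged [SPAM]")
    sender = parseaddr(msg["From"] or "")[1]
    if not under(sender.rpartition("@")[2], trusted_domain):
        flags.append("sender outside " + trusted_domain)
    page.feed(msg.get_payload())
    for href in page.hrefs:  # the href is what hovering over the link reveals
        if not under(urlsplit(href).hostname, trusted_domain):
            flags.append("link goes to " + href)
    for word in re.findall(r"\w+", " ".join(page.text)):
        folded = unicodedata.normalize("NFKD", word).encode("ascii", "ignore")
        if not word.isascii() and folded.isalpha():  # also fires on real loanwords
            flags.append("accented spelling: " + word)
    return flags
```

Calling `review_email(SAMPLE, "eiu.edu")` flags the lookalike host that merely starts with `eiu.edu` while leaving the genuine `www.eiu.edu/verify` link alone.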

 

Safeguarding EIU Data

At Eastern Illinois University, we must be aware and safeguard the information of our students, employees, and future Panthers.

Sensitive information can be stored in many ways: on a website, in a database, on paper copies, or within an electronic document. Information that is considered sensitive can include: name, date of birth, social security numbers, grades, bank routing number, credit card number, insurance, health information or tax information. All of it must be protected.

Tips for safeguarding our data

  • Be mindful of what you throw away in a trash can. Always shred documents containing sensitive information in alignment with our retention policy.  Additional information regarding the retention policy can be found at https://www.eiu.edu/recordsmanagement.
  • Never share or request sensitive information via unencrypted sources, such as email.
  • Only use EIU-supported platforms to store sensitive information. Do not copy sensitive information to personal devices or services such as Google Drive or Dropbox.
  • Do not store information on unencrypted devices (flash drives, portable hard drives, or cell phones).
  • Be aware and report phishing emails to phishing@eiu.edu.
  • Lock your office door when you leave.
  • Lock your computer when leaving your desk.
  • File away papers containing sensitive information when leaving your desk; do not leave them visible or accessible.
  • Be attentive to employee changes and let ITS know if an employee no longer requires access to systems, places, or information by emailing itshelp@eiu.edu.
  • Do not reuse passwords or write them down and store them in easily accessible locations such as on your monitor, under your keyboard or under your mouse pad.

Thank you,
Aaron B. Allison, EIU Panthertech Security
Information Technology Services | Eastern Illinois University
217.581.1939 | Office365 Teams: aballison | www.eiu.edu/panthertech