Phish of the Month: June

June 21, 2024

An interesting and somewhat clever scam email recently made the rounds at the University of Alaska. It arrived in UA inboxes using an assortment of emails.

The Scam

The "login" link displayed in these emails directs the victim to a Google Form. The fields in the form mimic login fields, but are actually plain text fields that collect and record the user's login information, including a request for a Duo MFA one-time passcode:

[Image: fraudulent form requesting login information]

This passcode, which is only refreshed the next time it is requested, allows the user to log in simply by entering the code into the Duo prompt, even if the user's preferred method is a push, hardware key, or other means. Every time the attackers gain control of an account, it is used to send out more phishing emails, this time from a "trusted" alaska.edu account.

How to Spot this Phish

While this particular phish is an impressive innovation in many ways, following a few safety guidelines can help you avoid becoming a victim:

  • Always verify the sender
    • These phishes entered the UA system from a different .edu account, but claimed to be from UAA
    • Check to make sure the sender is appropriate - in general, documents like these would likely be sent by a departmental account, not an unaffiliated individual
  • Look for forms masquerading as login pages
    • If your password is displayed in viewable, plain text as you enter it, the page is likely fraudulent
    • Look for oddly formatted elements, such as:
      • the UAA header is displayed on a purple background and is of poor quality
      • the label for the password field is written as "笔础釓氠彋奥0釓扗" to prevent automatic fraud detection by Google
    • Lastly, near the Submit button, there is a warning that you should never submit passwords through Google Forms.
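
A triage heuristic for the indicators listed above, added here as an example and not code from OIT or Google: it flags a message that links to a Google Form whose text asks for credentials or contains labels mixing Latin letters with look-alike characters from another script. The sample message, URL and form text are constructed, and the script check (first word of each character's Unicode name) is an assumption about how such a label is obfuscated.

```python
import re
import unicodedata

# Google Forms links: the long docs.google.com form and the forms.gle short form.
FORM_LINK = re.compile(r"https?://(?:docs\.google\.com/forms|forms\.gle)/\S+", re.I)
# Words a legitimate survey form should not need to ask for.
CRED_WORDS = re.compile(r"\b(password|passcode|duo|username)\b", re.I)

def scripts(token):
    """Approximate the scripts used in a token from Unicode character names."""
    found = set()
    for ch in token:
        if ch.isalpha():  # digits and underscores carry no script information
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def mixed_script_tokens(text):
    """Return tokens whose letters mix two or more scripts (e.g. LATIN + CHEROKEE).
    Heuristic only: languages that normally mix scripts will also be flagged."""
    return [t for t in re.findall(r"\w+", text) if len(scripts(t)) > 1]

def triage(body, form_text=""):
    """Return the reasons a message deserves analyst review (empty list = none)."""
    reasons = []
    if FORM_LINK.search(body):
        reasons.append("links to a Google Form")
    if CRED_WORDS.search(form_text):
        reasons.append("form asks for credentials or an MFA passcode")
    odd = mixed_script_tokens(form_text)
    if odd:
        reasons.append("mixed-script label(s): " + ", ".join(ascii(t) for t in odd))
    return reasons

# Constructed samples: a lure body and the visible text of the form it links to.
# The password label swaps four Latin letters for Cherokee look-alikes.
SAMPLE_BODY = "Please login to view the document: https://docs.google.com/forms/d/e/EXAMPLE/viewform"
SAMPLE_FORM = "Username\nPA\u13da\u13daWO\u13a1\u13a0\nDuo passcode"

if __name__ == "__main__":
    for reason in triage(SAMPLE_BODY, SAMPLE_FORM):
        print("FLAG:", reason)
```
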

What Should You Do?

Did you encounter a message like the one described above? Please report it!

How to Report Phishing

If you use Google Mail in the web client, please report these emails as phishing. Alerting Google in this manner helps keep emails like these out of inboxes, as well as sending a notice to the OIT Security Operations team for further investigation.

Outlook user? Submit a report to mark these emails as dangerous.

As always, contact your local Service Desk if you need assistance!

UAA

or call 907-786-4646

UAF & SW (OIT)

or call 907-450-8300

UAS

or call 907-796-6400