Phish of the Month: June

An interesting and somewhat clever scam email recently made the rounds at the University of Alaska. It arrived in UA inboxes in an assortment of different emails.

The Scam

The "login" link displayed in these emails directs the victim to a Google Form. The fields in the form mimic login fields, but they are simply text fields that collect and record the user's login information, including a request for a Duo MFA one-time passcode:

[Image: fraudulent form requesting login information]

This passcode, which is only refreshed the next time it is requested, allows a login to be completed simply by entering the code into the Duo prompt, even if the user's preferred method is a push, hardware key, or other means. Every time the attackers gain control of an account, it is used to send out more phishing emails, this time from a "trusted" alaska.edu account.

How to Spot this Phish

While this particular phish is an impressive innovation in many ways, following a few safety guidelines can help you avoid becoming a victim:

  • Always verify the sender
    • These phishes entered the UA system from a different .edu account, but claimed to be from UAA
    • Check to make sure the sender is appropriate: in general, documents like these would likely be sent by a departmental account, not an unaffiliated individual
  • Look for forms masquerading as login pages
    • If your password appears in viewable, plain text as you type it, the page is likely fraudulent
    • Look for oddly formatted elements, such as:
      • the UAA header is displayed on a purple background and is of poor quality
      • the label for the password field is written as "PAᏚᏚW0ᏒD" to prevent automatic fraud detection by Google
    • Lastly, near the Submit button, there is a warning that you should never submit passwords through Google Forms.
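
The look-alike label described above ("PAᏚᏚW0ᏒD") can also be caught mechanically. The Python sketch below is an added example, not part of the original article or of any UA or Google tooling; the confusables table, the keyword list and the sample labels are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike table: the two Cherokee letters
# and the digit used in the label quoted above, plus a few common swaps.
# It is not the full Unicode confusables list.
CONFUSABLES = {
    "Ꮪ": "S",  # Cherokee letter that resembles Latin S
    "Ꮢ": "R",  # Cherokee letter that resembles Latin R
    "0": "O", "3": "E", "5": "S", "@": "A", "$": "S",
}

# Field labels that should not appear on a third-party form (assumed list).
SENSITIVE = ("PASSWORD", "PASSCODE", "USERNAME")


def fold(label: str) -> str:
    """Return the label as a reader perceives it: look-alikes mapped to Latin."""
    text = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text).upper()


def scripts(label: str) -> set:
    """Rough script of each letter: the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def check_label(label: str) -> str:
    """Classify a form field label as 'disguised', 'plain' or 'ok'."""
    if not any(word in fold(label) for word in SENSITIVE):
        return "ok"
    # A keyword that only shows up after folding was written with look-alikes.
    plain = any(word in label.upper() for word in SENSITIVE)
    if plain and scripts(label) <= {"LATIN"}:
        return "plain"
    return "disguised"


if __name__ == "__main__":
    # Constructed sample labels; the first is the one quoted in the article.
    for label in ["PAᏚᏚW0ᏒD", "Password", "Passw0rd", "Department"]:
        print(f"{label!r}: {check_label(label)} (scripts: {sorted(scripts(label))})")
```

A "disguised" result means the sensitive word is only readable after look-alike characters are folded back to Latin, which is the evasion pattern this phish relied on.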

What Should You Do?

Did you encounter a message like the one described above? Please report it!

How to Report Phishing

If you use Google Mail in the web client, please report these emails as phishing (instructions here: https://support.google.com/mail/answer/8253?hl=en). Alerting Google in this manner helps keep emails like these out of inboxes, as well as sending a notice to the OIT Security Operations team for further investigation.

Outlook user? Submit a Junk > Phishing report to mark these emails as dangerous.

As always, contact your local Service Desk if you need assistance!

 

UAA 

Report Security Issue
or call 907-786-4646

UAF & SW (OIT) 

Report Security Issue
or call 907-450-8300

UAS 

Report Security Issue
or call 907-796-6400