INFORMATION SECURITY ALERT: RISK LOW - Private message from Amit Chakma

By: Jeffrey Gardiner

November 3, 2016

RISK: Low (loss of credentials, low level identity theft)

Many people within the Western community have reported receiving an email purporting to have originated from President Chakma. I’ve attached a slightly modified copy below. Because the President’s email address was used in the attack, the President’s office is also receiving bounce messages. These bounces are called “back scatter”.

https://en.wikipedia.org/wiki/Backscatter_(email)

THIS EMAIL WAS NOT SENT BY PRESIDENT CHAKMA.

How can you be sure?

1. The envelope says it is From: Amit Chakma <amit.chakma@uwo.ca> but the reply to address is actually Georgia Tech (ds9@gatech.edu).

2. Examining the headers we see the email originated from Microsoft’s IP 104.43.237.102

3. Georgia Tech uses Microsoft’s Office365 (like Western) -- http://it.iac.gatech.edu/office365

4. Hovering over the ‘Click Here’ link shows that it leads somewhere other than where it claims (NOTE: For this email I’ve removed the original link and replaced it so that no one is victimized).

5. The phishers have made some effort to make the email seem real by personalizing it: the greeting is the recipient’s email address (Hello western.user@uwo.ca).

6. This phishing attempt is quite good, but there is no other assurance such as a digital signature.

7. Official emails ITS sends on behalf of anybody can be viewed here: http://www.uwo.ca/its/email/account/official_account_emails_from_its/index.html

WHAT TO DO

A. Forward a copy of the email to ‘phishing@uwo.ca’ including the headers: http://www.uwo.ca/its/email/spam_phishing/forwarding_emails_with_full_headers.html

B. Delete the message.

C. Visit Cybersmart for additional tips on recognizing phishing: https://cybersmart.uwo.ca/secureemail/phishing/index.html

D. Pat yourself on the back for recognizing a phishing message and avoiding it.

IF you’ve clicked on the link and provided your credentials, please CHANGE YOUR PASSWORD NOW: http://www.uwo.ca/its/identity/changepw.html

Any questions to your local Faculty or ITS Helpdesk: http://www.uwo.ca/its/helpdesk/

How can you tell this email is not phishing?

1. I’ve digitally signed it

2. It will be posted to ITS official email pages shortly

The FAKE email appears as follows:

<-=-=-=-=-=-=-=-=- EXAMPLE PHISHING EMAIL -=-=-=-=-=-=-=-=->
From: "Amit Chakma <amit.chakma@uwo.ca>" <ds9@gatech.edu>
Date: Thursday, November 3, 2016 at 1:02 AM
To: Western User <western.user@uwo.ca>
Subject: Private message from Amit Chakma

Hello western.user@uwo.ca

You have received a secure private message from the A Chakma, Click here <https://cybersmart.uwo.ca/secureemail/phishing/index.html> to view the message now.

Regards, Amit Chakma Office of the President, President and Vice-Chancellor of Western University.
<-=-=-=-=-=-=-=-=- EXAMPLE PHISHING EMAIL -=-=-=-=-=-=-=-=->
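
The sender mismatch described in check 1 can be tested mechanically. The following is an added example, not part of the original alert or any ITS tooling: it parses the From header of the sample above and flags a display name that shows one address while the header actually declares another, plus a Reply-To in a different domain. The names `SAMPLE`, `sender_findings` and `domain_of` are hypothetical, and the sample message is constructed from the headers shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers copied from the example phishing email on this page.
SAMPLE = (
    'From: "Amit Chakma <amit.chakma@uwo.ca>" <ds9@gatech.edu>\n'
    "To: Western User <western.user@uwo.ca>\n"
    "Subject: Private message from Amit Chakma\n"
    "\n"
    "Hello western.user@uwo.ca\n"
)

# Matches an email address and captures its domain.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def domain_of(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_findings(raw_message):
    """Return a list of reasons the sender headers look spoofed (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    real_domain = domain_of(addr)
    findings = []

    # An address embedded in the display name is what most mail clients show;
    # the address in angle brackets is the one the header actually declares.
    for m in ADDR_RE.finditer(display):
        if m.group(1).lower() != real_domain:
            findings.append(
                f"display name shows {m.group(0)} but From address is {addr}")

    # A Reply-To in a different domain sends replies away from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != real_domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {real_domain}")

    return findings


if __name__ == "__main__":
    for finding in sender_findings(SAMPLE):
        print("SUSPICIOUS:", finding)
```
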

