2014.05.01: Phishing Attempt, "Documentations via Google"

Need to change your password? Click here for directions!

Timeline

6:48AM: A student account was compromised and began sending out emails with the subject line "Documentations via Google". This email contained a link that looked sufficiently legitimate to trick people into entering their CalArts email addresses and passwords. Whenever email credentials were supplied, the attacker began sending the same message again from the newly compromised account.

8:31AM: A second account began sending out this message and inadvertently opened an IT ticket.  We immediately began investigating and notifying the community through Twitter.

10:30AM: CalArts IT adjusted internal DNS rules to capture that URL and redirect it to this article. This will only affect people on campus who attempt to go to the offending URL.
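The timeline above describes a chain of compromises: each account that gives up its credentials is then used to send the same message. The script below is an added example (not CalArts IT's own tooling) showing how an administrator could search outbound mail logs for that subject line to list the sending accounts, order them by first send time to find the likely initial compromise, and confirm the propagation pattern (an account received the message before it started sending it). The log format and all addresses are constructed for the example; real mail servers log in their own formats, so the regular expression would need to be adapted.

```python
import re
from datetime import datetime

# Constructed sample of outbound mail-log lines (not real CalArts logs).
# Assumed format: '<ISO timestamp> from=<sender> to=<recipient> subject="<subject>"'
SAMPLE_LOG = """\
2014-05-01T06:48:02 from=student1@example.edu to=prof.a@example.edu subject="Documentations via Google"
2014-05-01T06:48:03 from=student1@example.edu to=staff.b@example.edu subject="Documentations via Google"
2014-05-01T07:10:44 from=prof.a@example.edu to=student1@example.edu subject="Re: thesis draft"
2014-05-01T08:31:15 from=staff.b@example.edu to=dept-list@example.edu subject="Documentations via Google"
2014-05-01T08:31:16 from=staff.b@example.edu to=helpdesk@example.edu subject="Documentations via Google"
2014-05-01T09:02:00 from=prof.c@example.edu to=staff.b@example.edu subject="documentation for the Google form"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)

# Subject line reported in the incident.
PHISH_SUBJECT = "Documentations via Google"


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def _is_phish(event, subject):
    # Exact, case-insensitive match on the whole subject, so a benign message
    # such as "documentation for the Google form" is not flagged.
    return event["subject"].strip().casefold() == subject.casefold()


def find_compromised_senders(events, subject=PHISH_SUBJECT):
    """Return {sender: (first_send_time, messages_sent)} for accounts that sent the phishing subject."""
    hits = {}
    for e in events:
        if not _is_phish(e, subject):
            continue
        first, count = hits.get(e["sender"], (e["ts"], 0))
        hits[e["sender"]] = (min(first, e["ts"]), count + 1)
    return hits


def spread_order(hits):
    """Senders ordered by first send time; the first entry is the likely initial compromise."""
    return sorted(hits, key=lambda s: hits[s][0])


def was_targeted_before_sending(events, sender, subject=PHISH_SUBJECT):
    """True if `sender` received the phishing message before it first sent one
    (the propagation pattern described in the timeline)."""
    sends = [e["ts"] for e in events if e["sender"] == sender and _is_phish(e, subject)]
    if not sends:
        return False
    first_send = min(sends)
    return any(
        e["rcpt"] == sender and _is_phish(e, subject) and e["ts"] < first_send
        for e in events
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = find_compromised_senders(evs)
    for sender in spread_order(found):
        first, count = found[sender]
        chained = was_targeted_before_sending(evs, sender)
        print(f"{first.isoformat()} {sender}: {count} message(s) sent,"
              f" received it first: {chained}")
```

The accounts this produces are the ones whose passwords need to be changed first; the earliest sender is where the investigation of how the credentials were obtained should start.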

What To Look For

The offending message will come from a known account, someone you've exchanged emails with previously. The attacker is using that implicit trust to trick people into clicking the included link.

[Image: documentationsviagoogle-message.jpg]

When the email message is opened Google helpfully tags it with a large red warning banner.

[Image: documentationsviagoogle-emailcontent.jpg]

With a community such as ours, these banners are sometimes applied to benign messages, as they may come from international sources or individuals who speak English as a second language. Oftentimes improper grammar or spelling alone can trigger a notice such as this.

If the link in the message is clicked, it leads to the following page:

[Image: documentations_via_google.jpg]

Google only allows email logins through its standard login page. Mockups such as this look sufficiently legitimate to those who aren't aware of that and can easily trick people into divulging their username and password. When the Gmail option is selected, the following "login" window is presented:

[Image: documentationsviagoogle-gmail.jpg]

So far it appears that the credentials supplied are only being used to propagate the email message. These logins are valuable to sell to spammers, however, and may be used for further abuse in the future. The good news is we don't see this affecting any computers, just the email accounts.

If you receive one of these messages, please contact IT. We need to know who sent it so we can contact them and make sure their password gets changed as quickly as possible. Call us at x7887 or email us at cait@calarts.edu!
