We see lots of phishing attempts for email credentials. This one is quite common and is only being mentioned because it comes from a compromised .edu account.
Also worth mentioning is the hosting company for this phishing page, 000webhostapp.com, which is a division of Hostinger. They have a zero-tolerance policy for abuse: the page was reported at 14.16 and removed by 14.25. That is how all abuse teams should work, one simple report and immediate action taken. Unfortunately any free service will attract more than its fair share of abusers and criminals.
They use email addresses and subjects that will shock, scare, entice or persuade a user to read the email and open the attachment or follow the link.
Remember that many email clients, especially on a mobile phone or tablet, only show the display name in the From: field and not the actual address in the <name@domain.com> part. That is why these scams and phishes work so well.
The email looks like:
From: Hale, Carly <Carly.Hale@frontrange.edu>
Date: Thu 12/10/2017 13:46
Subject: RE: Help Desk Support Team
From: Hale, Carly
Sent: Thursday, October 12, 2017 6:41 AM
Subject: Help Desk Support Team
Welcome to the new outlook web app for Staff
Migrate to The new Outlook Web app for Staff is the new home for online self-service and information.
Click on GATEWAY and login to:
- Access the new staff directory
- Access your pay slips and P60s
- Update your ID photo
- E-mail and Calendar Flexibility
- Connect mobile number to e-mail for Voicemail
Everyone is advise to migrate immediately.
Help Desk Support Team
If you follow the link inside the email you see a webpage looking like this: http://wbmail.000webhostapp.com/
We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information. It might be an email that says “you have won a prize” or “sign up to this website for discounts, prizes and special offers”
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, one more targeted at somebody who is likely to receive PDF or Word .doc attachments or any other common file type every day, or a straightforward attempt, like this one, to steal your personal, bank, credit card, email or social networking login details. Be very careful when unzipping attachments and make sure you have “show known file extensions” enabled, then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.
Sending server details:
IP address: 18.104.22.168
Hostname: smtpdr01.cccs.edu
Location: Denver, Colorado, US
AS: AS14737 Colorado Community College and Occupational Education System
Received: from irondr01.cccs.edu ([22.214.171.124]:3809)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
for derek@[redacted]; Thu, 12 Oct 2017 13:46:54 +0100
Received: from cccsdna71.cccs.ccofc.edu ([10.246.14.21])
by IRONDR01.CCCS.EDU with ESMTP/TLS/DHE-RSA-AES256-SHA; 12 Oct 2017 06:46:54 -0600
Received: from CCCSDNA73.cccs.ccofc.edu ([169.254.1.162]) by
CCCSDNA71.cccs.ccofc.edu ([10.246.14.21]) with mapi id 14.03.0319.002; Thu,
12 Oct 2017 06:46:05 -0600
From: "Hale, Carly" <Carly.Hale@frontrange.edu>
To: "Hale, Carly" <Carly.Hale@frontrange.edu>
Subject: RE: Help Desk Support Team
Thread-Topic: Help Desk Support Team
Date: Thu, 12 Oct 2017 12:46:04 +0000
x-originating-ip: [10.246.14.5]
Content-Type: multipart/alternative;
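As an added example (this is not code from the original post), the Python below walks the Received chain quoted above, oldest hop first, and separates the display name from the real From: address, which is the part a mobile client hides. The headers are embedded as a constructed sample copied from the block above, with the recipient address left redacted as it is there. The function and field names are my own, and the "registrable domain" helper is a deliberately crude last-two-labels check that is fine for .edu but not for suffixes like .co.uk.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header fields quoted above, re-folded as a raw
# header block. The recipient address stays redacted, as in the post.
SAMPLE_HEADERS = (
    "Received: from irondr01.cccs.edu ([22.214.171.124]:3809)\n"
    "\tby knight.knighthosting.co.uk with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)\n"
    "\tfor derek@[redacted]; Thu, 12 Oct 2017 13:46:54 +0100\n"
    "Received: from cccsdna71.cccs.ccofc.edu ([10.246.14.21])\n"
    "\tby IRONDR01.CCCS.EDU with ESMTP/TLS/DHE-RSA-AES256-SHA; 12 Oct 2017 06:46:54 -0600\n"
    "Received: from CCCSDNA73.cccs.ccofc.edu ([169.254.1.162]) by\n"
    "\tCCCSDNA71.cccs.ccofc.edu ([10.246.14.21]) with mapi id 14.03.0319.002; Thu,\n"
    "\t12 Oct 2017 06:46:05 -0600\n"
    'From: "Hale, Carly" <Carly.Hale@frontrange.edu>\n'
    'To: "Hale, Carly" <Carly.Hale@frontrange.edu>\n'
    "Subject: RE: Help Desk Support Team\n"
    "x-originating-ip: [10.246.14.5]\n"
    "\n"
)

# One relay hop of the form "from <host> ([<ip>][:port]) by <host> ..."
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\(\[(?P<ip>[^\]]+)\](?::\d+)?\)\s+by\s+(?P<by>\S+)"
)


def _is_internal(ip):
    """RFC 1918 or link-local address: a hop that never touched the internet."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local


def _registrable(domain):
    """Crude last-two-labels domain (hypothetical helper; wrong for .co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_received_chain(raw_headers):
    """Return the relay hops oldest-first as dicts with from/ip/by/time (UTC).

    Each MTA prepends its own Received: line, so the header order is
    newest-first and is reversed here to follow the message forwards.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue  # not a from/by hop, skip it
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({
            "from": m["host"],
            "ip": m["ip"],
            "by": m["by"],
            "time": when.astimezone(timezone.utc),
        })
    return hops


def origin_summary(raw_headers):
    """Compare what the From: displays with where the mail actually came from."""
    msg = message_from_string(raw_headers)
    hops = parse_received_chain(raw_headers)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    # The last hop is the server that handed the mail to the recipient's own
    # MTA. Only the Received: line written by that MTA is trustworthy; every
    # line below it was written on the sender's side and could be forged.
    handoff = hops[-1]
    orig_ip = msg.get("x-originating-ip", "").strip("[] ")
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": _registrable(from_addr.rsplit("@", 1)[-1]),
        "handoff_host": handoff["from"],
        "handoff_domain": _registrable(handoff["from"]),
        "internal_hops_only_before_handoff": all(_is_internal(h["ip"]) for h in hops[:-1]),
        "originating_ip": orig_ip,
        "originating_ip_private": bool(orig_ip) and _is_internal(orig_ip),
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds(),
    }


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADERS):
        print(f'{hop["time"]:%H:%M:%S}Z  {hop["from"]} ({hop["ip"]}) -> {hop["by"]}')
    for key, value in origin_summary(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against this sample, the chain shows the message leaving the internet-facing gateway irondr01.cccs.edu after two hops that are both on private or link-local addresses, with x-originating-ip also inside 10.0.0.0/8 and the whole transit taking under a minute. That pattern, mail born inside the organisation's own Exchange environment and relayed out through its own gateway, is what a compromised account looks like, as opposed to a forged From: sent from an unrelated server. The display name is also pulled out separately from the address so you can see exactly what a phone client would show and what it would hide.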