Phishing Example: Spear Phishing Attack "Articles"

January 2, 2016

What makes this a Phishing message?

This fairly sophisticated spear phishing attack was specifically targeted to academic staff.  The link to the first article directed the recipient to a counterfeit CalNet login page.  Fortunately, the recipients noticed some discrepancies:

  • The sender's address is suspicious (e.g., "ualberta.com" is misspelled "ulberta.com")
  • The subject line indicates the message is a response to a previous message with no subject line - that is pretty strange, considering the sender-initiated the conversation
  • In the link to the first article, the URL address to the CalNet login page is wrong in many, many ways (visit the "How to Detect the Authentic CalNet Login Page" to learn more)

The bad guys who sent this message made some effort to make it appear to be authentic:

  • The original name of the email sender (aka "John Doe") was an actual faculty member at the University of Alberta
  • The second article links to a real research paper

Original Message:

Date: Sat, 2 Jan 2016 09:58:07 GMT
Message-Id: <201601020958.u029w7xs013139@prohost17.34sp.com>
To: <recipient's name removed>@ce.berkeley.edu
Subject: Re:
X-PHP-Originating-Script: 1336:NPS.php
From: "john.doe@ulberta.ca" <john.doe@ulberta.ca>
X-Mailer: PHP/5.5.29

Dear Dr. <recipient's name removed>;

I recently read your last article and it was very useful in my field of research. I wonder, if possible, to send me these articles to use in my current research:

1- http://auth.berkeley.eduh.in/<link removed>

2- http://www.sciencedirect.com/science/article/pii/S1644966515000825

Thanks for you Cooperation in Advance.
John Doe
Department of Civil and Environmental Engineering University of Alberta
Phone: (XXX) XXX-XXXX
--21878cacb2d3a784678d12d61f1136d7--

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up techtip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu (link sends e-mail) (link sends e-mail).  Be sure to include the entire text of the message, including the email header.