The Phish Tank

Welcome to the "Phish Tank".  This page highlights recent examples of phishing emails received on campus.  There are many variations of the scams listed here; this is only a small sampling of the new ones received every day.

This list is intended to educate students and staff to spot a phish; do not assume an email is safe because it is not listed here.

Warning:  The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed; you can hover your cursor over these links to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.

Phishing Example: Google Doc Phishing Message

May 3, 2017

Why is this a Phishing message?

What appears to be a widespread Internet worm hit the campus in the form of a phishing email message.  The message slipped through normal spam filters as the worm spread to email accounts in the "berkeley.edu" domain, so the message also reached a large number of campus mailboxes.

The message was a forgery of the common message notification received when a Google Doc is shared, but there are a couple of obvious indicators that this message is a fake:

  • The recipient address in the message is very suspicious:  hhhhhhhhhhhhhhhh@mailinator.com
  • The actual recipient's address is included in the "Bcc" line - why would a notification about a shared Google Doc be blind-carbon-copied to someone?

The following announcement was posted to campus concerning this incident:  Global Google Phishing Alert

Please contact Campus Shared Services IT by calling 510-664-9000 or itcsshelp@berkeley.edu if you have questions about this incident.

Original Message:

From:  XXX@berkeley.edu
Subject:  XXX has shared a document on Google Docs with you
To:  hhhhhhhhhhhhhhhh@mailinator.com
Bcc:  Me

XXX has invited you to view the following document:

Open in Docs

Phishing Example: Message from human resources

April 13, 2017

What makes this a Phishing Message?

The cyber criminal responsible for this phishing scam put some effort into making this email message appear legitimate.  The sender email address has been faked to appear to come from the campus HR department, and the document link led to a fake CalNet login page.  There is one clue that the message is a forgery:

  • If you hold your mouse cursor over the "Click here" link, you can see that the destination is not the real CalNet login page (https://auth.berkeley.edu).

Two things to remember in this situation:

Original Message:

From: "HR@berkeley.edu" <HR@berkeley.edu>
Subject: Message from human resources
Date: April 13, 2017 at 9:29:54 PM PDT
To: XXXXX@berkeley.edu

Dear XXXXX@berkeley.edu

An information document has been sent to you by the Human Resources Department.

Click here to Login to view the document.  Thank you!

Berkeley University Of California HR Department
© 2017 The Regents of the University of California.  All rights reserved.
-----------------------------------------------------------------------------------------------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This email and any attachments may contain confidential information that is protected by law and is for the sole use of the individuals or entities to which it is addressed. If you are not the intended recipient, please destroying all copies of the communication and attachments. Further use, disclosure, copying, distribution of, or reliance upon the contents of this email and attachments is strictly prohibited.

Phishing Example: Library Account

April 1, 2017

What makes this a Phishing message?

This email message was well crafted to fool recipients into logging into a forged CalNet authentication site to steal their credentials.  It appeared to come from an authentic campus email address, and the instructions are clearly written, without the tell-tale typos or grammatical errors usually found in phishing messages.

The link to the fake CalNet site is made to appear to be the real site (https://auth.berkeley.edu), but if you hover your cursor over the link, the actual hidden URL address is for a site registered in Mali.

Keep in mind when receiving emails like this that cyber criminals can easily forge an email address to appear to come from someone else, or disguise a link so it appears to be safe.

Original Message:

From: <NAME REMOVED>
Date: Sat, Apr 1, 2017 at 2:09 PM
Subject: Library Account
To: xxxxx@berkeley.edu


Dear Student,

Your access to your library account is expiring soon due to inactivity. To
continue to have access to the library services, you must reactivate your
account. For this purpose, click the web address below or copy and paste it
into your web browser. A successful login will activate your account and
you will be redirected to your library profile.

https://auth.berkeley.edu/cas/login?service=https%3a%2f%


If you are not able to login, please contact <Name Removed> at
xxxxx@berkeley.edu for immediate assistance.

Sincerely,

<Name Removed>
University Library
University of California Berkeley

Phishing Example: Your Dropbox File

January 30, 2017

What makes this a Phishing message?

A recent spate of phishing messages purporting to be Dropbox notifications has been received on campus.  The "View File" link in the email message is a ruse to capture CalNet passphrase credentials.

  • The return address of the sender is from the network domain for Texas A&M Health Sciences Center (@tamhsc.edu), not Dropbox.
  • If you hold your cursor over the "View File" link, you will see that the URL address is a forgery of the real CalNet login address (https://auth.berkeley.edu).

Visit How to Detect the Authentic CalNet Login Page to learn how to protect yourself from these kinds of scams.

Original Message:

From:  "Sass, Bradley" <sass@tamhsc.edu>
Subject:  Your Dropbox File
Date:  Mon, 30 Jan 2017

Dropbox logo

Hello,

You just received a file through Dropbox Share Application.
Please click below and log in to view file.

Every time a friend installs Dropbox, we'll give both of you 1 GB of
space for free! Need even more space? Upgrade your Dropbox and get 1 TB
(1,000 GB) of space.

Happy Dropboxing.

- The Dropbox Team

Dropbox, Inc., PO Box 77767, San Francisco, CA 94107 © 2017 Dropbox

Phishing Example: bCourses Expiration Notice

January 25, 2017

What makes this a Phishing message?

This phishing message attempted to trick recipients into entering CalNet credentials into a fake CalNet authentication page to prevent access to bCourses from expiring.

The main clue that this is a phishing message is the inordinately long URL of the link to bCourses.  If you hold your cursor over the link, you will see that the underlying destination address is not the real bCourses site.


Original Message:

Dear User,

This message is to inform you that your access to bCourses will soon expire. You will have to login to your account to continue to have access to this service.
You need to reactivate it just by logging in through the following URL. A successful login will activate your account and you will be redirected to your bCourses page.

http:/bcourses.berkeley.edu/login_0DZvfIrGID322o0ki22F0IZotK3lPfYHa62pNgFo4Oh4B40FO4WFMbL4BeL22BMCB8yNmkrd1qJSMjMmbphO9TsF3jX2LqgZijDXGuwEM8fb8yNE7xdTJSMBNYpD4cemhm/

If you are not able to login, please contact Danielle Patel at dapatel@berkeley.edu for immediate assistance.

Sincerely,

Danielle Patel
Berkeley Security
University of California, Berkeley
510-643-6957
dapatel@berkeley.edu

Phishing Example: First 2017 Tax Season Phish

January 24, 2017

What makes this a Phishing message?

This was the first tax season related phishing message reported on campus this year.  The message contains a common ploy to trick the recipient into clicking on a link to download their W2 Form.  In this case, the link went to a forged site for "MyADP" with account login fields.  CalNet credentials entered into this page would be intercepted by the scammers and compromised.

The formatting in this message is very poor, and both the sender address and the download URL link are highly suspicious, so this phish should be pretty easy to spot.  UC Berkeley does not use ADP for payroll services, which is another hint that this is a phishing message.


Original Message:

To:  xxxxxx@berkeley.edu
From:  ADP PORTAL <director.stics@boyaca.gov.co>
Date:  Tue, 24 Jan 2017 13:31:49
Subject:  Update Portal

The Human Resources/Payroll Department has completed the final paystub
changes for 2017 tax year.
To view the changes to your paystub information and view/download your W-2
forms (2014 - 2016 tax years), go to: Adp Portal

We hope you find the changes to your paystub information useful and welcome
any comments you may have.
Yours Sincerely,
Danielle Carrel.

Phishing Example: FedEx Shipment Update

January 3, 2017

What makes this a Phishing message?

This very simple phishing message that appeared to be sent from FedEx was effective in convincing several campus recipients to download the PDF attachment.  The file contained a link that required password authentication, allowing the attacker to capture these user credentials for future use.  Note the following clues that this is not a valid message from FedEx:

  • The sender address is from a "berkeley.edu" address.
  • The recipient address is blank, indicating the message was sent as a "blind carbon-copy" to a larger audience.
  • The grammar is very simple, but poorly stated.
  • There is no message signature other than "Thanks".


Original Message:

From:  "FedEx." <xxxxxx@berkeley.edu>
To:
Date:  Tue, Jan 3, 2017

FedEx

Dear Customer,

We could not deliver your item.

You can review and print complete details of shipping duty on your order.

Thanks


PDF Attachment:  update_Form.pdf

Phishing Example: Important Announcement from Chancellor Dirks

December 14, 2016

What makes this a Phishing message?

A large number (2000+) of campus email accounts received a phishing email which appeared to come from Chancellor Dirks.  This malicious email contained a PDF attachment, which in turn contained a link to a site for providing personal information, including username and password, to the attacker.  As far as we can tell, the attachment was not infected with malware, but out of caution please delete any copies of this email without opening the attachment.

Please note a couple of suspicious indicators in the message:

  • The return address for Chancellor Dirks is for a mysterious email account from a domain outside of "berkeley.edu".
  • There is no recipient address in the "To:" field, indicating the message was "blind carbon-copied" to the intended victims.

If you or anyone you support opened the attachment, followed the link and provided the requested information, please contact security@berkeley.edu for assistance.


Original Message:

From: Nicholas B. Dirks <penweltm@miamioh.edu>
Date: Wed, Dec 14, 2016 at 8:55 AM
Subject: Important Announcement from Chancellor Nicholas B. Dirks
To:


Good Morning Berkeley Family,

Please read attached for an important announcement from Chancellor Nicholas B. Dirks
 
Thanks,

Nicholas B. Dirks

Chancellor

1 attachment: shared Document.pdf

Phishing Example: Email Account Upgrade

October 28, 2016

What makes this a Phishing message?

This message is a somewhat clever attempt to fool the recipient, claiming that there may have been unauthorized account access from Thailand.  The sender address has been forged to appear to come from CSS-IT.  Without looking at this message closely, the following clues could be missed:

  • The subject line "Email Account Upgrade" has nothing to do with the warning contained in the message.
  • The generic greeting "Dear User" is suspicious - a notification concerning unauthorized account access should be directed to a person by name, and the term "Dear" is inappropriate.
  • A campus account is referred to as a "CalNet ID", not a "Berkeley ID".
  • The "Click Here" short URL link is highly suspicious - never trust a short link that obfuscates the true link destination.

A recipient who read this message in haste could easily click on the link, which likely leads to a site that silently transfers malware to their computer.


Original Message:

Subject: Email Account Upgrade
Date: 10/28/2016 4:38 PM


Dear User,

Someone else was trying to use your Berkeley ID to sign into iCloud via a web browser.

Date and Time: 28 October 2016, 1:38 PM
Browser: Firefox
Operating System: Windows
Location: Thailand


If the information above looks familiar, you can disregard this email.
If you have not recently and believe someone may be trying to access your account, you should Click Here <http://goo.gl/rk87KW>.

Sincerely,
Technical Support Team

Phishing Example: Irregular Activity

October 20, 2016

Why is this a Phishing message?

This phishing message is a little unusual.  It contains multiple threats to the recipient:

  • The message contains file attachments from an unknown sender that may contain malware.  Never open file attachments unless you are expecting them and they are from a reliable source.
  • The account sign-in fields in the message are intended to capture the recipient's login credentials.


Original Message:

From: BankOfAmerica
Subject: Irregular Activity
Date: 10/20/2016 7:27 AM

We have detected irregular activity on your account on the date 10/20/2016. For your protection, we have temporary limited your account.
In order to regain full access to your account, you must verify this activity before you can continue using your account. We have sent you an attachment , open it and follow the steps to verify your account. Once completed, please allow up to 48h to update.

Copyright © 2016 BankOfAmerica, All rights reserve


IrregularActivityFile.html

Home Client access Update Authentication

Sign On to View Your Accounts
Enter your Online ID and Passcode to securely update or manage your Bank Of America account .

Online ID
Passcode

About Bank Of America | Careers | Privacy, Security & Legal | Report Email Fraud | Sitemap | Home

© 1995 - 2016 Bank Of America. All rights reserved. NMLSR ID 399801

Phishing Example: Messages containing Locky malware

August 24, 2016

What makes this a Phishing message?

There has been a recent spate of email messages to campus containing the Locky ransomware virus in file attachments.  The format of the message content and style is very similar:

  • Note the suspicious email addresses - the formats are identical.  The first is from a domain in Brazil.
  • Similar to spam messages generated by spambots, these messages have generic greetings and are not directed to a specific person.
  • Both have the same signature, with the same spelling mistake ("King regards").

Opening the attachment would result in encryption of all files on the computer (and possibly network shared drives) and a ransom message would appear on the screen.  The best way to recover from Locky is to restore the files from a clean backup.


Original Messages:

From: Curtis.8271@brasiltelecom.net.br
Date: Wed, 24 Aug 2016 20:29:58 -0700

Hello,

Please sign the attached contract with our technical service company for 2016 – 2017.
We would appreciate your quick response.


King regards,
Cynthia Curtis

(Digital-Signature: f0a0e01386d19b03736165288026cc97e325560c78700e95)

From: Richmond.87413@ontheriverwoodstock.com
Date: Wed, 24 Aug 2016 08:44:09 -0700

Hi,

The monthly financial statement is attached within the email.
Please review it before processing.



King regards,
Pete Richmond

(Topic-ID: b0b82053c611db43b3a1a568c0660cd72365964cb8b04ed5)

Phishing Example: Vital Info

May 23, 2016

What makes this a Phishing message?

This message has been forged to appear to come from a real staff member in the Office of the Registrar, which, along with the "CONFIDENTIALITY NOTICE", gives it the appearance of a valid official message.  There are a few strange items that stand out, however:

  • There is no recipient name in the "To:" field.  That usually indicates that the message was "blind carbon-copied" to recipients and the sender is trying to hide something.
  • The message is not specific about what "vital info" is being shared; this should seem very suspicious to a recipient who was not expecting a message from the Office of the Registrar.
  • Hold your cursor over the URL link and you will see that it is not really directed to Google Docs - it is actually a link to a fake CalNet login page where the user's account name and password can be intercepted.

(Nice touch adding the "consider the environment" note at the end of the message - very convincing coming from an @berkeley.edu address).
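The checks this page keeps returning to (a blank "To:" field as in the FedEx, Chancellor and Vital Info messages, link text that shows the CalNet address while the underlying destination is elsewhere, the "Click Here" short link, and the inordinately long bCourses URL) can be applied mechanically to a saved message. The following script is an added illustration, not a tool from the campus security team; the message it scans is constructed, every host in it is a placeholder, and the 120-character length threshold is an assumption.

```python
# Flags the indicators this page keeps pointing at: blank To:, link text showing one
# host while the href goes elsewhere, URL shorteners, inordinately long URLs.
import email
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}  # goo.gl is the one seen on the page
MAX_URL_LEN = 120  # assumed threshold for an "inordinately long" link

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phish_indicators(raw_bytes):
    """Return human-readable findings for one raw message; [] means nothing tripped."""
    msg = email.message_from_bytes(raw_bytes)
    hits = []
    if not (msg["To"] or "").strip():
        hits.append("blank To: header (recipients hidden in Bcc)")
    html = next((p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/html"), "")
    parser = _Links()
    parser.feed(html)
    for href, text in parser.links:
        host = _host(href)
        if host in SHORTENERS:
            hits.append(f"shortened link hides its destination: {href}")
        if len(href) > MAX_URL_LEN:
            hits.append(f"inordinately long URL ({len(href)} chars) to {host}")
        if "." in text and " " not in text and _host(text) != host:
            hits.append(f"link text shows {_host(text)!r} but goes to {host!r}")
    return hits

# Constructed sample in the style of the Library Account, Email Account Upgrade and
# bCourses messages; every host is a placeholder, the 130 x's stand in for the long path.
SAMPLE = (b"From: University Library <xxxxx@berkeley.edu>\nTo:\nSubject: Library Account\n"
          b"Content-Type: text/html; charset=utf-8\n\n"
          b'<p>Reactivate at <a href="http://cas-login.example.invalid/">'
          b'https://auth.berkeley.edu/cas/login</a> or <a href="http://goo.gl/placeholder">'
          b'Click Here</a>, or via <a href="http://bcourses.example.invalid/login_'
          + b"x" * 130 + b'/">bCourses</a>.</p>\n')
```

Running `phish_indicators(SAMPLE)` reports all four indicators; a message whose "To:" is filled in and whose link text and destination share a host reports nothing.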


Original Message:

From: <sender's name removed>
Date: Mon, May 23, 2016 at 2:56 PM
Subject:  Vital Info
To:

Hello,  Please refer to the vital info I've shared with you using Google Drive.  Click https://www.google.com/drive/docs/file0116 and sign in to view details..

Regard

--
<sender's name removed>
Readmission Representative
Office of the Registrar

CONFIDENTIALITY NOTICE:  This e-mail and any transmitted files are private and confidential and are solely for the use of the recipient(s)  to whom it is addressed.  Any unauthorized review, use, disclosure, distribution or copying of this communication is strictly forbidden.  If you have received this communication in error, please delete and immediately notify the sender via the e-mail return address.  Thank you for your compliance.

Please consider the environment before printing this e-mail

For more examples of Phishing messages, please visit the Phishing Examples Archive.