November 2023 Phish Scam
A successful phishing attack on November 21st posed as an urgent IT notice requesting email account closure. The attack was designed to trick recipients into entering their passwords and Duo two-factor codes into a web form, allowing the attacker to compromise their UD accounts and spread the phish internally. The University of Dayton and UDit will NEVER ask for your password or Duo code. Take note of the red flags to better prepare yourself for potential future attacks.
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=0e7d9492-d605-4a5f-a55f-17e363687276.png&beidInt=147)
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=d769576c-9086-4423-86e5-ef8269d5a7a3.png&beidInt=147)
September 2023 Phish Scam
On September 14th, one of our campus users fell victim to a sophisticated phishing attempt. The user received an email with an encrypted attachment from “Payroll Department,” a sender outside the University of Dayton:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=b8d16103-ae5b-4ec4-a2dc-be30a3a10d78.png&beidInt=147)
The user then opened the attachment (a PDF redirecting to a Google form) purportedly from the university, requesting sensitive user information:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=ccdd9c9f-37aa-4b72-85b5-b2a2df0ddbda.png&beidInt=147)
Similar to the phishing attack this summer, one of our members entered their personal information into the Google Form, unknowingly providing access to their UD account. This resulted in a new and separate phishing campaign targeting students, sent directly from the victim’s UD email account:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=f98cb3c8-95ee-4e54-80b7-dee726fd542d.png&beidInt=147)
Avoid this and future Phishing Scams:
Protect your Password: UDit will NEVER ask for your password or DUO code via email or form. If you receive an unsolicited email or text asking for such information, it's a scam.
Be Skeptical of Urgent Requests: Scammers often create a sense of urgency to pressure you into making hasty decisions. If you receive a message demanding immediate action or threatening consequences, take a step back and verify its authenticity.
Verify the Sender: Check the sender's email address closely. Cybercriminals often use consumer Gmail accounts (ending with @gmail.com) or official-sounding email addresses with slight variations or misspellings. Do not be fooled by descriptive names like udcio@gmail.com, “Help Desk,” or “udayton” anywhere besides the “@udayton.edu” at the end of the address.
Beware of attachments: The body of the message should contain context and a signature block. Cyber attackers often share a message's body or text as an attachment to get it past our spam filters. If you open an attachment asking for your username or password information or receive a warning within Microsoft Office, stop and report it to UDit.
Report Suspicious Activity: If you received either of the emails above AND entered your data, contact the IT Service Center immediately (937-229-3888, itservicecenter@udayton.edu), and we will work with you to change your password and secure your account.
If you received a suspicious email other than those we shared here, please share that email with the IT Service Center (937-229-3888, itservicecenter@udayton.edu), and we will take measures to stop its delivery.
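The sender checks from "Verify the Sender" above, written out as a small mail-triage function. This is an added example, not UDit's own tooling: the function names, flag labels, the word "helpdesk" and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED = "udayton.edu"      # official domain named on the page
CONSUMER = {"gmail.com"}     # consumer mailbox domain named on the page
# Official-sounding words; the first four appear on the page, "helpdesk" is an assumption.
BRAND_WORDS = ("udayton", "udcio", "help desk", "payroll", "helpdesk")

def edit_distance(a, b):
    """Levenshtein distance, used to catch slight misspellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_red_flags(from_header):
    """Return the sender red flags from the list above that a From header shows."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if domain == TRUSTED or domain.endswith("." + TRUSTED):
        # Not proof of safety: the page describes phish sent from compromised UD accounts.
        return []
    flags = []
    if domain in CONSUMER:
        flags.append("consumer-mailbox")
    if any(w in display.lower() for w in BRAND_WORDS):
        flags.append("official-sounding-display-name")
    if any(w in local for w in BRAND_WORDS):
        flags.append("official-sounding-address")
    if "udayton" in domain or edit_distance(domain, TRUSTED) <= 2:
        flags.append("lookalike-domain")
    return flags

# Constructed sample headers (not taken from the real messages).
SAMPLES = [
    '"UD Help Desk" <udcio@gmail.com>',
    '"Payroll Department" <notices@udayt0n.edu>',
    '"IT Notice" <alerts@udayton.edu.example.net>',
    '"Jane Flyer" <jflyer1@udayton.edu>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", sender_red_flags(header) or "no sender red flags")
```

An empty result only means the From header shows none of these sender flags; urgency, attachments and requests for a password or Duo code still need to be checked.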
August 2023 Phish Scam
This August 8th phish scam attempted to trick the recipient into replying to further a social engineering ploy around fake Covid relief money. The vigilant recipient did not bite. Notice the red flags below and utilize this resource for tips on spotting and avoiding similar scams in the future:
7 Ways to Avoid Employee Retention Credit Scams
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=ab77ee61-5cad-4440-8ffd-4fa6f516da4e.png&beidInt=147)
July 2023 Compromised Google Account
This July 24th attack email went to a student’s personal account with the goal of compromising his UD account. He clicked the link and ended up giving them enough Personally Identifiable Information (PII) via the web form below to be able to answer password reset challenge questions. The bad guy got the help desk to reset his password, but not to reset his DUO device.
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=478e76b9-603e-4cc8-826f-bdf66e03f5b4.png&beidInt=147)
When the user clicked the "Click to apply" link, this page appeared, attempting to harvest PII (it's displayed in two columns due to the length of the page):
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=355974f5-de83-4f8e-a152-528875ca90d3.png&beidInt=147)
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=3f35c8ae-08c2-4f7d-8b25-f59d027e1922.png&beidInt=147)
July 2023 Compromised Google Account
In this July 18th attack, the bad guys used a compromised Google account to try to collect usernames and passwords. Note the red flags to help spot future attacks like this one:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=e3f24a06-fe28-4d65-9893-c76537a2e640.png&beidInt=147)
June 2023 Fake Job Offer - Check Fraud Scam
This June 16th phish attempted to get recipients to visit a malicious web site and/or submit personal information via a resume. Those who bit on this phish were then sent a check and asked to spend what they needed and return the rest electronically before the check bounced. The attacker would get money "back" while the victim was on the hook for funds that didn't exist. The phish was sent from an internal account that had been compromised earlier, to make it seem more official and get past external flagging. Note the red flags which indicate it's an attack:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=dc4d3ab9-1048-48ca-aaf7-83cc72846772.png&beidInt=147)
June 2023 Credential Harvesting Scam Attack
This scam attack happened between 6/8/23 and 6/14/23 and attempted to get users to go to a fake site with UD branding and enter in their credentials to compromise their accounts. Notice the red flags called out in the screenshot of the email:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=98608127-2a42-490c-adc8-79386e5c00be.png&beidInt=147)
Malicious Credential Harvesting
This is a malicious credential harvesting site. The red flags are called out here as well:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=d1098e5c-69fe-42ae-a843-3db74643edd9.png&beidInt=147)
May 2023 Malicious Document Attack
This phish attack occurred on 5/19/23 and was sent to multiple users in an attempt to get them to download a malicious document that would infect their systems. Note the red flags below indicating why it's suspicious:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=3464e68d-21b4-4574-b9d9-9bd1d5b0c21a.png&beidInt=147)
April 2023 Fraudulent HR Tax Document Scam
This phishing attempt happened on 4/24/23 and tried to trick the recipient into going to a malicious site that would compromise their system, under the guise of fixing "tax forms" sent from "HR". Note the red flags below:
![](https://udayton.teamdynamix.com/TDPortal/Images/Viewer?fileName=cec6e8ee-b589-448b-a171-929213a563f4.png&beidInt=147)