Recent Examples of Phishing
These are some examples of phishing emails seen on campus. Do NOT assume a suspect email is safe just because it is not listed here. There are many variants of each, and new ones are sent out each day.
Email with Attached PDF
Note the inaccurate email address in the "From:" field.
From: Marc Tessier-Lavigne <jcerqueira@nafcs.org>
Subject: NEW DEVELOPMENT FILE TO ACCESS [DOCX.11] 31.01.12.2017
Date: January 31, 2017 at 8:30:41 AM PST
To: undisclosed-recipients:;
I am pleased to inform you that there will be a new development at the
Stanford University that will benefit all of it's members. You can read pdf
attached file for more information.
Thanks
Marc Tessier-Lavigne
Office of the President
Building 10
Stanford University
Stanford, CA 94305-2061
phone:(650) 723-2481
fax:(650) 725-6847
president@stanford.edu
Request for W-2 Forms and Earnings Summary
Note the inaccurate, non-Stanford email address for Marc Tessier-Lavigne in the "From:" field.
From: Marc Tessier-Lavigne <marctessier-lavigne@execs.com>
Date: January 20, 2017 at 7:45:30 AM PST
To: <kelly.wright@stanford.edu>
Subject: Imperative
Hi Kelly,
Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our staff for a quick review. Prepare the lists and email them to me asap.
Best regards
Marc Tessier-Lavigne
Provost and President
Email Account Update
From: <mailadmin@stanford.edu >
Sent: Friday, Sept. 30, 2016 10:31 AM
To: <employee name>
Subject: Email Account Update
Due to migration to a new Open Source Email Collaboration Solution (SunsetGates), it is mandatory that you update your Stanford University information immediately, using the update link below:
http://update.sunsetgates.com/update/server/admindesk/index.htm
Failure to update, will result to closure of your account.
Thanks for your Co-Operation.
Email Admin Desk
Request
The true sending account is alabman566@gmail.com, not jhennessay@stanford.edu.
President Hennessy's name is spelled incorrectly.
From: John Hennessay <jhennessay@stanford.edu>
Sent: Monday, May 2, 2016 11:31 AM
To: <employee name>
Subject: Request
<Name>,
Are you at your desk? I need you to send me an email attachment with the individual 2015 W-2 (PDF) and earnings summary of all the employees
Thank You
Sent from my iPhone
[email-campaign] Stanford Webmail UPDATE 2016
Mon 2/1/2016 9:35 AM
From: email-campaign <email-campaign-bounces@lists.stanford.edu>
Sent: Sat 1/30/2016 10:02 AM
To: email-campaign@lists.stanford.edu;
Checkout the new Stanford webmail and know if it has started working for you, its secured, faster and easy, you can give it a try by signing with your correct user and password.
click here to sign in: http://soconnectzm.voici.org/
Thanks
Stanford Mail Service
_______________________________________________
email-campaign mailing list
email-campaign@lists.stanford.edu
https://mailman.stanford.edu/mailman/listinfo/email-campaign
Invoice Attached
A Trojan malware email attachment is affecting computers Stanford-wide. The subject of the email is "2 Invoices Attached". The only symptom of an infected machine is that the browsers crash continually; otherwise, there are no additional signs.
University IT Computer Resource Consulting (CRC) has received guidance from the Information Security Office that if the attachment is opened on a Windows machine (not just previewed in Outlook/Office 365) a complete rebuild of the machine is required. Macs, phones, and Chromebooks are not affected.
Please advise your users NOT to open the attachment. If they have opened the attachment, please advise them to submit a HelpSU request so CRC or the appropriate IT team can remediate their machine.
More information on the malware can be found at: http://sanesecurity.blogspot.com/2015/11/2-invoices-attached-invoices17080258doc.html
Good morning,
Please see the attached invoices and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
"Subject: update" (to CS students, at least)
This example is pretty flagrant in many respects. The grammar is very bad (note that the first sentence is not even a complete sentence). It does not come from a Stanford address (what is telkomsa.net?). It is signed "Standford". The email is addressed to "info@cs.stanford.edu"; even if that is a legitimate address, it would clearly go to a very large number of people, yet the email itself suggests that the individual recipient's account has been compromised. And, of course, the email includes a link to click where the recipient is supposed to "update settings". Do not trust links like this, especially when they do not even pretend to go to a stanford.edu site.
From: Help Desk <online2793774@telkomsa.net>
Date: June 20, 2015 at 7:57:55 AM PDT
To: info@cs.stanford.edu
Subject: update
It had been detected that your cs-stanford-edu email account. Mail delivery system had been affected with virus. Your email account had been sending virus included with your mail to recipient's account and as such a threat to our database. You'll need to update the settings on your cs-stanford-edu email account by clicking on this link: http://forms.logiforms.com/formdata/user_forms/66949_9366478/321793
From
CS. Standford
ITS Helpdesk
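The indicators called out on this page (a "From:" address outside stanford.edu, a non-Stanford reply-to address, links that do not go to a stanford.edu site) can be checked mechanically. The following is an added example, not part of the original page; the function names are illustrative, and the sample messages are constructed from header lines quoted on this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "stanford.edu"  # the organisation domain in this page's examples

def in_domain(host, domain=TRUSTED):
    """True for the domain or a real subdomain, not 'stanford.edu.example.net'."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(header_value):
    """Domain of the address in a From:/Reply-To: header; the display name is ignored."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return findings for the three indicators (hypothetical helper, not a product API)."""
    msg = message_from_string(raw_message)
    findings = []
    for header, label in (("From", "from-domain"), ("Reply-To", "reply-to-domain")):
        if msg[header] and not in_domain(addr_domain(msg[header])):
            findings.append(f"{label}:{addr_domain(msg[header])}")
    # Decode every leaf part so quoted-printable or base64 bodies are searched too.
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk() if not p.is_multipart()]
    body = b"\n".join(parts).decode("utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname
        if not in_domain(host):
            findings.append(f"external-link:{host}")
    return findings

# Constructed samples built from header lines quoted on this page, bodies shortened;
# the From: address in SAMPLE_REPLY_TO is a placeholder, not taken from the page.
SAMPLE_UPDATE = """From: Help Desk <online2793774@telkomsa.net>
Subject: update

... clicking on this link: http://forms.logiforms.com/formdata/user_forms/66949_9366478/321793
"""
SAMPLE_REPLY_TO = """From: Stanford University <placeholder@stanford.edu>
Reply-To: Stanford University <donotreply@asiatrans.com.ph>
Subject: Stanford University WebLogin Updates

(constructed body, no links)
"""
SAMPLE_FORGED = """From: John Hennessay <jhennessay@stanford.edu>
Subject: Request

Are you at your desk?
"""
```

SAMPLE_FORGED returns no findings, because the displayed "From:" in the "Request" example is a stanford.edu address; checks on the visible headers alone do not expose the true sending account.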
Your Email Account
Stanford University Email Account
Security info replacement
Someone started a process to replace all of the security info for your Email Account.
If this was you, you can safely ignore this email. Your security info will be replaced with 15623535981 when the 5-day waiting period is up.
If this wasn't you, someone else might be trying to take over your email account. Click here to fill in details and verify your current information in our servers and we'll help you protect this account.
Thanks,
Barker Ashton
For: Standford University Email Team
Phone: 650-723-2300
Email: alert@stanford.edu
Weblogin Phishing Attempt
The reply-to address is a non-Stanford address: Stanford University <donotreply@asiatrans.com.ph>
When you hover over the icons they reveal non-Stanford links.
Subject: Stanford University WebLogin Updates
