“Help Desk” Themed Phishing Campaign Targets Universities


Published:
Friday, January 13, 2017 - 11:07

SUNY Polytechnic Institute Information Technology Services has become aware of a credential-harvesting “Help Desk” themed phishing campaign that targeted several universities in late 2016 and whose activity dates back as far as December 2014. The phishing email asks users to validate their email address and links to a credential-harvesting website designed to look like the targeted university’s own site. Once credentials are harvested, the compromised accounts are used to send additional phishing messages from within the university network to other internal addresses; because these follow-on messages come from a legitimate internal sender, they are harder for recipients and mail filters to recognize. The malicious actors also configured the compromised accounts to forward email to multiple unauthorized external addresses. Forwarded messages were not retained in the original account, which limited the ability to determine what information was compromised.

A comparison of emails identified in the forensic analysis and other reports of this campaign confirmed the use of the same email templates and source address (info@helpdesk[.]edu). Examples of the two phishing emails are below:

********** Dear [targeted university] E-mail user, This message is from [targeted university] IT Helpdesk, We are currently upgrading our [targeteduniversity domain] database and e-mail account center i.e homepage view, enhance security installations of new 2016 anti-spam and anti-virus software, large mailbox space.

Kindly verify your email within 24 hours or your email will be temporarily suspended. click on the Administrator link below to verify your e-mail.

AND

Your email account was LOGIN today by [IP address], click on the Administrator link below to validate your e-mail account or your account will be temporary block within 24 hours for sending more messages. 

Click below:

**********
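The advisory gives three concrete things a mail administrator can look for: the campaign’s source address, the wording of the two templates, and forwarding rules that send a mailbox’s mail to outside addresses without keeping a copy. The following script is an added example written for this page, not code from SUNY Poly or from the original notice. It scores constructed sample messages against those indicators and audits a constructed list of mailbox forwarding rules. The domain example.edu, the sample messages, and the dictionary layout of the forwarding rules are assumptions; in practice the rules would be exported from your mail platform into that shape.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicator from the advisory (shown defanged there as info@helpdesk[.]edu).
IOC_SENDERS = {"info@helpdesk.edu"}

# Phrases lifted from the two templates quoted in the advisory.
IOC_PHRASES = [
    r"verify your e-?mail within 24 hours",
    r"click on the administrator link",
    r"temporar(y|ily) (block|suspended)",
    r"was login today by",
]

# Assumed internal domain standing in for the targeted university.
INTERNAL_DOMAIN = "example.edu"


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return the indicators matched by one RFC 822 message.

    A message is flagged when the sender is the known campaign address or when
    at least two template phrases appear. The phrase check matters because the
    advisory notes that follow-on phishing came from compromised internal
    accounts, so the sender address alone will miss the second wave.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = _body_text(msg).lower()
    phrases = [p for p in IOC_PHRASES if re.search(p, body)]
    sender_ioc = sender in IOC_SENDERS
    return {
        "sender": sender,
        "sender_ioc": sender_ioc,
        "phrases": phrases,
        "flagged": sender_ioc or len(phrases) >= 2,
    }


def audit_forwarding_rules(rules):
    """Flag rules that forward to addresses outside INTERNAL_DOMAIN.

    Each rule is a dict: {"mailbox": str, "forward_to": [str], "keep_copy": bool}.
    A rule that forwards externally and does not keep a copy matches the
    behaviour described in the advisory exactly.
    """
    findings = []
    for rule in rules:
        external = [a for a in rule["forward_to"]
                    if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
        if external:
            findings.append({
                "mailbox": rule["mailbox"],
                "external_destinations": external,
                "copy_retained": rule.get("keep_copy", True),
            })
    return findings


# Constructed samples for the example (not real captured mail).
PHISH_WAVE1 = """From: IT Helpdesk <info@helpdesk.edu>
To: jdoe@example.edu
Subject: Verify your e-mail account
Content-Type: text/plain; charset="utf-8"

Dear example.edu E-mail user, This message is from example.edu IT Helpdesk.
Kindly verify your email within 24 hours or your email will be temporarily suspended.
click on the Administrator link below to verify your e-mail.
"""

PHISH_WAVE2 = """From: jsmith@example.edu
To: staff-list@example.edu
Subject: Account notice
Content-Type: text/plain; charset="utf-8"

Your email account was LOGIN today by 203.0.113.5, click on the Administrator link
below to validate your e-mail account or your account will be temporary block within 24 hours.
"""

BENIGN = """From: Registrar <registrar@example.edu>
To: jdoe@example.edu
Subject: Spring schedule
Content-Type: text/plain; charset="utf-8"

Your spring schedule is available in the portal. No action is needed.
"""

SAMPLE_RULES = [
    {"mailbox": "jsmith@example.edu", "forward_to": ["dept-shared@example.edu"], "keep_copy": True},
    {"mailbox": "jdoe@example.edu",
     "forward_to": ["collector1@example.net", "collector2@example.org"], "keep_copy": False},
]

if __name__ == "__main__":
    for name, raw in [("wave1", PHISH_WAVE1), ("wave2", PHISH_WAVE2), ("benign", BENIGN)]:
        print(name, score_message(raw))
    print(audit_forwarding_rules(SAMPLE_RULES))
```

The second sample is the point of the exercise: it comes from an internal address, so a block on info@helpdesk[.]edu does nothing against it, but the template wording still gives it away. The forwarding audit is the complementary control; since forwarded mail was not retained in the victim mailboxes, the rule itself is often the only evidence that an account was used for exfiltration.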

Some ways to protect against email phishing scams include:

  • Be wary of emails asking for confidential information.
  • Don’t get pressured into providing sensitive information through scare tactics.
  • Make sure you familiarize yourself with SUNY Polytechnic Institute’s privacy policy and recognizable email footers.
  • Watch out for generic-looking requests for information.
  • Never submit confidential information via forms embedded within email messages.
  • Never use links in an email to connect to a website unless you are absolutely sure they are authentic.

Please be aware that these potentially malicious emails have been coming from the address info@helpdesk[.]edu

Cyber criminals exploit compromised credentials in several ways, including using them to impersonate individuals online, gain access to work and personal accounts, sign online service agreements or contracts, engage in financial transactions, or change account information.
