{"id":257,"date":"2021-01-28T12:48:05","date_gmt":"2021-01-28T20:48:05","guid":{"rendered":"http:\/\/blogs.pugetsound.edu\/infosec\/?p=257"},"modified":"2021-02-04T10:55:47","modified_gmt":"2021-02-04T18:55:47","slug":"phishing-from-1-28-2021-paperwork","status":"publish","type":"post","link":"https:\/\/blogs.pugetsound.edu\/infosec\/the-phish-tank\/257","title":{"rendered":"Phishing from 1\/28\/2021: &#8220;PaperWork&#8221;"},"content":{"rendered":"\n<p class=\"has-large-font-size\"><em>Update  &#8211; 2\/4\/2021<\/em><\/p>\n\n\n\n<p>Similar phishing message from ppalomar[@]usa[.]edu with subject line &#8220;PaperWorks&#8221; has been reported. Read further for more information. <\/p>\n\n\n\n<p class=\"has-large-font-size\">Original Phishing Message<\/p>\n\n\n\n<p><em>Note: If you received this email, please simply delete the message. If you clicked on any links, please immediately contact the Service Desk for assistance. Always use caution before clicking links or opening attachments in emails you are not expecting. <\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"835\" height=\"725\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-phish-1.png\" alt=\"\" class=\"wp-image-259\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-phish-1.png 835w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-phish-1-300x260.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-phish-1-768x667.png 768w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Where Did the Link Lead?<\/p>\n\n\n\n<p>The &#8220;View Document&#8221; hyperlink (<em>https:\/\/docs[.]google[.]com\/uc?export=download&amp;id=1ItMUs2ynoGWJ_5RU2RMmpCUuqpH6UME9<\/em>) does not look immediately suspicious as it leads to docs.google.com. 
However, you&#8217;ll notice that the link contains &#8220;<em>=download<\/em>&#8221;, which triggers an immediate download of the file to your computer. Use caution whenever you see this in a URL. <\/p>\n\n\n\n<p>The downloaded file was a .html file that would open in your browser like a webpage. It masqueraded as a locked PDF file requiring you to sign in to view the document.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-1024x436.png\" alt=\"\" class=\"wp-image-260\" width=\"580\" height=\"246\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-1024x436.png 1024w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-300x128.png 300w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-768x327.png 768w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-1536x654.png 1536w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1-1440x613.png 1440w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-1.png 1924w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<p>Any of the three options to sign in would then open a new dialog window to enter your email address and password. If you clicked &#8220;Login&#8221;, your credentials would be immediately sent to the attacker and your account would be compromised. 
<em><strong>Note: if you entered credentials, please immediately contact the Service Desk for assistance.<\/strong><\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"466\" src=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-2.png\" alt=\"\" class=\"wp-image-261\" srcset=\"https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-2.png 489w, https:\/\/blogs.pugetsound.edu\/infosec\/files\/2021\/01\/1-28-21-paperwork-html-2-300x286.png 300w\" sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/figure>\n\n\n\n<p class=\"has-large-font-size\">Text of Phishing Message<\/p>\n\n\n\n<p>From: Ryan.Youell[@]Seattlecolleges[.]edu<br>Subject: PaperWork<\/p>\n\n\n\n<p>Attention [<em>username<\/em>]@pugetsound.edu :<\/p>\n\n\n\n<p>You have a secured and encrypted document waiting for you tagged &#8220;PaperWork&#8221; by Ryan Youell<\/p>\n\n\n\n<p>View Document<\/p>\n\n\n\n<p>Let me know your insights regarding the document. I appreciate your feedback.<\/p>\n\n\n\n<p>Sincerely,<\/p>\n\n\n\n<p>Ryan Youell<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update &#8211; 2\/4\/2021 Similar phishing message from ppalomar[@]usa[.]edu with subject line &#8220;PaperWorks&#8221; has been reported. Read further for more information. Original Phishing Message Note: If you received this email, please simply delete the message. If you clicked on any links, please immediately contact the Service Desk for assistance. 
Always use caution before clicking links or [&hellip;]<\/p>\n","protected":false},"author":521,"featured_media":260,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[3,4],"class_list":["post-257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-phish-tank","tag-phishing","tag-phishtank"],"_links":{"self":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/users\/521"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":2,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"predecessor-version":[{"id":269,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/posts\/257\/revisions\/269"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media\/260"}],"wp:attachment":[{"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.pugetsound.edu\/infosec\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}