[CCoE Notice] FW: For Your Situational Awareness: Active DocuSign spoofing phishing campaign [CORRECTION]

Luong, Kiet A KDLuong at Central.UH.EDU
Mon Mar 19 09:48:48 CDT 2018


Good morning,

I wanted to forward this email to make you aware of phishing emails propagating throughout state agencies.  PLEASE READ the entire forwarded email from DIR.  Details are below describing PDF attachments that are spoofed (fake) and direct recipients to an external website (which then asks for credentials to different systems/websites).  I don't think we should question every PDF that we receive, but please follow these quick tips in addition to the ones mentioned in the forwarded email:

- Be aware of attachments or links that take you somewhere other than where you're expecting.
- Hovering the cursor over the links will correctly identify destinations instead of what is written.
- Always make sure you call or email the sender (from your address book or Skype for Business directory) if an attachment or email was not expected from them.
- Emails from UH senders that you don't normally communicate with should also be deemed suspicious and not automatically accepted as legitimate.

There are many more SPAM/phishing strategies that I've mentioned in the past, so please keep them in mind as well.  For new employees, please follow this useful link from the University Information Technology (UIT) website: http://www.uh.edu/infotech/security/secure-data/spam-phishing

Thanks,

Kiet Luong
Director of Engineering Computing
College Information Security Officer
Cullen College of Engineering
University of Houston
Email: KietL at uh.edu
Voice: 713.743.9974



3/19/2018

The original notification contained a typo in the domain.  The domain the phishing URL attempted to redirect users to is the following:  logistihg.org/amy

Thank you,




3/16/2018

State organizations have seen an increased volume of phishing attempts over the last several days.  State agencies and institutions of higher education should stress that users maintain a high level of vigilance when opening attachments or links via email, even if the sender is from within the organization or the email appears to come from a legitimate source.

The OCISO has been made aware of multiple incidents at separate state agencies using the same phishing method of masquerading as legitimate DocuSign requests.  Variants of the attack are self-propagating and are also seeking to steal common web and social media login credentials.

One phishing attempt concerned an email containing a .pdf file via a spoofed DocuSign request that appeared legitimate.  As the user opened the .pdf file, the message was propagated to all the user's Outlook contacts. Additional users then clicked the message as it appeared legitimate and came from an internal email address.

Another phishing attempt occurred through a compromised organizational account. The account was used to send phishing messages stemming from a legitimate organizational email address to both internal and external recipients.  The phishing message also appeared to contain a legitimate DocuSign request, with the compromised user account's name in the subject line. The phishing site requested users enter various credentials in an apparent attempt to gain access to a variety of accounts.

The phishing messages attempted to redirect users to the following domain and IP:

  *   Domain = logistihg.org/army
  *   External IP = 132.148.153.113

Users should be cognizant of URLs that do not match hover-text, misleading domain names, poor spelling and grammar, and unexpected requests for action particularly from an apparent DocuSign request.
______________________________________________________
DIR Security
Office of the Chief Information Security Officer
Texas Department of Information Resources
dirsecurity at dir.texas.gov