Hmm, OK, so if I get a legitimate looking e-mail from an MSU address 
that says someone with an IP address in Cairo tried to log in to my 
account (that is what my message said), and it has a link that goes to 
msu-itservices.com (instead of msu.edu), am I supposed to follow the 
link or not?  Or just phone the Help Desk, like I did?  What exactly is 
MSU ITS trying to train us to do?

-- dkm


On 2016-10-27 5:01 PM, Kim Geiger wrote:
> It's a redirect to MSU:
>
> http://www.drlinkcheck.com/results/ab7fb5
>
>
>
>
>>>> "Plemmons, Steve" <[log in to unmask]> 10/27/2016 3:44 PM >>>
> The one that someone in my department alerted me to sounds to be almost exactly like yours, but the link was not to an ITS address.  It was a link that included the domain msu-itservices.com.  Are you suggesting that this IS an MSU ITS domain or does it forward to itservices.msu.edu?  I'm not interested in clicking on it to find out.
>
> Thanks,
>
> Steve Plemmons
> Director of IT
> Department of Mathematics
> Michigan State University
> [log in to unmask]
> 517-353-4673
>
> -----Original Message-----
> From: Kim Geiger [mailto:[log in to unmask]]
> Sent: Thursday, October 27, 2016 3:28 PM
> To: [log in to unmask]
> Subject: Re: [MSUNAG] Email Phishing
>
> Well, it does seem like someone at MSU decided to see how many suckers they could catch on campus.
> I pay so little attention to such messages that I barely noticed that I received one that said, "Someone attempted to sign into your email account ([log in to unmask]) with random incorrect passwords from (IP: 207.73.216.41 in Cairo, Egypt)"  and that I should click on a link.  The rest of the message seemed like it was trying to pretend to use weird spammy syntax, but didn't really succeed in the fakery.
> The link was to an ITS page.  Email headers show it to be from an ITS address and a campus IP number.  Am I the only one who thinks this is just ....uncool?  For one thing, it caused some user consternation, and at least one person was unproductive while we scanned her machine for potential nasties because she reported she'd clicked on a phishing link ("because this one looked so real").
> Second, it makes everyone who received it experimental subjects without our permission.  A no no no.
> Third, it's ITS again doing something without telling us about it and making life harder for reasons that, in this instance, are hard to fathom -- So, they found out that some people will click on phishing links?  My, what a unique insight.
>
>
> Kim Geiger
> WKAR Radio & Television, WKAR.org
> East Lansing, Michigan
> 517-884-4766
>
>
>
>>>> Kim Geiger <[log in to unmask]> 10/26/2016 2:09 PM >>>
> I also had a user fall for this one.  How do you know the link is "benign"??
>
> Kim Geiger
> WKAR Radio & Television, WKAR.org
> East Lansing, Michigan
> 517-884-4766
>
>
>
>>>> Gary Schrock <[log in to unmask]> 10/26/2016 11:10 AM >>>
> I had someone forward me one yesterday that it turns out when I go back and
> check the link out it indeed takes one to a page along those lines.  I
> thought it was a little interesting that by the time I had responded to my
> user about it that it wasn't being blocked by msu yet, since they normally
> start blocking things pretty quick.
>
> Not sure I'm a big fan of this myself.  Not the least of which at the
> minimum, it ultimately means more work for me, since I invariably will get
> people forwarding the various phishing emails to me asking if they're
> legit.  And of course, if that link was personalized to the recipient
> (which is quite possible considering the long string of seemingly random
> characters in it), they'll now think that that person followed it, when it
> was actually me when investigating.
>
> On Wed, Oct 26, 2016 at 10:59 AM, James Sprague <[log in to unmask]> wrote:
>
>> Just a thought here, but has anyone else seen an increase in email
>> phishing from MSU related domains? My friend had a user click on it the
>> other day and said when you went to the link it showed an MSU page saying
>> something along the lines of you've been phished and was completely benign.
>> Additionally, he looked at the root of the site and it went to some Symantec
>> login page. I'm wondering if campus is using
>> https://www.symantec.com/services/cyber-security-services/cyber-skills-development/phishing-readiness
>> and just hasn't told the rest of the IT community.