case western reserve university



New Phish Flavor-of-the-Month: Now Mentioning Password Changes!

June 9, 2009

Observe this recent adaptive technique used by the Phish scammers: mentioning recent campus events, e.g., the implementation of the maximum password age policy:

"" [] <--alert! Off-campus Reply-to address!
date Tue, Feb 3, 2009 at 2:45 PM
subject Important Notice

Dear User,

We have noticed an unauthorized attempt to change your password from a foreign IP. This was going to
result to your inability to access your account due to the
password change. If you know you are the authorized owner of
this account, kindly reply by providing your original
username (*******) and PASSWORD (*******) so as to protect
your ID and password from unauthorized access.

Failure to do this will violate the Case Western Reserve
University email terms & conditions.

Thanks for using Case Western Reserve University

The Case Western Reserve University® Help Support.
All content (c) Copyright Case Western Reserve University®

This phishing example is instructive, because it illustrates several of the ways phishers attempt to dress up their scams with trappings of authority and social-engineer their way past your Shenanigan detectors.

Specifically, any time a message demands that you enter a visible, clear-text password into the text of an email, that *always* indicates that the sender is up to no good. These requests should immediately activate your Delete-key trigger finger.

Any time a message claims to be an "official" communication from the University, yet the "Reply-To" field sends your response to an address outside of the Case domain, you should experience shivers of intuition that Something Is Not Right. Check the Reply-To field in this example, and do not be fooled: Even users provisioned for Case Google Apps will still have as their top-level domain.

No Case employee should ever ask you to share your username and password, and we will especially never ask users to transmit credential info in the clear text body of an email. Any such request for credential information should be met with deep suspicion, or at least scoffed at, and deleted at your earliest opportunity.

... Here is another example that illustrates the same Hallmarks of Bogosity:

This is to inform you that your Mailbox has been de-activated by your System Administrator due to an unusual activity detected in your mailbox. Hence, you may not be able to receive new mail until your mailbox is re-activated.

You are to contact your System Administrator with your Login Details which includes your mailbox User name and Password for them to re-activate your mailbox.

System Administrator E-mail:> <-- Why would we host a response email box outside our own domain?

If your mailbox remains de-activated for an extended period of time, it may result in further limitations or eventual closure of your mailbox.

The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained herein by any other person is not authorized.

With the transition to Case GoogleApps, we can empathize that users may think this language sounds plausibly close to an account notification from ITS - but do not be taken in. The University's Acceptable Use Policy states that sharing of account credentials, with ANYBODY, is explicitly prohibited. This means that ITS, the "WEBMail Team," or any other Case ITS body, does not want to know your password, and should never ask you for it.

If you have questions about the legitimacy of an email, please feel free to forward it to

Posted by Ruth Cannon at 03:24 PM

Powered by
Movable Type

Site Last Updated: Friday December 17, 2004 at 17:55:51