Phishing Attempt of the Day

On Tuesday, after much anticipation, Fordham University migrated its staff and faculty from Lotus Notes to Gmail. Although I am not thrilled about having to depend on yet another Google product, I welcome this transition as Lotus Notes was simply unusable if you used a Mac or an iOS device:

  1. I would often find that messages would not appear in my mail program for as long as thirty minutes after they were sent.
  2. When trying to access via the web, Lotus Notes supported none of my web browsers, even the latest versions of Safari, Firefox, and Chrome, although I could get around it.
  3. Using Lotus Notes with iOS through an Exchange connection worked as if I were using POP. Messages deleted, read, or replied to on one device would not synchronize to any other devices.

It appears that migrations such as these trigger scam attempts. Today, one day after we migrated to Gmail, we find a credential-phishing attempt disguised as a password-strength check. Here’s the message:

Subject: Password Review

IMPORTANT SECURITY NOTICE

Due to a recent rise in security breaches in our industry, Congress has mandated higher information security standards. As passwords are the primary mechanism of defense against unauthorized access, we are being required to check the complexity of all employees’ passwords and recommend changes if they fall short of the standards.

Please assist us in being compliant and visit https://www.Fordham.edu/PasswordCheck to test the strength of your passwords.

Thank you for your co-operation,

Corporate Security

Fordham Information Security

The visible link text names www.Fordham.edu, but the underlying link takes you to a legitimate-looking page on a verifytoken.com site. The host, fordham.edu.verifytoken.com, puts “fordham.edu” at the front of the address while the domain that actually controls the page is verifytoken.com, so a quick glance at the address bar looks reassuring. It is clearly a site designed to fool Fordham users into entering their usernames and passwords and to steal their credentials.
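As an added example (not code from the original post), here is a small Python checker for the two tricks the message relies on: visible link text that names www.Fordham.edu while the real href goes to a verifytoken.com host, and a host that embeds “fordham.edu” as subdomain labels under a different registrable domain. The HTML rendering of the email, the trusted-domain list and the last-two-labels rule for the registrable domain are constructed assumptions; a production check would consult the Public Suffix List.

```python
"""Flag the two tricks in the "Password Review" phish: link text naming
fordham.edu while the href goes elsewhere, and a look-alike host that
embeds "fordham.edu" as subdomain labels.

Added example, not code from the original post.  The HTML body below is
constructed from the quoted message and the URL the author reported; the
trusted-domain list and the naive registrable-domain rule are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's genuine domain(s).
TRUSTED_DOMAINS = {"fordham.edu"}

# Constructed HTML rendering of the phishing email.  The first anchor's
# visible text claims www.Fordham.edu, but its href is a verifytoken.com host.
# The second anchor is a constructed honest link, giving the checks a
# negative case.
SAMPLE_EMAIL_HTML = """
<p>Please assist us in being compliant and visit
<a href="http://fordham.edu.verifytoken.com/passupload/6715ed/">https://www.Fordham.edu/PasswordCheck</a>
to test the strength of your passwords.</p>
<p>Questions? See <a href="https://www.fordham.edu/security">https://www.fordham.edu/security</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL-looking string, lower-cased, or '' if it has none."""
    return (urlparse(url_or_text.strip()).hostname or "").lower()


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels.

    Simplification (assumption): a production check should use the Public
    Suffix List so that hosts under e.g. co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_links(html):
    """Return findings as (reason, what, href) tuples, one per trick found."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        href_reg = registrable_domain(href_host)
        # Check 1: the visible text is itself a URL whose registrable domain
        # differs from the href's (text says fordham.edu, href lands on
        # verifytoken.com).
        text_host = host_of(text)
        if text_host and registrable_domain(text_host) != href_reg:
            findings.append(("text/href domain mismatch", text, href))
        # Check 2: a trusted domain appears as a run of labels inside the
        # host while the registrable domain is something else
        # (fordham.edu.verifytoken.com).  Padding with dots keeps the match
        # on whole labels only.
        for trusted in TRUSTED_DOMAINS:
            if href_reg != trusted and f".{trusted}." in f".{href_host}.":
                findings.append(("look-alike subdomain", trusted, href))
    return findings


if __name__ == "__main__":
    for reason, what, href in analyse_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {what!r} -> {href}")
```

The comparison is deliberately on the registrable domain rather than on substring containment: a host that merely contains “fordham.edu” somewhere proves nothing, while a host whose registrable domain is something other than fordham.edu is not Fordham's, however the leading labels read.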

When I visited the site and shortened the URL to http://fordham.edu.verifytoken.com/passupload/6715ed/, which is where the link in the email took me, I saw that this was a simulated phishing attempt. I entered my actual username and a password produced by pounding on random keys. It gave me a “fooled ya” message, indicating that this was merely a test and that no passwords were collected.

Well played, @FordhamSecureIT. Well played.
