Phish Wire - Aug 19 2024
- Updated on 26 Aug 2024
Phish Wire
In the first weeks of back to school, PhishID saw a large surge in phishing targeting students and staff. Here are a few examples.
learnmath4kids[.]smathis[.]com
put-anything-here-and-it-works[.]learnmaths[.]fun
multiplicatino[.]com
postal-office[.]shop
national-filing-service[.]com
onetfedsusa[.]azurewebsites[.]net
Surge in Student Targeting
In one district, PhishID detected over 100 malicious clicks during the first week of back to school, mostly by students. Many of these were proxy sites that promise students access to gaming, social media and other websites outside their approved educational sites. The domains contain strings like ‘learnmaths’, ‘learnmath4kids’ and ‘multiplicatino’ so that they evade content filters and otherwise appear classroom appropriate. These are now confirmed as malicious and hosting malware by BitDefender, G-Data and Webroot. Further, untrusted third-party proxy sites have been known to harvest the credentials students enter to reach their gaming and social media accounts.
Post Office and Public Entity Phishing
Over the same period, PhishID picked up multiple phishing sites impersonating the postal service and other government entities.
postal-office[.]shop
The UPS phishing link above was clicked by a staff member on August 11th, likely from their personal mailbox, a common attack vector discussed in other Phish Wire posts.
national-filing-service[.]com
On August 9th, PhishID protected a staff member who clicked on the above ‘national filing service’ link. The fraudulent site solicits compliance documents from organizations regulated by the Corporate Transparency Act. According to the Financial Crimes Enforcement Network (https://fincen.gov/boi), in addition to stealing sensitive organization data, these scams use QR codes and request fraudulent payments. Fortunately, because PhishID protects users in the browser, it also covers links opened by scanning a QR code.
onetfedsusa[.]azurewebsites[.]net was clicked by a school business systems analyst on Aug 4th. While the site has since been taken down, it has been marked malicious by Fortinet, Webroot, and Google as likely impersonating a federal government website.
Actions
Remember to add these domains to your block lists, and deploy PhishID to your students as well as your staff. Stolen student identities can have long-term negative impacts: criminals make use of students' fresh credit histories, and students and their families can remain unaware for many years.
Remember to educate staff about scams that target public sector organizations and solicit compliance documents, particularly around filing deadlines. Staff should remain cautious when clicking links in their personal email as well as their district mailboxes.
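As an added example (not PhishID's code and not part of the original post), the following Python script refangs the indicators listed above and turns each into block-list entries: for attacker-registered names it blocks the whole registrable domain, since the post shows that arbitrary subdomains resolve, while on shared hosting such as azurewebsites[.]net it blocks only the exact hostname. The SHARED_HOSTING set and the two-label registrable-domain rule are assumptions for this example.

```python
"""Turn the defanged domains from a Phish Wire post into block-list entries."""
import re

# Indicators as written in the post above, defanged with "[.]" (constructed list).
POST_IOCS = [
    "learnmath4kids[.]smathis[.]com",
    "put-anything-here-and-it-works[.]learnmaths[.]fun",
    "multiplicatino[.]com",
    "postal-office[.]shop",
    "national-filing-service[.]com",
    "onetfedsusa[.]azurewebsites[.]net",
]

# Assumption: platforms where many unrelated tenants share one parent domain.
# Blocking the parent would break legitimate sites, so block the exact host only.
SHARED_HOSTING = {"azurewebsites.net"}


def refang(ioc: str) -> str:
    """Undo common defanging ("[.]" -> ".", "hxxp" -> "http") and keep only the host."""
    host = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]  # drop scheme and path
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError(f"not a hostname after refanging: {ioc!r}")
    return host


def registrable_domain(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes (e.g. co.uk)
    among these indicators; use a public-suffix library for general input."""
    return ".".join(host.split(".")[-2:])


def block_entries(ioc: str) -> list[str]:
    """Hostnames to block for one indicator, most specific first."""
    host = refang(ioc)
    parent = registrable_domain(host)
    if parent in SHARED_HOSTING:
        return [host]  # never block the whole hosting platform
    # Attacker-controlled domain: the post's "put-anything-here-and-it-works"
    # label shows any subdomain resolves, so block the parent and its wildcard.
    # Review before blocking a parent that may be a compromised legitimate site.
    return ([host] if host != parent else []) + [parent, f"*.{parent}"]


def hosts_file(iocs: list[str]) -> str:
    """Render a hosts-file sinkhole list; wildcard entries are skipped because a
    hosts file cannot express them (send those to the DNS filter or proxy)."""
    lines = [f"0.0.0.0 {e}" for ioc in iocs for e in block_entries(ioc)
             if not e.startswith("*.")]
    return "\n".join(dict.fromkeys(lines)) + "\n"  # dedupe, keep order
```

Wildcard entries such as `*.learnmaths.fun` are meant for a DNS filter or web proxy that supports them; the hosts-file output only carries the literal hostnames.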