PhishWire - Aug 19 2024
  • 26 Aug 2024


Phish Wire

In the first weeks of back to school, PhishID saw a huge surge in phishing targeting students and staff. Here are a few examples.


learnmath4kids[.]smathis[.]com

put-anything-here-and-it-works[.]learnmaths[.]fun

multiplicatino[.]com

postal-office[.]shop

national-filing-service[.]com

onetfedsusa[.]azurewebsites[.]net


Surge in Student Targeting


In one district, PhishID detected over 100 malicious clicks during the first week of back to school, mostly targeting students. These include numerous sites using proxy tools that promise students access to gaming, social media and other websites outside their prescribed educational websites. The domains contain strings like ‘learnmaths’, ‘learnmath4kids’, and ‘multiplicatino’ so that they evade content filters and otherwise appear classroom appropriate. These domains are now confirmed as malicious and as containing malware by BitDefender, G-Data and Webroot. Further, untrusted third-party proxy sites have been known to harvest the credentials students use to access their gaming and social media services.


Post Office and Public Entity Phishing


Over the same period, PhishID picked up multiple phishing sites impersonating the postal service and other government entities.


postal-office[.]shop


The above UPS phishing attack was clicked by a staff member on August 11th, likely in their personal mailbox, a common attack vector discussed in other Phish Wire posts.


national-filing-service[.]com


On August 9th, PhishID protected a staff member who clicked on the above ‘national filing service’ link. The fraudulent site is soliciting compliance documents for organizations regulated by the Corporate Transparency Act. According to the financial crimes network (https://fincen.gov/boi), in addition to theft of sensitive organization data, these scams use QR codes and request fraudulent payments. Fortunately, because PhishID protects users in the browser, it can also protect users from links opened via QR codes.


onetfedsusa[.]azurewebsites[.]net was clicked by a school business systems analyst on Aug 4th. While the site has since been taken down, it has been marked malicious by Fortinet, Webroot, and Google as likely impersonating a federal government website.


Actions


Remember to add these domains to your block lists, and deploy PhishID to your students as well as your staff. Stolen student identities can have long-term negative impacts, as criminals make use of fresh credit scores while students and their families can remain unaware for many years.


Remember to educate staff about scams targeting public sector organizations and soliciting compliance documents, particularly in the context of filing deadlines. Remember that staff should remain cautious when clicking on links in their personal email as well as their district mailboxes.
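For the block-list action above, the following is an added example (not PhishID code) that refangs the six indicators listed on this page and matches URLs by label-aligned hostname suffix, so subdomains of a listed host are caught without blocking the shared parents azurewebsites.net or smathis.com. Treating learnmaths.fun as a wildcard parent is an assumption drawn from the "put-anything-here-and-it-works" label; the function and variable names are illustrative.

```python
from urllib.parse import urlsplit

# Indicators as published on this page (defanged).
DEFANGED = [
    "learnmath4kids[.]smathis[.]com",
    "put-anything-here-and-it-works[.]learnmaths[.]fun",
    "multiplicatino[.]com",
    "postal-office[.]shop",
    "national-filing-service[.]com",
    "onetfedsusa[.]azurewebsites[.]net",
]

# Assumption: the first label of the learnmaths[.]fun indicator suggests the
# site answers on any subdomain, so the parent domain is blocked as well.
WILDCARD_PARENTS = {"learnmaths.fun"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a normalized hostname."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")


def build_blocklist(indicators, wildcard_parents=()):
    """Return the set of hostnames to block."""
    return {refang(i) for i in indicators} | set(wildcard_parents)


def host_of(url: str) -> str:
    """Extract the hostname from a URL or bare host, ignoring port and path."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(url: str, blocklist) -> bool:
    """True if the host equals a blocked name or is a subdomain of one."""
    labels = host_of(url).split(".")
    # Compare whole labels only (a.b.c -> a.b.c, b.c, c), so a look-alike
    # such as "notmultiplicatino.com" does not match "multiplicatino.com".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


BLOCKLIST = build_blocklist(DEFANGED, WILDCARD_PARENTS)
```
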


