Category: Faculty-Written New Articles

Click Here to Validate Your Credentials…

by Guillermo J. Rosas, Faculty, Information Technology, Metropolitan Community College

General Disclaimer

This write-up has been provided for informational and educational purposes only.I strongly discourage students and staff from attempting the same exploration.

The exploratory tasks discussed in this write-up were performed on a virtual machine hosted on a physical machine separated from other computers on my home network. The host machine is scheduled to be rebuilt during quarter break and it is not used aside from experimenting. It’s important to note, the destination website could have potentially hosted malware and my machine could have become infected in the process of this write-up.

In other words, enjoy the write-up but don’t try this at home, kids.

Introduction

Many of us have been the recipients of a large number of phishing emails over the past few weeks. Figure 1 (below) shows one of the many emails I received earlier this week.

An onslaught of phishing emails!
Figure 1

As shown in Figure 1, the email directs the recipient to verify their email by clicking on a link provided in the body of the email.

If you hover over the link (without clicking on it), Outlook will display the destination URL (or where the link will take you if you click on it), which is mailmcnebedu.weebly.com (Figure 2).  This should be a huge red flag — Weebly is a web-hosting service that provides a simple drag-and-drop interface building to help small organizations quickly and easily build websites. The important thing is, this URL is pointing to a site that is not MCCNEB.EDU.

Hovering over the link (without clicking on it), Outlook will display the linked URL, which is mailmcnebedu.weebly.com
Figure 2

The browser-based version of Outlook (and other email services such as GMail) will also display a link’s destination URL when hovered over; however, the destination URL will appear at the bottom of the browser window – as shown in Figure 3.

A view of the destination URL displayed at the bottom of the browser window.
Figure 3

Consider for a moment, the websites you browse to access school resources:

  • www.mccneb.edu will take you to the school’s webpage
  • https://myway.mccneb.edu/ will take you to MyWay, where you can access your student email, OneDrive, Blackboard, etc.
  • https://blackboard.mccneb.edu/ will take you to the Blackboard home page.

The one common thread amongst the websites listed above, is that they all end with mccneb.edu — in no instance does a school website end with .com or with weebly.com

So, What Happens If I Click On The Link?

I thought you’d never ask . . .

I suspect a number of students have clicked on the links in the phishing emails. My suspicion stems from the fact that the emails are coming from internal addresses.

Out of curiosity, let’s see what happens when we browse to one of the links in a phishing email….

Browsing to mailmcnebedu.webly.com took me to the page shown in Figure 4 (below). What a nice page.

The page that appears when we click on a link in a phishing email.
Figure 4

Note the information being collected by the form shown in Figure 3: First and Last Name, Email Address and Password.

The page does contain Metropolitan Community College branding – note the use of the school’s logo.

Let’s scroll down to the bottom of the page (Figure 5).

The bottom of the page hosted at mailmcnebedu.weebly.com
Figure 5

A big red flag, in my mind (aside from the abhorrent look of the page and the fact that the page is hosted on weebly.com) are:

  • the giant Create a free website button; and,
  • the Powered by Weebly graphic

Let’s take a quick look at the source code of the webpage (Figure 6).

 

Viewing the source code of the page hosted at mailmcnebedu.weebly.com
Figure 6

In Figure 6 (above), I’ve highlighted the HTML that defines the initial part of the form shown in Figure 4.

Without getting too technical, when a visitor fills out the form and clicks Submit, the information contained in the form will be sent to www.weebly.com/weebly/apps/formSubmit.php — basically, when the user clicks Submit, the information in the form will be sent to a script on the server.  I do not have insight into that script but I suspect the script simply collects the information and writes it into a database, collecting usernames and passwords from users who clicked on the link in the phishing email and subsequently provided their credentials.

Now this guy has someone’s credentials.

Hacker Image from Wikimedia Commons
Figure 7 – By Chinna98 (Own work) CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0), via Wikimedia Commons

So What?

So, a hacker has my MCC credentials — so what!?

Consider what you have access to at the school. Even if you’re a student, you have access to:

  • Your email account;
  • Your classes via Blackboard;
  • Your academic record;
  • Your financial information;
  • Your demographic information including home address, telephone number, etc.; and,
  • Your contacts

And so forth and so on.  The key thing in that list is your information. At MCC, nobody should have access to your information but you, some staff, and your instructors.

How Do I Stay Safe?

Healthy skepticism.

  • Be wary of any links contained in email even if the email comes from a known or trusted contact. Consider, the phishing attacks of late are coming from MCC user accounts.
  • Preview links contained in emails by hovering over them in Outlook to display the destination URL (where the link will take you if you click on it).
  • MCC will never ask you to provide your username or password
  • Change your password frequently. The school will make you change your password every 90 days, but why wait?

Help! I Clicked A Link!

If you happen to click on a suspicious link and if you think your credentials may be compromised, change your password by visiting the MCC password station at https://www.mccneb.edu/Current-Students/Student-Tools/Password-Station.aspx

 

Guillermo J. Rosas is a full-time faculty member in the Business and Information Technology Department at Metropolitan Community College (MCC). He has over 18 years of experience in the field of Information Technology. Prior to joining MCC’s faculty, Guillermo worked as a Network Defense technician at the USSTRATCOM Network Operations Center.

Guillermo holds a BS in Information Systems from Bellevue University, and a MBA from Bellevue University. His professional certifications include: A+, Security+, Network+, Linux+, Certified Ethical Hacker, and Certified Information System Security Professional (CISSP).

 

Happy Holidays – Now Click Here . . .

by Guillermo J. Rosas, Faculty, Information Technology, Metropolitan Community College

As faculty, we’re always receiving SPAM email of one sort or another; however, this evening I received an email from “Wallmart” informing me I was the recipient of a generous $3.66 eGift Card for Walmart as part of an “Online DVD Rental Settlement” (Figure 1).

Figure 1

I hope you notice the fact that I surrounded “Wallmart” in quotation marks in my previous paragraph. Let’s take a closer look at this email (Figure 2). Notice how the email is coming from egiftcards@wallmart.com – did you catch that second “L” in the sender’s email domain? It’s interesting because Walmart is spelled with one “L.” The sender includes a Walmart logo at the top of the email – note how the logo is spelled correctly, with one “L.” Although Figure 2 doesn’t point it out, the subject of the email also spells Walmart correctly, with the single “L” – the sender’s domain is the only item that is “misspelled” in this email.

Figure 2

These are red flags. Why would I be receiving an email from Walmart from a sending domain of “Wallmart.com”?

Interesting. Let’s not click on anything, though. Microsoft Outlook will display the linked URL when we hover our mouse over a hyperlink. Let’s use this feature to find out a little more about our email.

When I hover my cursor over the button, View My eGift Card, a popup appears (Figure 3). Note the URL that appears in the label that appears  - secure.payment-gatteway.microransom.us – doesn’t sound like a Walmart-type website. It also doesn’t sound like a very nice URL to visit.

Figure 3

Let’s hover over the URL at the bottom of the page, the text of which says it will take us to, getegiftcard.walmart.com – that’s sounds legit. Plus I want my $3.66

Placing my mouse over the getegiftcard.walmart.com link shows the linked text will actually take us to secure.payment-gateway.microransom.us — it’s not looking as though I’m going to get my $3.66 any time soon 🙁

Figure 4

Grrrr… I want my $3.66. Let me check that Help Center link at the bottom of the page. I hover my mouse of the text our Help Center and the linked URL appears…. and it also leads to secure.payment-gateway.microransom.us … alas, it doesn’t look like I’m going to get my $3.66 eGift Card… oh the things I could buy with that.

Figure 5

So what do I do now? Panic? That’s usually fun, but it’s not really a good option. The solution to this is simple:

  • Always be skeptical about the links in any email message; don’t just click on a link, even if it comes in an email from a person you know.
  • If you are tempted to click on a link, or if you have to click on a link, examine the link to make sure it’s going to direct you to where it says it’s going to direct you. In this example, the link looks like it’s going to take us to a Walmart.com-hosted resource, but when we examine the link, we see we’re actually going to get taken to a resource hosted on a site named microransom.us
  • If you receive a suspicious email from someone you know (a student, a teacher), call that person or go visit them and ask them if they sent the email. Email can be spoofed and it may look like someone you know is sending an email with a malicious link.
  • If you receive an external email from someone like Walmart (as shown in this article), simple mark the email as Junk/SPAM – this will help your email software’s filters learn what emails are unwanted. In Microsoft Outlook (desktop and webapp), you can mark an email as Junk by right-clicking (CTRL+Click in macOS) and then clicking Junk > Block Sender
Figure 6

With the holidays right around the corner, we’ll probably see more emails like these in our MCC inboxes. Generally, there’s nothing to worry about – criminals cast wide nets hoping to catch a few people. Don’t be one of the few – act smart,  be suspicious, and don’t fall for scams.

Guillermo J. Rosas is a full-time faculty member in the Business and Information Technology Department at Metropolitan Community College (MCC). He has over 18 years of experience in the field of Information Technology. Prior to joining MCC’s faculty, Guillermo worked as a Network Defense technician at the USSTRATCOM Network Operations Center.

Guillermo holds a BS in Information Systems from Bellevue University, and a MBA from Bellevue University. His professional certifications include: A+, Security+, Network+, Linux+, Certified Ethical Hacker, and Certified Information System Security Professional (CISSP).