Click Here to Validate Your Credentials…

by Guillermo J. Rosas, Faculty, Information Technology, Metropolitan Community College

General Disclaimer

This write-up has been provided for informational and educational purposes only.I strongly discourage students and staff from attempting the same exploration.

The exploratory tasks discussed in this write-up were performed on a virtual machine hosted on a physical machine separated from other computers on my home network. The host machine is scheduled to be rebuilt during quarter break and it is not used aside from experimenting. It’s important to note, the destination website could have potentially hosted malware and my machine could have become infected in the process of this write-up.

In other words, enjoy the write-up but don’t try this at home, kids.


Many of us have been the recipients of a large number of phishing emails over the past few weeks. Figure 1 (below) shows one of the many emails I received earlier this week.

An onslaught of phishing emails!
Figure 1

As shown in Figure 1, the email directs the recipient to verify their email by clicking on a link provided in the body of the email.

If you hover over the link (without clicking on it), Outlook will display the destination URL (or where the link will take you if you click on it), which is (Figure 2).  This should be a huge red flag — Weebly is a web-hosting service that provides a simple drag-and-drop interface building to help small organizations quickly and easily build websites. The important thing is, this URL is pointing to a site that is not MCCNEB.EDU.

Hovering over the link (without clicking on it), Outlook will display the linked URL, which is
Figure 2

The browser-based version of Outlook (and other email services such as GMail) will also display a link’s destination URL when hovered over; however, the destination URL will appear at the bottom of the browser window – as shown in Figure 3.

A view of the destination URL displayed at the bottom of the browser window.
Figure 3

Consider for a moment, the websites you browse to access school resources:

  • will take you to the school’s webpage
  • will take you to MyWay, where you can access your student email, OneDrive, Blackboard, etc.
  • will take you to the Blackboard home page.

The one common thread amongst the websites listed above, is that they all end with — in no instance does a school website end with .com or with

So, What Happens If I Click On The Link?

I thought you’d never ask . . .

I suspect a number of students have clicked on the links in the phishing emails. My suspicion stems from the fact that the emails are coming from internal addresses.

Out of curiosity, let’s see what happens when we browse to one of the links in a phishing email….

Browsing to took me to the page shown in Figure 4 (below). What a nice page.

The page that appears when we click on a link in a phishing email.
Figure 4

Note the information being collected by the form shown in Figure 3: First and Last Name, Email Address and Password.

The page does contain Metropolitan Community College branding – note the use of the school’s logo.

Let’s scroll down to the bottom of the page (Figure 5).

The bottom of the page hosted at
Figure 5

A big red flag, in my mind (aside from the abhorrent look of the page and the fact that the page is hosted on are:

  • the giant Create a free website button; and,
  • the Powered by Weebly graphic

Let’s take a quick look at the source code of the webpage (Figure 6).


Viewing the source code of the page hosted at
Figure 6

In Figure 6 (above), I’ve highlighted the HTML that defines the initial part of the form shown in Figure 4.

Without getting too technical, when a visitor fills out the form and clicks Submit, the information contained in the form will be sent to — basically, when the user clicks Submit, the information in the form will be sent to a script on the server.  I do not have insight into that script but I suspect the script simply collects the information and writes it into a database, collecting usernames and passwords from users who clicked on the link in the phishing email and subsequently provided their credentials.

Now this guy has someone’s credentials.

Hacker Image from Wikimedia Commons
Figure 7 – By Chinna98 (Own work) CC BY-SA 4.0 (, via Wikimedia Commons

So What?

So, a hacker has my MCC credentials — so what!?

Consider what you have access to at the school. Even if you’re a student, you have access to:

  • Your email account;
  • Your classes via Blackboard;
  • Your academic record;
  • Your financial information;
  • Your demographic information including home address, telephone number, etc.; and,
  • Your contacts

And so forth and so on.  The key thing in that list is your information. At MCC, nobody should have access to your information but you, some staff, and your instructors.

How Do I Stay Safe?

Healthy skepticism.

  • Be wary of any links contained in email even if the email comes from a known or trusted contact. Consider, the phishing attacks of late are coming from MCC user accounts.
  • Preview links contained in emails by hovering over them in Outlook to display the destination URL (where the link will take you if you click on it).
  • MCC will never ask you to provide your username or password
  • Change your password frequently. The school will make you change your password every 90 days, but why wait?

Help! I Clicked A Link!

If you happen to click on a suspicious link and if you think your credentials may be compromised, change your password by visiting the MCC password station at


Guillermo J. Rosas is a full-time faculty member in the Business and Information Technology Department at Metropolitan Community College (MCC). He has over 18 years of experience in the field of Information Technology. Prior to joining MCC’s faculty, Guillermo worked as a Network Defense technician at the USSTRATCOM Network Operations Center.

Guillermo holds a BS in Information Systems from Bellevue University, and a MBA from Bellevue University. His professional certifications include: A+, Security+, Network+, Linux+, Certified Ethical Hacker, and Certified Information System Security Professional (CISSP).


Phishing Campaigns at MCC

Contributed by Christopher Wagner, Cybersecurity Major

Phishing is just what it sounds like, but with a different spelling.  A fisherman places bait on their hook and hopes that fish will come along and bite it.  The bait in this analogy often takes form of an email, text message, or even a Facebook message and at times they can claim to be friends, relatives, or even the MCC Help Desk.  The fish, being the individual who received the message, is often directed to click on a link or provide credentials (username and/or password).  These emails are made to appear authentic and to trick the user into giving up information.

With the holiday season coming up phishing emails will be on the rise appearing from legitimate companies.  The best way to be able to spot a phishing email is to look for key indicators on where the email is from, what the email is asking you to do, and what incentives there are for opening the email.  In the example below from my own email address, I have a phishing email claiming to be from Amazon about an order and an opportunity to a $50.00 reward as a promotion.

Highlighted in the red boxes are indicators that alert me to this email is in fact a phishing attempt.  Although the email says it is from Amazon, 1st red box, we can tell upon further inspection that it is not from Amazon.  Looking at the email address of the sender and ensuring that it is from the actual website itself and not a suspicious chunk of text is the first red flag.  Going onto the 2nd red box we can see that I’m entitled to a $50.00 reward for my latest activity.  This however is the bait to entice me to clicking the link that will either install malicious software on my computer (malware) or direct me to a website that is designed to appear just as Amazon’s login page looks like and steal my personal information.  Upon hovering over the link with the cursor we can see 3rd red box which is a URL shortener.  Amazon does not use these and being aware of where links are directing the user to is important.  The key part in this is identifying the web address.  Some phishing emails attempt to mask the address as such:  Did you notice the missing M in the link?  By thoroughly reading the website address you can determine if the email is legit.

The main objective of a phishing campaign is to gain personal information by getting unsuspecting users to click on links or provide user credentials, credit card information, or personal information to the attacker.  Phishing emails are designed to entice the user into opening them with the promise of a reward or by creating a sense of urgency such as your password needs updated, or you will not be able to access your MCC account.  By being proactive in looking for indicators in all emails, social media messages, and text message you can help combat phishing and keep your personal information safe from attackers.  Should you receive a phishing email mark it as spam and do not follow the instructions or simply just delete it.

One important note to remember is that the MCC Help Desk will never ask for credentials or provide links for you to reset your password or update your information.  They will simply provide a step by step guide on how to access the Password Station or how to change your password when logged onto campus computers as seen below.  This email is from my personal account at MCC stating that my password will soon expire and contains no links whatsoever, in addition to having the correct MCC Help Desk email address.

Christopher Wagner is a computer enthusiast and enjoys learning about InfoSec.  At age 10 he was given his first computer and that sparked a growing passion in learning how they worked.  In addition, he found an interest in the ever-evolving world of InfoSec.  What started as simple viruses to annoy people to ransomware demanding payment in return for decrypting data.  Learning how to build computers and troubleshoot issues that arose, he was able to start freelancing computer repair.  Most recently, Christopher started attending Metropolitan Community College for Information Assurance and hopes to one day find a career in InfoSec.