The first targeted a university in the U.K. This phishing attack arrived via email and claimed that students had to disclose certain information necessary for the payment of student grants, college fees, and university invoices. The scam requested the students’ user names, passwords, and National Insurance numbers (the rough equivalent of a Social Security number in the U.S.). After that information was acquired, the phishing site asked whether students preferred to receive payments by check or direct credit, then requested their credit card information.
The second scam masqueraded as the finance directorate of another unnamed U.K. university and sought essentially the same set of user information as the previous scam. This phishing site included legitimate university contact information in hopes of fortifying its legitimacy, which was tragically undercut by the site’s amateur developers, who failed to notice the glaring spelling error in “aaccurately.” Both this site and the previous one are hosted out of IP domains in Texas.
The final site disguised itself as that of a U.S. university and also prompted students for their login credentials. However, once that information was entered, students were redirected to the university’s legitimate site. Strangely, the domain in this case belonged to a South African security services company that had nothing to do with education, but offered armed and unarmed security services.
Symantec researchers speculate that because university web sites serve not only students but also faculty and other employees, these attacks were likely designed to target not just students but various individuals associated with universities.
As with all phishing scams we report on here at Threatpost, we recommend that you avoid following unverified links and never provide personal information in emails or pop-up windows. As far as urgent security messages are concerned, if you are in any doubt about the source of an email, log in directly to the source site; if the message is legitimate, it is more likely than not that there will be a warning message there as well. Installing an anti-virus product and making sure it’s updated won’t hurt either.