Phishing scam targeting UI computer users, passwords

If you got an email message with a fax attachment from someone at the University of Illinois on Wednesday, you should probably delete it.

A two-part computer "phishing" scam ultimately designed to steal banking passwords attacked UI computer users and their off-campus email contacts as far away as Ohio.

The first wave came in an email message indicating that the user had authorized a large payment to PayPal or another site; the amount varied from email to email, said Brian Mertz, spokesman for UI Technology Services.

An attachment included a piece of malware intended to infect the user's computer, read its address book and use that to send out a second wave of emails with a dangerous fax attachment known as a "banking Trojan."

"We've seen this fax attack before," Mertz said. "The fax is actually a piece of malware called TrickBot. What it's trying to do is steal passwords," usually bank passwords, he said.

Technology Services disabled the attachment so that it no longer included the malware, he said.

"So people may have received that email, but if we blocked it in time all they would open is a harmless text file," he said. "That was our way of stopping the spread of the risk farther on campus."

But he emphasized that anyone who received the email should simply delete it and not open the attachment, just to be safe.

The emails appeared to be legitimate. The sender usually showed up as a familiar name and address. The subject line read, "You have received a fax," and the body of the email said, "This email scanned with McAfee," a common antivirus product.
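The indicators in the paragraph above (the subject line, the body text, a "fax" attachment, and a sender who is a known contact) are the kind of thing a mail gateway or triage script can key on. The following Python script is an added example, not code from the article or from UI Technology Services; the sample messages, the known-contacts list and the risky-extension list are constructed for illustration.

```python
"""Flag inbound messages matching the indicators described in the article.

Added example, not part of the original news story or of UI Technology
Services' tooling. Sample messages and lists below are constructed.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Indicators reported in the article, matched case-insensitively (assumed exact phrases).
SUSPICIOUS_SUBJECT = "you have received a fax"
SUSPICIOUS_BODY_PHRASE = "this email scanned with mcafee"

# Attachment extensions a "fax" should never arrive as; this list is an assumption.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".exe", ".scr"}

# Constructed stand-in for a directory lookup of known internal senders.
KNOWN_CONTACTS = {"colleague@example.edu"}


def score_message(raw: str) -> dict:
    """Parse one raw RFC 5322 message and return the indicators found plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    hits = []

    if SUSPICIOUS_SUBJECT in subject:
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    if SUSPICIOUS_BODY_PHRASE in body:
        hits.append("body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append(f"attachment:{name}")

    # A familiar sender is recorded for the responder's benefit, not as a reason to
    # relax: the article's point is that the familiar name is what made the lure work.
    if sender in KNOWN_CONTACTS:
        hits.append("known-sender")

    content_hits = [h for h in hits if h != "known-sender"]
    return {"from": sender, "hits": hits, "quarantine": len(content_hits) >= 2}


def build_sample(sender: str, subject: str, body: str, attachment_name: str = None) -> str:
    """Build a constructed test message as a raw string (helper for the example only)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.edu"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"\x00constructed attachment bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    # Constructed lure that mirrors the article's description.
    lure = build_sample("colleague@example.edu", "You have received a fax",
                        "This email scanned with McAfee", "fax_scan.docm")
    # Constructed benign message from the same known sender.
    benign = build_sample("colleague@example.edu", "Lunch Thursday?", "Are you free on Thursday?")
    for raw in (lure, benign):
        print(score_message(raw))
```

The verdict requires two content indicators so that a legitimate message that merely mentions a fax is not quarantined; the "known-sender" hit is deliberately excluded from that count because, as the article notes, a recognizable sender is exactly what a recipient should not rely on.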

"That name that people recognize is what made this a dangerous and tricky phishing attack," Mertz said. "It wasn't from a stranger or random-looking email account, but people we all interact with. I got emails for people I interact with every single day.

"That's what makes a phishing attack a good phishing attack," Mertz said.

Technology Services alerted campus users Wednesday morning and sent a mass email later in the day explaining what to do if they received the emails or mistakenly clicked on the attachments.

Mertz said anyone who opened the fax before it was disabled should run Malwarebytes or other anti-malware software, and make sure it says "everything is clean" before updating their passwords.

"If you try to update them first, TrickBot will just steal your passwords," he said.

He wasn't aware of any damage caused by the attack but said it depends on how quickly the thieves would try to use the stolen passwords. Some gather lists of passwords to sell to other people, he said, so it's important for users to remove the malware and change their passwords for the UI and financial institutions.