Dear faculty, students, and staff,

The email below is a phishing attack designed to steal your Google account username and password (or any other account username and password you are tricked into divulging).

The message contains an image (seen in the email below) asking you to open the attached PDF urgently. No other information is provided, which creates a sense of mystery and rouses your curiosity. If you open the PDF, you see a Google Drive icon and an invitation to click, which sends you to a website that states:

  • “Google Drive now supports multiple email providers,” which is designed to encourage you to enter any username and password. They want to steal anything you are tricked into entering.
  • “A safe place for all your files,” appears above a “Go to Google Drive” button. If you press that button, a popup asks you to enter your username and password as shown below.

Clicking “OtherEmails” gives you the option of selecting Gmail, Yahoo, Outlook, and Aol accounts. That is, they will take any username, password, and phone number that you enter at this point.

The new bits of this phishing attack are:

  1. The use of images (not text) to ask you to click or open files, which is harder for virus scanners to read
  2. The use of a PDF file with an embedded link, which is harder for virus scanners to detect
  3. The use of a website that claims to accept any username and password
  4. The use of a button to pop up a dialog box that asks for your username and password. Hovering your mouse over the button does not reveal the target link because the button press action is handled by JavaScript. And since you cannot see the target link, you are less likely to step away.

Please delete any similar email that you may get. You can first forward it to us at qatar-infosec@qatar.cmu.edu so that we can analyze things further.

Thank you.

Khalid Sarwar Warraich | Chief Information Officer
 

Begin forwarded message:

From: “Tilbury, Stephanie” <stephanie.e.tilbury@mcpsmd.net>
Date: December 15, 2016 at 2:49:04 PM GMT+2
To: undisclosed-recipients:;
Subject: Important message

Phishing attack: attempt to steal username and password
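
A mail-triage heuristic for traits 1 and 2 in the list above, added here as an example and not part of the original message: it flags a message whose body is an image with almost no text and whose PDF attachment carries a link action. The sample message, its addresses, the URL and the 20-character threshold are constructed assumptions; PDFs that keep link objects in compressed streams need a real PDF parser instead of this byte search.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Link actions as they appear in uncompressed PDF objects: /URI (http://...)
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")

def triage(raw: bytes) -> dict:
    """Flag an image-only body combined with a PDF attachment that holds a link."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_chars, images, pdf_links = 0, 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "application/pdf":
            data = part.get_payload(decode=True) or b""
            pdf_links += [m.decode("latin-1") for m in URI_ACTION.findall(data)]
        elif ctype.startswith("image/"):
            images += 1
        elif ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            html = part.get_content()
            images += len(re.findall(r"<img\b", html, re.I))
            text_chars += len(re.sub(r"<[^>]+>", "", html).strip())
    image_only = images > 0 and text_chars < 20  # threshold is an assumption
    return {"image_only_body": image_only, "pdf_links": pdf_links,
            "suspicious": image_only and bool(pdf_links)}

def build_sample() -> bytes:
    """Constructed message imitating the described layout; not the real email."""
    m = EmailMessage()
    m["Subject"] = "Important message"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.org"
    m.set_content('<html><body><img src="cid:notice" alt=""></body></html>',
                  subtype="html")
    # Constructed PDF fragment with one link annotation (placeholder URL).
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://phish.example.invalid/drive) >> >>\n"
           b"endobj\n%%EOF\n")
    m.add_attachment(pdf, maintype="application", subtype="pdf",
                     filename="document.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit from this check is a reason to quarantine the message for review, not proof of phishing, since legitimate mail can also pair an image with a linked PDF.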