Detection of phishing emails

Phishing or fake e-mails usually show several of the features listed here. Knowing these features and being aware of such attack attempts protects against unauthorized access to university data, to personal information and to login credentials.

Typical subject lines

  • Check and update your Bauhaus-Universität webmail account
  • Account Verification
  • Warning
  • confirm your account
  • UPDATE
  • Final warning!!!
  • Account Upgrade Alert!
  • Dear Webmail Account Owners
  • You have exceeded the storage for your mailbox

The subject lines are intended to create pressure to act, but are often vague or even meaningless, or they contain errors.

(Urgent) request to act immediately, often justified with security arguments

Examples:

  • Your e-mail account has been temporarily deactivated by the System Mail administrator due to unusual activity in your e-mail account as some information has not been verified. To activate your account, click on the following link
  • If not collected from you in the next 24 hours, we will shut down your mail account until after proper verification before you can access your mail account again. Click on »Upgrade« to add free storage space of 20 GB. Your mail account will be closed if you are unable to increase the storage capacity. Click on Update to increase your storage capacity by 20.00 GB ...
  • Your user account needs to be updated. Please log in to Weimar-Universität to confirm your password

Log-in/password request

The SCC and other Bauhaus-Universität institutions will NEVER ask you to send your personal login information (user name and password) by e-mail.

An e-mail requesting this information is a forgery.

Requesting data that the sender already has or must not know

Users' personal passwords are of no interest to service providers (SCC, hosting providers, ...) and are never requested. Data that users have already provided to a service provider is not requested again when something changes (even if a database crashes, a backup exists).

The e-mail asks you to click an external link or to open an attached file

The SCC will never ask you to enter sensitive data on a website outside our domain uni-weimar.de. Attachments of suspicious e-mails should at least be uploaded to virustotal.com and checked for malware before they are opened.

Frequent threats of negative consequences (account blocking) for failure to comply with requests

  • Failure to do so may result in the cancellation of your webmail account.

Mail address does not match the alleged sender

  • webmaster@uni-weimar.de (fsshaffer@verizon.net)
  • Webmaster (mariae.lopez@odontologia.unt.edu.ar)
  • Mail System Administrator (Xavier.De.Ghellinck@ulb.ac.be)

The SCC only sends official e-mails via internal university e-mail accounts.

Attention: The displayed sender name and the displayed sender address of an e-mail have no evidentiary value whatsoever (a design weakness of e-mail dating from its early development). A sender can only be verified beyond doubt by means of a digital signature.

Subject does not match the content of the e-mail

  • Subject: Draft law: 10795497, Content: Bill

Subject in a language not used by us

The SCC usually sends e-mails in German, if necessary in English. We do not use any other languages, neither in the subject nor in the text.

Lack of personal address

A service provider knows the names of its customers or clients and the important contract data. The SCC will always address you personally.

Note, however, a newer trend: spear phishing, in which the e-mail is tailored to its recipient and may well address you personally.

Use of unusual terms

Names or units are used that do not exist, or are not used, at Bauhaus-Universität Weimar or the SCC:

  • Bauhaus-Universität Webmail Management
  • Bauhaus-Universität Webmail Message Center
  • The Webmail team
  • Webmail Verification Centre
  • IT-Service-Center
  • The Help Desk Admin
  • Support-Team
  • Mailer Security service
  • Admin Help Desk

Overly generic designations:

  • system administrator
  • Systemadministrator

Incorrect pairing of unit and service:

  • (Web)-Mail to Webmaster

Stilted, overly casual or clumsy, unusual wording:

Examples:

  • Shut down your account, in the next 12 hours!
  • Thank you, and sorry for the inconvenience
  • We are quite grateful for the exploitation of our services.
  • ... We have reason believe that third party accessed your e-mail account.
  • Good day, you should be quite happy now, because you have...
  • The security of your e-mail account is our main concern.
  • Die ganze Summe können Sie in der Datei rechnung516.cab herunterladen
  • You can download the whole sum in the file rechnung516.cab
  • ... that you reprint the paper...
  • This prevents your email completed during this exercise.
  • You are required to check and update your e-mail with confirmation of your e-mail identity immediately.
  • In order to identify the culprits and preserve the funds from our clients unharmed…
  • In order for the system to run properly, we ask you to complete the Additional Authorisation Form
  • Da zur Zeit die Betrügereien mit den Bankkonten von unseren Kundschaften öfters geworden sind
  • Since the frauds with the bank accounts of our clients have become more frequent at the moment…
  • This measurement serves to protect you and your money!
  • We value your business. It is a great honour for us to serve you.
  • your 5 (five) incoming e-mails are on hold

Incorrect character set representation:

Examples:

  • Amount: ?200.81
  • "Our specialists have redesigned ьboth the protocols of informatioьn transmission and the methods of coding the transmitted data."
  • "Administration of the Stadtsparkasse M&# 252;chen "

Grammar and spelling mistakes:

Examples:

  • Subject: Ordering 31516959959 (instead of Order)
  • Your order #31516959959 will be sent 20-06-2014.
  • Your mailbox has exceeded the storage limit of 2.GB Founded by the administrator is currently 2,30 GB, cannot send or receive new messages until you re-validate your e-mail Click the link below to your e-mail validation
  • This is, to notify, all webmail account users, the admin webmail is currently clogged, so are we deleting inactive accounts.
  • Note that your e-mail account set the memory limit value, in that the administrator/database has exceeded you currently run out of context and you may not to send or receive new mail, until to reconfirm your account. Of your e-mail account to avoid were closed, click here
  • This is to notify you that you exceeded the storage limit for your mailbox.
  • Your mailbox has exceeded the storage limit as set by the default administrator, you are currently low and you are unable to send or receive new mail until you revalidate your mailbox are.

Switching between the informal (»du«) and the formal (»Sie«) form of address

Examples:

  • Okay, du musst eine Aufgabe für mich diskret erledigen. ... Anrufe sind verboten, daher kann ich Sie nur per E-Mail kontaktieren.
  • Okay, you (informal »du«) have to do a task for me discreetly. ... Calls are forbidden, so I can only contact you (formal »Sie«) by e-mail.
  • Bitte helfen Sie mir, vier Amazon-Geschenkkarten im Wert von 100 € in einem beliebigen Geschäft zu erhalten. ... Ich werde es dir erstatten, sobald ich im Büro bin. Ich brauche physische Karten, also hilfst du mir, sie aus dem Laden zu holen. Wenn Sie sie erhalten, kratzen Sie einfach,
  • Please help me (formal »Sie«) to get four Amazon gift cards worth 100 € from any store. ... I will reimburse you (informal »dir«) as soon as I am in the office. I need physical cards, so you (informal »du«) will help me get them from the store. When you (formal »Sie«) receive them, simply scratch,

(Examples are in German because there are hardly any examples in English.)

Mix of languages (English-German etc.):

Examples:

  • Diese Nachricht ist von the Admin Help Desk.
  • Aufgrund unserer neuesten IP-Sicherheit party-Upgrades...
  • Email Alert-Benutzer
  • WICHTIG: dear-Mail-Konto User
  • UNIVERSITÄT Webmail Security Alert

Incomprehensible content

A completely or largely incomprehensible e-mail is meant to provoke a reaction from the recipient, such as a query, a reply or the like.

Example:

  • Ivgtqcrpnte9n2mrjgrnationaeyzl Saqehles
    Ja16mgckowpertkywnla Mklxold Co., ta5bbLigmci8td Wtorvipfcpebwxrncxfvqhwwc1gidv4km.joyrqlstawaqn9.c4xckl3om
    Note: - If you are not interested then you can reply with a simple "NO", We will never contact you again.

Notice: If you answer with »NO«, you will probably not be spared further spam; quite the contrary. In addition, you may reveal further details to the spammer through the information in your personal e-mail signature text.

Link in the e-mail refers to an address that does not belong to the sender's address range.

Do not click; just hover the mouse cursor over the link so that the e-mail client or browser displays the actual target address.

If the link was clicked after all, see »Detection features of phishing websites«.

Content contradicts real facts

At Bauhaus-Universität Weimar there are no limits regarding e-mail usage, so no storage limit can be exceeded.

Unrealistic content

If something sounds too good to be true, it usually is a fake.

Examples:

  • alleged (lottery) win, although one has not played at all
  • alleged large inheritance from a stranger (from abroad)

Unusual/uncommon request

In administration in particular, standard processes are routine, and e-mail is part of them. If a completely new or previously unusual request suddenly arrives (possibly supposedly from a superior), skepticism is advisable. If you are unsure, always ask the alleged sender (obtain the contact details from a reputable source, never from the e-mail itself) or the SCC User Service.

Examples:

  • Wir informieren Sie hiermit, dass Ihr Schufa-Status sich geandert hat.
  • We hereby inform you that your Schufa status has changed.
    attached you will find the requested information as a PDF file.
  • Enclosed you will find the transfer voucher, so the money should soon be with you on the account. Also attached is the scan of the agreement.

E-mail cannot be assigned to a real process

If an e-mail that supposedly refers to ordering processes or the like cannot be assigned to any real process, it is likely to be a forgery.

  • Attached to this e-mail you will find a .DOC file with the requested information.
    scanned document: (no info requested)
  • Rech 83439167665 [Last name First name, intern] 
    You will receive your invoice as an attachment.

Job advertisements of the Bauhaus-Universität always state reference information that an application should quote. If this information is missing, skepticism is appropriate.

Dubious mail attachments and unusual file formats

Phishing e-mails often carry attachments that contain malware such as Trojan horses instead of the supposed invoice. Reputable companies usually use the PDF format for this purpose and never executable files (.exe) or archives (.zip); the use of .cab files is also untypical. More recently, there have been increasing attempts to smuggle malware onto IT systems via JS (JavaScript) files. JavaScript is not a format for office documents (!) but executable code, so you will never receive an invoice or similar in this format from a reputable sender.

When using Windows, make sure that the display of extensions for known file types has not been disabled; otherwise an executable file can be passed off as a document by giving it a double extension (fileixy.pdf.exe), which Windows then displays as fileixy.pdf.

  • Attached you will receive your associated invoice as a JS document.
    scanned document:
    ...ttp://jemsonline.co.uk/scanned-document-017283593...
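As an added example (not part of this SCC page), the following Python script checks a raw e-mail for four of the indicators described above: a display name imitating an address at a different domain (»Mail address does not match the alleged sender«), link and image hosts outside both the real sender's domain and uni-weimar.de (»Link in the e-mail refers to an address that does not belong to the sender's address range« and »Logo is hosted externally«), and attachments whose real extension is executable or an archive, including the double-extension trick (fileixy.pdf.exe). The sample message and every domain other than uni-weimar.de are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
ORG_DOMAIN = "uni-weimar.de"             # the SCC's own domain, named on this page
RISKY_EXT = {"exe", "js", "cab", "zip"}  # formats the page calls untypical for invoices
# Constructed sample carrying four indicators from this page; not a real e-mail.
SAMPLE = """\
From: "webmaster@uni-weimar.de" <fsshaffer@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p><img src="https://cdn.example.com/logo.png"> Storage exceeded:
<a href="http://webmail-update.example.org/login">Click here</a></p>
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""

def under(host, domain):  # host is the domain itself or one of its subdomains
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_sender(msg):
    # display name that imitates an address at a domain other than the real one
    addr = msg["From"].addresses[0]
    shown = re.search(r"@([\w.-]+)", addr.display_name)
    if shown and not under(shown.group(1), addr.domain):
        return f"display name claims {shown.group(1)}, real address is {addr.addr_spec}"
    return None

def check_links(msg):
    # href/src hosts that belong neither to the real sender's domain nor to ORG_DOMAIN
    body = msg.get_body(preferencelist=("html", "plain"))
    hosts = re.findall(r'(?:href|src)="https?://([^/"]+)', body.get_content()) if body else []
    real = msg["From"].addresses[0].domain
    return [h for h in hosts if not (under(h, real) or under(h, ORG_DOMAIN))]

def check_attachments(msg):
    # only the last extension counts, so invoice.pdf.exe is caught like invoice.exe
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").rsplit(".", 1)[-1].lower() in RISKY_EXT]

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    s = check_sender(msg)
    return (["sender: " + s] if s else []) \
        + ["link/image host outside sender domain: " + h for h in check_links(msg)] \
        + ["risky attachment: " + n for n in check_attachments(msg)]
```

Running `triage(SAMPLE)` reports all four indicators; a plain-text mail from an uni-weimar.de address that links only to www.uni-weimar.de yields an empty list.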

Link instead of attachment

The e-mail talks about an attachment, but it contains a link instead.

  • It is attached below.
    APPENDIX TO THE DOCUMENT (...ttps://negahad.ir/.../Loan_agreement_669697_18052020.zip) 

Using macros in Office documents

Attackers often try to smuggle malware onto IT systems via macros in Office documents (e.g. Word files). The macro function should therefore be deactivated by default and, if possible, remain so. Macros should be enabled temporarily only if there is no doubt that the document's macro is legitimate and contains no malicious code. If in doubt, ask the supposed sender via a known, alternative communication channel (such as the telephone; caution: never take the telephone number from a suspicious e-mail).

Missing commonly used information/ electronic signatures

If you suddenly receive e-mails from known senders without an imprint, even though they usually use one, or suddenly receive unsigned e-mails even though an electronic signature was always used before, you should be alert: in forgeries this information is often missing. However, a legitimate sender may simply be writing from a mobile device such as a smartphone, which often omits it. Senders should therefore configure their mobile devices so that recipients are not confused by a different appearance and missing features. Electronic signatures are the only way to identify the sender of an e-mail beyond doubt.

In Germany, business e-mails are legally required to carry a signature block with mandatory company information. If this mandatory information is missing from a supposed business e-mail, it is very likely a forgery. Details: external link

Logo is hosted externally

A company or organization logo used in a phishing e-mail is hosted on an external image-hosting service rather than by the company or organization concerned, and a misleading file name may be used to disguise the misuse:

  • Subject: Paypal: Update our terms and conditions
    <https://abload.de/img/mixtapev6lon.png>
    Dear Mr. ...

E-mail is intercepted by our anti-spam solution and marked as such

If an e-mail is recognized and marked as such by the spam filter, the probability is very high that it is a forged, compromised, unwanted or malicious e-mail. Such an e-mail should only be released if a misclassification has been established beyond doubt.

  • [SPAM] scanned document 62304401722

Unprofessional design of alleged business emails