Monday, November 10, 2014

University "Accept your new raise" Phish

One of the best emails an employee can get from an employer is the one announcing a raise! In certain industries, such as academia, this type of email is quite rare, so you can imagine what welcome news it would be!

University Salary Phish Example

Phishers have been attacking universities across the country with emails that look like this one (an example email from the University of Chicago):

++++++++++++++++++++++

From: employeebenefits@uchicago.edu
Subject: Your Salary Raise Confirmation

Hello,

The University is having a salary increase program this year with an average of 2.5%.
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:

Click Here hxxp://kirovtourism.ru/www.uchicago.edu/Sign-In.htm to access the documents

Sincerely,
Human Resources
The University of Chicago

++++++++++++++++++++++

Recent reports about Your Salary Raise Confirmation

A Google search for the email subject "Your Salary Raise Confirmation" helps reveal just how many universities are targeted in this attack.

DHS / REN-ISAC / Multi-State ISAC Advisory

On August 18, 2014, the Department of Homeland Security released an advisory titled "University Payroll Theft Scheme" that cautioned universities to be wary of this scheme.

Some of the email subjects that were mentioned in that advisory include:

  • Your Salary Review Documents
  • Important Salary Notification
  • Your Salary Raise Confirmation
  • connection from unexpected IP
  • RE: Mailbox has exceeded its storage limit.

According to the DHS advisory, this scam has been seen repeatedly at a number of universities dating back to at least August of 2013!

If you receive a copy of a phish such as this, please send an alert to: soc@ren-isac.net
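A mail-triage check built from the two indicators shown above, the advisory's subject lines and a link that puts the university's domain in the path of an unrelated host, can flag these messages for review. This is an added example, not code from the advisory or from this blog; the function names and reason strings are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Subjects from the DHS advisory list above, lower-cased, with the reply
# prefix and trailing period removed so that normalized subjects compare equal.
ADVISORY_SUBJECTS = {
    "your salary review documents",
    "important salary notification",
    "your salary raise confirmation",
    "connection from unexpected ip",
    "mailbox has exceeded its storage limit",
}
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.I)


def normalize_subject(subject):
    """Lower-case, drop leading RE:/FW:/FWD: prefixes and a trailing period."""
    s = re.sub(r"^(?:(?:re|fw|fwd):\s*)+", "", subject.strip().lower())
    return s.rstrip(" .")


def lure_urls(body, org_domain):
    """Return URLs that name org_domain in the path or query but are hosted elsewhere."""
    hits = []
    for raw in URL_RE.findall(body):
        parts = urlsplit(re.sub(r"^hxxp", "http", raw, flags=re.I))  # refang
        host = (parts.hostname or "").lower()
        on_org = host == org_domain or host.endswith("." + org_domain)
        if not on_org and org_domain in (parts.path + "?" + parts.query).lower():
            hits.append(raw)
    return hits


def triage(subject, body, org_domain):
    """Return the list of reasons a message deserves a closer look."""
    reasons = []
    if normalize_subject(subject) in ADVISORY_SUBJECTS:
        reasons.append("advisory-subject")
    if lure_urls(body, org_domain):
        reasons.append("org-domain-in-foreign-url")
    return reasons


if __name__ == "__main__":
    # Subject and link line copied from the example email on this page.
    body = ("Click Here hxxp://kirovtourism.ru/www.uchicago.edu/Sign-In.htm "
            "to access the documents")
    print(triage("Your Salary Raise Confirmation", body, "uchicago.edu"))
```

A subject match alone is weak evidence, since legitimate mail can reuse these phrases; the URL check is the stronger signal because the lure depends on the victim seeing the familiar domain somewhere in the link.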
