Phish 2013-05-11 #1

Many people received multiple copies of the following phish. They came from multiple source email addresses.

Screen shot 2013-05-11 at 08.08.30

There are many signs that the message was illegitimate.

  1. The senders are non-USC addresses and were most probably compromised accounts since it does not look like they were forged.
  2. The message is not addressed directly to you.  Instead they BCC’d each recipient and left the To line empty.
  3. Typographical and grammatical mistakes.  “lick”?
  4. Non-USC link which was disguised as a supposedly more legitimate looking URL.
  5. What does “logout the account from your mailbox” mean?
  6. The odd Copyright 2013.

Here is the target web phish form.

Screen Shot 2013-05-11 at 08.19.40

There are many signs the form is illegitimate.

  1. Not a URL.  Though they did try to fool people with the
  2. No USC branding.
  3. None of the links (Change Password? Manage Autoresponder, etc, actually work).

Update: looks like this phish has been around since late last year:  Email Account Phishing: Your Account Is Open in One Other Location