Phishing (email-based password stealing)
What is it?
Phishing is an attempt to acquire information such as usernames, passwords, and credit or payment card details by masquerading as a trustworthy entity in an electronic communication.
These emails are sometimes produced by sophisticated criminal enterprises. Phishing mails can be very convincing, especially when a specific person is targeted. Do not be fooled by personal information appearing in such mails (your full name, your role at the institute, etc.).
However, there is a rule of thumb which, if followed, is sufficient to protect you from every phishing attempt that has ever happened at the institute.
The only Rule.
Never ever ever enter your institute password on a web page whose server name does not end with cbs.mpg.de.
That's it. Everything that follows is just clarification.
Some safe example URLs:
Some unsafe example URLs:
Hints:
- Using your institute password for an account on another website breaks the one and only rule! This includes Google, Microsoft, Apple, etc.
- The server name of a URL (e.g. https://some.server.de/...) is the part between the second and the third / symbol (some.server.de in this case).
- Do not be fooled by the layout of a web site; only the URL counts. Copying e.g. the layout of our mail server is very easy; this is a basic principle of the world wide web.
- Try to switch your email program to "text only" view. This way you will instantly see the target addresses of links and spot attacks more easily.
- Your browser might hide the real URL from you. Try to find a setting that shows the full URL and enable it.
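The rule and the hints above, as an added example that is not part of the original page: a small JavaScript helper that extracts the server name the way a browser does (with the standard `URL` parser, which also strips `user@` prefixes and `:port` suffixes) and applies the rule to it. It also reproduces what the "text only" view reveals, namely a link whose visible text names a different server than the one it really opens. It is stricter than a plain "ends with" text match in one respect, noted in the code. The function names, the sample links and the `.example` domains are constructed for this illustration; `cbs.mpg.de` is the only value taken from the page.

```javascript
// Added example, not code from the original page. Applies the page's
// "only rule" (server name must end with cbs.mpg.de) to URLs the way a
// browser parses them, and flags links whose visible text pretends to be
// a different address than the one they actually open. Runs in Node.js
// or a browser console; the sample URLs below are constructed.
const INSTITUTE_DOMAIN = "cbs.mpg.de"; // the only domain the rule allows

// Server name = the part between the second and third "/" of an absolute
// URL. The WHATWG URL parser strips "user:pass@" prefixes and ":port"
// suffixes, so a trick like "https://cbs.mpg.de@evil.example/" resolves
// to the real host, evil.example.
function serverName(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (err) {
    return null; // not an absolute URL a browser could open
  }
}

// True only for the institute domain itself or one of its subdomains.
// The comparison is made on a label boundary (".cbs.mpg.de") rather than
// a bare endsWith(), so a hostname such as "fakecbs.mpg.de" is rejected
// even though it ends in the same characters. Non-web schemes such as
// mailto: have an empty hostname and are rejected as well.
function isInstituteServer(urlString) {
  const host = serverName(urlString);
  if (host === null || host === "") return false;
  return host === INSTITUTE_DOMAIN || host.endsWith("." + INSTITUTE_DOMAIN);
}

// A link in an HTML mail has two parts: the address it opens (href) and
// the text the reader sees. "Text only" view shows the href; this helper
// reproduces that check and reports why a link must not get a password.
function linkVerdict(href, visibleText) {
  const target = serverName(href);
  if (target === null) {
    return { safeForPassword: false, reason: "target is not a web address" };
  }
  // If the visible text itself looks like a URL, its server name must be
  // the one the link really opens; otherwise the link is disguised.
  const shown = serverName(visibleText.trim());
  if (shown !== null && shown !== target) {
    return { safeForPassword: false,
             reason: `link text shows ${shown} but opens ${target}` };
  }
  if (!isInstituteServer(href)) {
    return { safeForPassword: false,
             reason: `server ${target} is not under ${INSTITUTE_DOMAIN}` };
  }
  return { safeForPassword: true,
           reason: `server ${target} is under ${INSTITUTE_DOMAIN}` };
}

// Constructed sample links (not taken from real phishing mails).
const SAMPLE_LINKS = [
  ["https://webmail.cbs.mpg.de/zimbra/", "Webmail"],
  ["https://cbs.mpg.de.account-check.example/login", "https://cbs.mpg.de"],
  ["https://evil.example/cbs.mpg.de/verify", "Verify your account"],
  ["https://cbs.mpg.de@evil.example/", "https://cbs.mpg.de@evil.example/"],
  ["https://fakecbs.mpg.de/", "Mail"],
];

if (typeof require !== "undefined" && require.main === module) {
  for (const [href, text] of SAMPLE_LINKS) {
    const v = linkVerdict(href, text);
    console.log(`${v.safeForPassword ? "OK  " : "STOP"} ${href}: ${v.reason}`);
  }
}
```

Only the first sample link is accepted; the other four each show one of the tricks from the hints: the institute name placed in front of a foreign domain, the institute name hidden in the path, the `@` trick, and a look-alike name that merely ends in the same characters.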
Additional tips
- IT will never send pressuring messages that include text like "act now!", "otherwise we will delete your account", "last warning!", etc.
- IT will never ask for confidential data of employees (your birthday, your password, ...).
- Whenever you follow a link in an email and are asked for your password, follow the rule of thumb above.
Some example phishing mails we collected over the years
Example 1
From: "Webmail Administrator" <webtech.services@techie.com>
Sent: Thursday, 30 August, 2012 3:09:12 AM
Subject: INFORMATION ON OUR E-MAIL SERVICES
Attention Webmail Account User,
We are in the process of upgrading all of our webmail servers as part of
our ongoing efforts to give you the best webmail service possible. You
have almost exceeded your webmail storage quota. To avoid account
deactivation, please kindly click on the link below to verify and update
your webmail account.
Link to phishing form (in this case just the screenshot)
Please endeavor to respond to this email providing all required
information correctly within the next 48 hours to prevent account
deactivation.
These measures are part of our security policies and we sincerely
apologize for any inconveniences caused.
Web-mail Systems Administrator.
Example 2
From: Max-Planck-Institute <upgrade@mpg.de>
Subject: SPAM Email Disturbance
We have received many complaints about spam emails recently. In view of
the current situation, we have to protect our customers and prevent such
disruptions and annoyance spreading further. As a reliable Internet
Service Provider, it is our corporate responsibility to control the
problem of spam affecting our users.We have upgraded our database system
against this spam and virus attack,all customer are to update his/her
account within the next 48 hours.You are to update your account
information with the below link to avoid account disability.
Link to phishing form (in this case just the screenshot)
Thank you and we apologize for the inconvenience.
Max-Planck-Institut Technical Support
--
This message has been scanned for viruses and other dangerous content by MailScanner,
and is believed to be clean.
For all your IT requirements visit: http://www.transtec.co.uk
Example 3
From: Mail Administrator <admin@mpg.de>
Subject: Account Maintenance Process
We are currently carrying-out a maintenance process in your Email Account.
To complete this, you will have to reply to this mail immediately and use
the link below to validate your account against spy-ware and Spam Mails.
http://mailadministrator.phpforms.net/view_forms/view/e46f994493
This process will help us to fight against Spam Mails. Failure to update
your Account in the above link, will render your email address in-active
from our database.
Thank you and we apologize for the inconvenience.
Max Planck Institute Mail Administrator
--
This message has been scanned for viruses and other dangerous content by MailScanner,
and is believed to be clean. For all your IT requirements visit:
http://www.transtec.co.uk
Example 4
From: "Help Desk" <donnagrilley@srt.com>
Sent: Wednesday, June 5, 2013 10:17:24 PM
Subject: LAST WARNING!!!
You Have Exceeded Your Email Quota limit of 450MB and you are advice to Upgrade your email account with the link below or your email account will be close down.
Link to phishing form (in this case already suspended)
Thank you for using our web-mail
Example 5
From: Zimbra WebClient <internetaccessadmins@cbs.mpg.de>
Subject: Quota Warning
Dear Zimbra User Account
Your Zimbra mailbox has exceeded the quota / limit set by the Zimbra team, and you may not be able to send or receive new emails until you reconfirm your Zimbra mailbox. To re-validate, please click here to verify your account.
Failure to verify could lead to termination of your email account.
Zimbra Webmail Administration
Copyright © 2005-2016 Zimbra, Inc
Caution: The link in this mail points to a website that copies the layout of our mail server's web frontend! Although it looks familiar, it is a fake. Note the wrong URL!
See also