"Wire Transfer" Phishing Emails
In late May/early June, spam/phishing emails on the theme "Wire Transfer Canceled" began circulating widely around IU.
Some have reported that clicking the link will launch a Java applet. We do not know if this behavior is the same for all emails.
- Workstations (could possibly affect Mac OS X in addition to Windows)
Some have reported that the Exchange Global Address List was hijacked and used to distribute the emails, which is incredibly easy with a compromised account. Much of the time, spammers simply send millions of emails just by guessing email addresses. Other times, email distribution lists (like LISTSERV or IU List) are prime targets.
For general information and remediation, see our blog post: Get an email about a wire transfer?
The UISO also recommends that IT professionals treat the machine of any user who has clicked the link as compromised until they can scan it and prove otherwise. Rebuilding the machine is almost always the safest and most secure recovery option.
Further end-user recommendations can be found at: How to Avoid Phishing Scams
- Get an email about a wire transfer? | Protect IU Blog
- Want to know more about what is happening in those links being sent? Read a write-up from Sophos on the exploit kit: