SPEAKER: This is Email Phishing 101, a look at the Java phish that caught many Cornellians by surprise. Phishing is malicious. Fraudulent or "phishing" emails try to trick you into replying with information the sender wants or into visiting a bogus website that automatically downloads malicious software, including viruses.
The end goal is to take control of your computer and accounts so that the criminals can capitalize on any information to which you have access. Your diligence is the best line of defense to prevent information from falling into the wrong hands. Phishing and malicious software have become so sophisticated that, if you aren't careful, your identity can be used to steal Cornell resources. And you may not know until it's too late.
Phishes can be hard to spot. It takes constant diligence not to be tricked. To protect yourself and Cornell, don't click any link in an email, open any attachments, or respond unless you are either expecting the email from someone whom you trust or you have verified the source and are 100% sure the URL is legitimate.
So what made the recent Java phish such a good one? The criminals who created it used real information from a recent security alert sent out by the security office. Let's look at the real email and the phish side by side.
First, notice the subject line is the same. That's because whoever created this phish has discovered our Security Alerts page, and they copied the headline exactly. What's more, they were careful to steal our exact language. They knew it would look and feel legitimate.
They even chose to provide a little bit of context and some words of caution about Kronos and ongoing support. See here where it says "Please note that the Kronos vendor has not yet certified these Java versions." That's right out of our original message.
As a final touch, they signed it with the IT Service Desk name and number, knowing full well that people would relax and think, why would a criminal give me the opportunity to call the Service Desk and potentially ruin their plan? It feels so real, doesn't it? They even spoofed the from address with a real Cornell community member's name and email. But from addresses are really easy to fake, so that doesn't mean anything.
Everything looks legitimate, right? No way it's a trick? Wrong. Take a look at the NetID in the from address. You can look up that person by doing a people search at cornell.edu/search.
Watch for clues it's a fake. In this case, the sender was a student, but the email appears to be from the IT Service Desk. Even if the sender were a member of the Service Desk, the Service Desk would use an official from address to send a message asking you to take action. The Service Desk would never use a personal account. This mismatch is evidence that the sender's NetID has been compromised and emails from this person should not be trusted until after they've changed their password and regained control of their email account.
Also, take a look at the URL. It's totally bogus. Yes, it says itnews.cornell.edu. But that's not all. Look here. The URL continues. After cornell.edu, it says .806157.4tw3.biz. This link isn't going to a website at cornell.edu. It's going to some website somewhere in the world named 4tw3.biz.
The link is a dead giveaway, because the only thing that matters when you are looking at a URL is the domain listed immediately before the first slash. Everything else doesn't matter at all. It can say Cornell, officialcornell, cornell.president, it.cornell, or any other combination of Cornell with other words. And if the cornell.edu is not the last thing before the first slash, then it's not Cornell. It's a fake, and it should be treated with extreme caution.
Hold on. There's one more tricky thing to know. Here, we've created a similar duplicate to that Java phish and we've made the URL look totally legitimate. See? It's it.cornell.edu, with cornell.edu right before the slash. This is another important thing to remember. Even if the URL looks legitimate at first glance, you must, must, must, must hover over the link. Don't click. Just hover for a couple of seconds. And there. You'll see that Outlook will show you the real address underneath.
In this case, it says it.cornell.edu-- all fake-- .123456.trickedyou.biz. So even though it looks real at first glance, it's fake. It's a phish, and it should be treated with extreme caution, preferably deleted immediately.
Hopefully these quick tips will help you to make a habit of scrutinizing your emails, and you'll be better protected. Remember, if you're still unsure about any email, ask someone you trust, like technical support staff, or call the IT Service Desk. This is an official Cornell IT Security Office message. See and report phishing attempts targeting the Cornell community at it.cornell.edu/phishbowl.
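The two checks the speaker walks through, the host that sits right before the first slash and the "hover to see the real address" comparison, as an added Python example that is not part of the Cornell video or of any Cornell tool. The HTML email body is constructed from the two hostile URLs the speaker reads out plus the real phishbowl link; `TRUSTED_DOMAIN` is the only assumed setting.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "cornell.edu"  # the institution's real domain, from the transcript

def host_of(url: str) -> str:
    """Name right before the first slash after the scheme (lowercased)."""
    # .hostname also strips any user@ prefix or :port, so the check cannot be
    # fooled by a trusted-looking name placed ahead of an '@' in the URL.
    if "://" not in url:  # visible link text usually has no scheme
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted_host(host: str) -> bool:
    """cornell.edu itself or a name ending in '.cornell.edu'; nothing else."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list:
    """Programmatic 'hover': (visible text, real host, verdict) for every link."""
    p = _LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        real = host_of(href)  # where the link really goes, not what it shows
        verdict = "ok" if is_trusted_host(real) else "FAKE: really goes to " + real
        out.append((text, real, verdict))
    return out

# Constructed sample modelled on the two hostile URLs quoted in the transcript.
SAMPLE_EMAIL = """
<a href="http://itnews.cornell.edu.806157.4tw3.biz/java">itnews.cornell.edu</a>
<a href="http://it.cornell.edu.123456.trickedyou.biz/java">it.cornell.edu/java</a>
<a href="https://it.cornell.edu/phishbowl">it.cornell.edu/phishbowl</a>
"""
```

`check_links(SAMPLE_EMAIL)` flags the first two links as FAKE, naming 4tw3.biz and trickedyou.biz as the real destinations, and passes only the genuine it.cornell.edu link.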
When just one person in the community falls for an email scam, otherwise known as a phish, the results can be devastating.
Email accounts are hijacked and used to send spam; otherwise secure systems are hacked, putting everyone's confidential information at risk; and university business can experience significant disruptions as countless hours, across departments, are lost responding to the situation.
If our community can learn to spot phishing attempts, we can significantly reduce the risk of Cornell suffering financial loss or damage to its reputation.
See lots of examples of real phishing attempts targeting Cornell at: