Dangerous email messages, late October 2020

Hi. We’ve recently seen a rash of dangerous email messages. One of those is a spearphishing attack with a Subject: line something like “Quick question”, claiming (falsely) to be from a real person at MIT and sent from a Gmail address crafted to look similar to that person’s MIT email address. We don’t know what this particular one is about, but often these are designed to get the victim to buy gift cards or other things of value and pass along the information needed to redeem them to the attackers. (They can also be for more dangerous purposes, like stealing confidential information.) These attackers seem to try to move the correspondence from email to text messages when possible (which has the added risk of exposing phone numbers).
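One way to catch the lookalike-sender pattern described above on the receiving side, as an added example that is not part of this notice: compare the From: display name against a staff directory and flag messages where the name matches a real person but the address does not. The directory entries, the trusted-domain list and the sample headers below are constructed for illustration.

```python
# Added example (not part of the CSAIL notice): flag messages whose From:
# display name matches a known person but whose address is not that person's
# institutional address, e.g. a lookalike Gmail account.
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: display name -> real institutional address.
STAFF_DIRECTORY = {
    "Jane Doe": "jdoe@mit.edu",
    "Sam Example": "sexample@csail.mit.edu",
}
# Constructed list of domains the institution actually sends from.
TRUSTED_DOMAINS = ("mit.edu", "csail.mit.edu")


def normalize_name(name):
    # Collapse whitespace and case so "DOE, Jane" and "jane doe" compare alike.
    return " ".join(name.replace(",", " ").split()).casefold()


def is_trusted_domain(addr):
    domain = addr.rpartition("@")[2].casefold()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


def local_part_similarity(a, b):
    # How closely the fake mailbox name mimics the real one (0.0 .. 1.0).
    return SequenceMatcher(None, a.split("@")[0].casefold(),
                           b.split("@")[0].casefold()).ratio()


def check_sender(from_header, directory=STAFF_DIRECTORY):
    """Return (verdict, detail) for the raw value of a From: header."""
    display, addr = parseaddr(from_header)
    if not addr:
        return ("unparseable", from_header)
    wanted = normalize_name(display)
    for name, real_addr in directory.items():
        if normalize_name(name) != wanted:
            continue
        if addr.casefold() == real_addr.casefold():
            return ("ok", addr)
        if is_trusted_domain(addr):
            # Same institution, different mailbox: worth a look, not an alarm.
            return ("review", f"{display} sent from {addr}, expected {real_addr}")
        sim = local_part_similarity(addr, real_addr)
        return ("suspicious", f"display name matches {real_addr} but sender is "
                              f"{addr} (mailbox similarity {sim:.2f})")
    return ("unknown", addr)
```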

Another kind of dangerous email message many at CSAIL have been receiving (often several times a day) is more immediately dangerous. It claims to be some sort of form or document relevant to MIT employment, like a feedback form or a list of employees to be terminated or the like. The link in the message goes to a Google Docs document which tells you to follow links in it which, if followed, prompt you to download and run a Windows malware executable which will presumably infect your PC if you run it. (On some versions of Windows, or with some Windows settings, it’s possible that just clicking the link might download and run the malware. If you’re on a Mac or Linux, or on your phone, and have no way to run Windows software on that machine, you’re probably safe.)

If you follow the link in the initial email you get to a page that looks something like this:

[image: example page]

(See here for a full-sized version of that example.) The details may be different, but the examples we’ve seen have all had a big icon in the middle, some text around it with several links that all go to the same place, a lot of whitespace, and a bogus header.

If you get one of those and you’d like to help us out, there are two things you can do:

[image: reporting abuse]

If you’d like to check in with us, or especially if you think you might have actually run or downloaded the malware these messages are trying to distribute, please send mail to help@csail.mit.edu and we’ll get back to you. (If you don’t need a response and just want to make sure we’ve seen this particular version of the attack, just forwarding it to phishing@csail.mit.edu is fine.)