Internet Skeptic Blog

Posted by: Bob Bayn on Dec 10, 2015

Library Phish Uses Copy of USU Login Page

Overnight (Dec 9-10, 2015) we received a fake account expiration email notice for the USU Library. The recipient is instructed to go to what looks like a Library login link that goes instead to a fake copy of the USU Login Page.

From: Access Services Manager <Library.Help@usu.edu>
Date: December 10, 2015 at 12:46:58 AM MST
To:
Subject: Merrill-Cazier Library
Dear User,

Your access to your library account is expiring soon due to inactivity. To continue to have access to the library services, you must reactivate your account. For this purpose, click the web address below or copy and paste it into your web browser. A successful login will activate your account and you will be redirected to your library profile.

hxxp://dist.lib.usu.edu/iii/cas/login&service=httpsFlibcat.lib.usu.eduFpatroninfo~S1FIIITICKET&scope=1/

If you are not able to login, please contact Access Services Manager at Library.Help@usu.edu for immediate assistance.

Sincerely,

Access Services Manager
Access & Delivery Services
Merrill-Cazier Library
Utah State University
(435) 797-2678

What you can't see here is that the link that appears to point to dist.lib.usu.edu actually goes somewhere else. The phishing spammer has installed an altered copy of the USU Login Page on that other server. If you enter your A-Number and Password on that altered page, it sends your USU credentials to the spammer and then redirects you to the USU Library homepage, so nothing looks wrong. The only clue to the mischief is the Web Address (URL) that your browser shows you for that fake page. We have highlighted that clue in the screenshot below:

During the investigation of this phish, we learned that the spammer's web server also hosts fake login pages for about a dozen other universities. The spammer is probably interested in getting access to licensed databases from the various libraries for resale to customers (probably in other countries) in violation of the licensing terms and fees that USU has agreed to. But the spammer may also realize that any A-Numbers and passwords he collects can be used for other purposes, ranging from accessing USU email accounts and VPN services to changing Direct Deposit information in Banner.

Once again, it pays to be an Internet Skeptic and to use the Skeptical Hover Technique!