← Back to News List

Phishing Alert: "Received AWB Documents via WeTransfer"

A "File Transfer" Phishing Campaign

The Division of Information Technology( DOIT) recently received reports of a ‘file transfer’ phishing campaign. Below is an example of this phishing email. We removed the To field for privacy purposes.


To: <CampusID>@umbc.edu

Date:21 Sep 2021 03:43:00 -0400

From:"Wetransfer" <offices@mekre-net.uno>

Subject: <CampusID>@umbc.edu Received PO-20210921GL via WeTransfer




<CampusID>@umbc.edu

You have received a PO-20210921GL  files via Wetransfer

1 files, 1.74 MB in total · Will be deleted on 22 Sept  2021





Download link 

https:/wetranster,com/ downloads/ 7fa32f92e5e6536721c0c454c64efb520180304192959/ 6c03cb9a8f23fd6c89dac4d8c16a09220180304193000/184ee46



1 file

PO-20210921GL.pdf

1.74MB





To make sure our emails arrive, please add noreply@wetransfer.com to your contacts.

 

sent by wetransfersupport.wetransfer.com

 

About WeTransfer    -   Help   -    Legal   -   Report this transfer as spam



This example originated from <offices@mekre-net.uno>; however, there are several more senders: 


If you receive a similar email, please forward it immediately to: security@umbc.edu along with the headers.


At first glance, the download link seems to originate from Wetransfer.com, however if you look closely, there is a comma between Wetransfer and com: 

https:/wetranster,com/ downloads/ 7fa32f92e5e6536721c0c454c64efb520180304192959/ 6c03cb9a8f23fd6c89dac4d8c16a09220180304193000/184ee46


Another flaw in the link is that copying the link address will take you to a completely different domain, https://firebasestorage.googleapis.com. Below is the full link and its website.




This format is similar to a previous phishing email. However, the background is different, and the link takes you directly to https://firebasestorage.googleapis.com and asks you to log in.


If you have received this email, please DO NOT CLICK on the link. However, if you have clicked on the link, DO NOT ENTER your password. If you entered your UMBC password, immediatelyCHANGE your password.



If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.


______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.


Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Tags:

Posted: September 28, 2021, 7:19 PM