The cyberattack is the email about the cyber attack!

Oliver Schoenborn
2 min read · Oct 23, 2020

Today I got an email that seemed to come from my school website. It said the school alumni website got hacked and that next time I sign in, I will have to reset my password. The email contained a link to the alumni site. Nothing too ominous, right? The email didn’t recommend that I change my password now, just “the next time I log in”.

Still, that’s a big warning sign right there: you should be wary of links in emails, let alone links related to account passwords.

I noticed that the alumni website shown in the email had a .com address. Weird: a “.com” site is usually a business. Hovering the mouse pointer over the link in the email showed “https://<alumni-site-name>.us19.list-manage.com/track/…”. Now why the heck would the alumni website admin want to track me going to the site? The plot thickens.

So I went to my web browser and typed the address that was showing in the text of the email (not the list-manage.com address). I have set up our home network to use OpenDNS to resolve web addresses, because it filters out a lot of bad websites, and sure enough, the page that came up said OpenDNS was blocking that address because it had been found to be involved in a phishing attack.

I then looked at the email sender *details*, which in Gmail you get by clicking the down-arrow:

If you don’t pay attention it may seem like this comes from the high school for this alumni group, perhaps from “mnalette”. But look again and you see that the email sender is at qc.ca, which is the Quebec government, and “via utoronto.onmicrosoft.com”. This address does not even exist (I checked). The “from” address is completely forged.

You can also see in the sender details that it was mailed by utoronto.ca, which belongs to the University of Toronto. How would UofT know anything about my high school? Plus, the email is digitally signed for “security” by that onmicrosoft.com domain, which does not exist. Notice that Gmail does not say the signature is valid. When it does, it looks like this, i.e. there is a “security” field that verifies the signed-by is legitimate:

So now you know a few things to verify before clicking on links in emails. Basically, hover over links to see what they *really* point to (not necessarily what the email text shows), and check the sender info.
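Both checks above can be automated over a saved message. The script below is an added example, not part of the original post: it parses a raw email with Python’s standard `email` module, compares the From domain against the Sender, Return-Path and DKIM signing (`d=`) domains, and lists every link whose visible text looks like one address while its `href` points at a different host. The message it inspects is constructed for the example; every domain in it is a placeholder under the reserved `.invalid` TLD, and the heuristics (domain comparisons, text-vs-href mismatch) are assumptions about what “suspicious” means, not a substitute for the mail provider’s own SPF/DKIM/DMARC validation.

```python
"""Heuristic checks for two phishing tells: forged/mismatched sender domains
and links whose visible text does not match where the href really goes."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); all domains are placeholders.
# The display name suggests the school, the address domain differs, the DKIM
# signing domain differs again, and the first link's text and href disagree.
SAMPLE_EMAIL = """\
From: "Alumni Office" <mnalette@example-gov.invalid>
Sender: bulk@example-university.invalid
Return-Path: <bounce-123@example-university.invalid>
DKIM-Signature: v=1; a=rsa-sha256; d=example-tenant.onmicrosoft.invalid; s=selector1;
 h=from:to:subject; bh=AAAA; b=BBBB
Subject: Alumni site security notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please reset your password next time you log in at
<a href="https://alumni-site.us19.list-manage.invalid/track/click?u=abc">
https://alumni.example-school.invalid/login</a>.</p>
<p>Questions? <a href="https://alumni.example-school.invalid/help">Help page</a></p>
</body></html>
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Return (shown_host, real_host) for anchors whose text looks like a URL or
    hostname but whose href resolves to a different host (the 'hover' check)."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        real_host = (urlparse(href).hostname or "").lower()
        # Only judge anchor text that itself looks like an address.
        if "." not in text or " " in text:
            continue
        shown = text if "://" in text else "https://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and shown_host != real_host:
            found.append((shown_host, real_host))
    return found


def sender_findings(msg):
    """Compare the From domain with Sender, Return-Path and the DKIM d= domain."""
    from_dom = domain_of(msg["From"] or "")
    findings = []
    for hdr in ("Sender", "Return-Path"):
        dom = domain_of(msg[hdr] or "")
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    dkim = msg["DKIM-Signature"]
    if not dkim:
        findings.append("no DKIM-Signature header")
        return findings
    tags = dict(t.strip().split("=", 1) for t in str(dkim).split(";") if "=" in t)
    d = tags.get("d", "").strip().lower()
    if d and d != from_dom and not from_dom.endswith("." + d):
        findings.append(f"DKIM signing domain {d} differs from From domain {from_dom}")
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html = msg.get_content() if msg.get_content_type() == "text/html" else ""
    return {"sender": sender_findings(msg), "links": link_mismatches(html)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL)
    for line in result["sender"]:
        print("sender:", line)
    for shown, real in result["links"]:
        print(f"link: text shows {shown} but points to {real}")
```

On the constructed message this reports three sender findings (Sender, Return-Path and DKIM domains all differ from the From domain) and one link mismatch; the “Help page” link is skipped because its text is a label, not an address. Real messages are messier: legitimate bulk mailers commonly sign with a vendor domain and route links through a tracking host, so these findings are a prompt to look closer, exactly as in the story above, rather than a verdict.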
