August 23 phishing attack



On August 23, a multi-staged phishing email attack hit the University of Illinois. The first wave of emails included a subject line that read "Payment has been made." People who opened the attachment with that email were infected with malware. That first piece of malware was designed to use the individual's email address book to send the second round of phishing emails.



The second round of phishing emails pretended to have a fax message sent as an attachment. 

The attachment was actually a Word document that attempted to install malware known as TrickBot onto Windows computers.

TrickBot is a "banking Trojan” that tries to steal passwords for various banking websites by injecting malicious DLL files into web browsers.


What you should do if you receive the email

While Technology Services has taken steps to block the further spread of this particular attack, if you receive either of these messages or messages like them in the future, DO NOT OPEN THE ATTACHMENT. Instead, simply delete the email.


What you should do if you opened an attachment

TrickBot is detected and removed by MalwareBytes, and likely by other anti-malware programs as well. Cleaning an infected computer with anti-malware software and rebooting should be sufficient to remove TrickBot.

Once you have removed TrickBot, it is important that you change your passwords for financial instituions, as well as change your University of Illinois passwords.

Anyone who opened the attachment should be aware of the possible compromise of any passwords that were entered during the time since the attachment was opened. Passwords that are stored in any browser may also have been compromised.  In order to be entirely safe, these passwords, particularly banking passwords and University NetID passwords, should be promptly changed. 

IMPORTANT: You must first clean TrickBot off of your computer before you change your password. If TrickBot is still on your computer when you change your password, it will simply steal your new password.

Your University of Illinois password can be changed by visiting and following the instructions there.


Further Assistance

If you need assistance, please contact your local IT support staff or the Technology Services Help Desk at 217-244-7000 or by emailing