Students have enough to worry about during finals period, between the finals and papers themselves and remembering to alert ATL when some professor uses the same exam as last year. So why would a school intentionally send students a false email threat during finals week?
Because they have nothing but contempt for their students, of course.
Yesterday afternoon, Fordham students were temporarily terrified to receive an email demanding that they appear in court:
From: Notice to Appear
Date: May 12, 2014, 1:15:15 PM EDT
Subject: Notice to appear in court – docket #6929
Dear Sir or Madame
This notice to appear in court is to advise that you are required to appear at the New York Municipal Court on May 29, 2014 for the hearing of your case.
Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above. Attendance is compulsory.
The copy of the court notice is attached to this letter, please, download and read it thoroughly.
Clerk to the Court, New York Municipal Court, New York.
In fairness, a law student in New York should have been a tad suspicious of the invitation to attend a non-existent court. But who’s thinking at that level of detail when you get an email like this? Certainly not the entire student body of Fordham Law, who freaked the hell out when they got this email. Per a tipster:
Students couldn’t open the attachment on their phones and flooded Fordham Law IT with calls. After searching the sender’s address, I called IT to report spam, thinking that they might want to send a warning around so kids studying for finals wouldn’t freak out, thinking that someone was attempting to serve them. Nonchalantly, the guy told me that the university had sent them out to teach us a lesson about clicking on links. Seriously? Making kids think that someone is trying to sue them during finals week? This is what I’m paying thousands of dollars of tuition for? People are saying on FB that they’ve actually called NY clerk’s office in a panic when they couldn’t read the attachment.
Hey, they should just be happy their IT department is capable of doing anything. When they get out into the real world, they’ll learn that isn’t always the case. So what exactly was that attachment all the phone users couldn’t open?
[Image: the attachment]
Yeah, except the trick to HTML attachment phishing is tricking the user into entering information of some kind. So the students actually had reason to believe they weren’t exposing themselves to a phishing attack just by opening the attached HTML file, which, as a reminder, they were told was not an interactive form, but a copy of a court order.
So Fordham Law’s IT department failed even at trolling its students.
Now that’s the kind of IT department we’re used to.
 Despite the sources linked above, maybe there is now some cutting edge way of using locally stored HTML attachments to attack the computer without any user input (almost assuredly using Java somehow). It doesn’t seem to be prevalent enough to warrant a warning from security blogs, but that doesn’t mean hackers haven’t found a way. Frankly, it’s best to assume hackers are magic. But even if there is such a mechanism, the point remains that given the message from IT, wouldn’t the best “life lesson” be to include a .zip file to maximize the shame the students would feel at being duped? Opening .zip or .exe attachments is a much more prevalent risk, so let’s be realistic. You don’t teach kids to leave a note by suggesting it’ll lead to severed arms.
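The distinction drawn above, between an HTML attachment that only displays text and one that asks for input or carries active content, is something a mail filter or help desk can check before anyone opens the file. The following is an added example, not part of the original post and not Fordham's tooling; the sample attachments, the `triage` function and the `example.invalid` address are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample attachments (not the actual Fordham file).
STATIC = "<html><body><h1>Notice</h1><p>This was a test.</p></body></html>"
FORM = ('<html><body><form action="https://example.invalid/collect">'
        '<input name="user"><input type="password" name="pw"></form></body></html>')

class ActiveContentScanner(HTMLParser):
    """Records the features that let an HTML file do more than show text."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag == "form":
            self.findings.add("form")
        elif tag == "input" and a.get("type", "text").lower() != "hidden":
            is_pw = a.get("type", "").lower() == "password"
            self.findings.add("password-field" if is_pw else "input-field")
        elif tag in ("script", "iframe", "object", "embed", "applet"):
            self.findings.add(tag)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.add("meta-refresh")
        if any(k.startswith("on") for k in a):
            self.findings.add("event-handler")

def sample(html):
    """Build a constructed message carrying `html` as notice.html."""
    m = EmailMessage()
    m["Subject"] = "Constructed sample"
    m.set_content("See attachment.")
    m.add_attachment(html, subtype="html", filename="notice.html")
    return m.as_bytes()

def triage(raw):
    """Map each HTML attachment's filename to a sorted list of findings."""
    report = {}
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            body = part.get_content()
            if isinstance(body, bytes):  # e.g. sent as application/octet-stream
                body = body.decode("utf-8", errors="replace")
            scanner = ActiveContentScanner()
            scanner.feed(body)
            report[name] = sorted(scanner.findings)
    return report

if __name__ == "__main__":
    print(triage(sample(STATIC)), triage(sample(FORM)))
```

An empty findings list means the file is display-only markup; anything else is a reason to quarantine the attachment or render it as plain text.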