Thursday, May 24, 2018

Advisory: FBI Releases Article on Building a Digital Defense with Credit Reports

Summary: FBI has released an article on using credit reports to build a digital defense against identity theft.

FBI has released an article on using credit reports to build a digital defense against identity theft. FBI explains how identity theft can deal a devastating blow to consumers' credit history. However, regularly checking the accuracy of credit reports can help consumers minimize risk.
NCCIC encourages consumers to review the FBI Article and NCCIC's Tip on Preventing and Responding to Identity Theft.

Tuesday, May 22, 2018

Advisory: Tragedy-Related Scams

Summary: In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity 

In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity seeking to capitalize on this tragic event. Users should exercise caution in handling emails related to the shooting, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the event.
To avoid becoming a victim of fraudulent activity, NCCIC encourages users and administrators to review NCCIC's Tips on Using Caution With Email Attachments and Avoiding Social Engineering and Phishing Attacks as well as the Federal Trade Commission's article on Before Giving to a Charity.

Thursday, May 3, 2018

Example 219: XXX, Secure Your Email Communication. Now!

Forged (personalized) letter providing link to malicious software.

Message text:

From: UMN Security <umnalert@ xxxx .win>
Date: Thu, May 3, 2018 at 7:22 AM
Subject: XXX, Secure Your Email Communication. Now!
To: xxx  < xxxxx@umn.edu>

Hello Xxx,
As a result of the rising cyber security threat, it has become necessary
that the entire staff and students of this institution download and install
the new Microsoft Email Security Software, *WinMail Defender* in order to 
further protect all our email communications.
*WinMail Defender* is an email security software that adds an extra layer
of security to your email communications. It provides end-to-end email 
encryption, there by making it a lot more difficult for third parties and
other unauthorised parties to access your email communications.
Bernard Gulachek
Vice President and Chief Information Officer,
Regents of the University of Minnesota.

Linked Form

   Email contains a tinyurl.com link which redirects to this page:
webform hosting malicious software link
Things to Note:
  • Email comes from NON @umn.edu address
  • Email subject and letter address recipient by first name
  • Email link goes to a tinyurl.com (not UMN.EDU) link
  • Link redirects to a site123.com page - site123.com is a free website provider
  • Link on form will download malicious software
  • If you downloaded and ran this software, contact your tech support immediately to address possible system compromise. 

Monday, April 30, 2018

Example 218: Attention!!!

Fraudulent email promising ATM card with money from "scam artists."

Message Text:

From: [BOGUS UMN ADDRESS]@umn.edu
Subject: Attention!!!
Date: April 29, 2018 at 16:00:23 CDT
To: Undisclosed recipients:;
Reply-To: < xxxxx xxxx @gmail.com>
This is to inform you that we have been working towards the eradication of fraudsters and scam Artists in America, Europe and Africa with the help of the Organization of African Unity (OAU) United Nations (UN), European Union (EU) and FBI.
We have been able to track down some scam artist in various parts of Europe and African countries which includes (Spain, England, Nigeria, Republic of Benin, Burkina Faso, Ghana and Senegal with Cote d'ivoire)They are all in Government custody now, they will appear at International Criminal Court (ICC) soon for Justice.

During the course of investigation, we were able to recover some funds from these scam
artists and IMF organization have ordered the funds recovered be shared among the 50
Lucky people listed around the World as a compensation and this will be done randomly.
This notice is being directed to you because your email address was found in one of the
scam Artists file and computer hard-disk during investigation may be you have been scammed. 

You are therefore being compensated with sum of ($300,000.00) Three hundred thousand US Dollars valid into an ATM Card which shall be mailed to you .
Since your email address is among the lucky beneficiaries who will receive the compensation funds, we have arranged your payment to be paid to you through ATM VISA CARD and deliver to your postal address with the pin code as to enable you withdrawal maximum of $5,000 on each withdrawal from any Bank ATM Machine of
your choice, until all the funds are exhausted.

The ATM Card with Security Pin number shall be delivered to you via courier Service,
depending your choice.

In order to proceed with this transaction, you will be required to e-mail us with the
following information:
Send your information to Mr. John Ewing via his email
  xxxxxxxxxxxxxx @gmail.com

We advice you to stop all communications with everyone regarding your payment as you
have been short listed to receive the compensation and now urge you to comply and
receive your ATM Card funds. Your cooperation will be highly appreciated and if
you have any further information that will help this investigation and fight against
scam artist. Please do not hesitate to make it available to us.
Thanks for your understanding as you follow instructions while I wait to hear from you soon.
Yours in Services
Mr. John Ewing

  • Mail comes from a non-existent UMN address
  • Mail seeks personal information
  • Mail has no specific details - sounds more like a lottery than a legal notice
  • Mail return address is NOT to @umn.edu, but a gmail.com address
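
The header and link indicators from the notes on Examples 219 and 218, turned into a small triage check. This is an added example, not part of the original page or any University tooling; the sample messages, `sender.example`, the placeholder addresses and the flag names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "umn.edu"        # institution's real mail domain (from the page)
ORG_NAME = "umn"              # assumed token an impostor puts in the display name
SHORTENERS = {"tinyurl.com"}  # shortener seen in Example 219
FREE_HOSTS = {"site123.com"}  # free site builder seen in Example 219

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_org(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def indicators(raw_message):
    """Return the list of warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if not in_org(from_dom):
        flags.append("sender-not-org")
        if ORG_NAME in parseaddr(msg["From"] or "")[0].lower():
            flags.append("display-name-claims-org")
    # A forged From can still read @umn.edu (Example 218); the Reply-To then
    # shows where answers would really go.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s:>]+)", body)}
    if hosts & SHORTENERS:
        flags.append("shortened-link")
    if hosts & FREE_HOSTS:
        flags.append("free-host-link")
    return flags

# Constructed samples modelled on the two messages; addresses are placeholders.
SAMPLE_219 = ("From: UMN Security <umnalert@sender.example>\n"
              "To: user@umn.edu\n"
              "Subject: Secure Your Email Communication. Now!\n\n"
              "Install WinMail Defender: https://tinyurl.com/CONSTRUCTED\n")
SAMPLE_218 = ("From: placeholder@umn.edu\n"
              "Reply-To: <placeholder@gmail.com>\n"
              "To: Undisclosed recipients:;\n"
              "Subject: Attention!!!\n\n"
              "Send your information to Mr. John Ewing via his email\n")
```

Calling `indicators(SAMPLE_219)` and `indicators(SAMPLE_218)` returns the flags for each message; a From header that claims @umn.edu passes the sender check, which is why the Reply-To comparison is kept separate.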

Thursday, April 12, 2018

Example 217: Google Chrome Critical ERROR

This is a scam. Do not call the "Help Desk" number. Research suggests that this scam spreads through malicious ads on web sites, so there might not be any malware or malicious browser plugins to clean up. However, we do recommend that you follow your process to clean up University-owned devices, or run Malwarebytes or another anti-virus program on personal devices.

Tuesday, April 10, 2018

Example 216: Letter From The President Eric W. Kaler.

Forged letter "from" Prez Kaler, with PDF leading to a login form

Message Text:

Dear Staff,
Attached is the employees update document.
\Eric W. Kaler .
University of Minnesota .

Attached PDF with simple HTML link 

simple PDF, delivering a link to a login form

link leads to this forged "Microsoft" web page

clicking "Download" gives this login page

Things to Note:

  • Email sender address NOT from "umn.edu" (and NOT from President Kaler)
  • PDF is nothing but a "link delivery system" - aimed at driving you to a web page
  • Web page NOT at Microsoft OR umn.edu (country code GQ??)

Thursday, March 29, 2018

Advisory: IC3 Issues Alert on Tech Support Fraud

Original release date: March 29, 2018
The Internet Crime Complaint Center (IC3) has released an alert on tech support fraud. Tech support fraud involves criminals claiming to provide technical support to fix problems that don't exist. Their methods include placing calls, sending pop-ups, engaging misleading lock screens, and sending emails to entice users to accept fraudulent tech support services. Users should not give control of their computers or mobile devices to any stranger offering to fix problems.
NCCIC/US-CERT encourages users and administrators to refer to the IC3 Alert and the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for more information. If you believe you are a victim of a tech support scam, file a complaint with the IC3 at www.ic3.gov.

See also:

Omitting the “o” in .com Could Be Costly

Take care when typing a domain name into a browser address bar, because it’s far too easy to fat-finger a key and wind up somewhere you don’t want to go. For example, if you try to visit some of the most popular destinations on the Web but omit the “o” in .com (and type .cm instead), there’s a good chance your browser will be bombarded with malware alerts and other misleading messages — potentially even causing your computer to lock up completely. As it happens, many of these domains appear tied to a marketing company whose CEO is a convicted felon and once self-proclaimed “Spam King.”

Matthew Chambers is a senior security adviser at SecureWorks, an Atlanta-based firm that helps companies defend against and respond to cyberattacks. Earlier this month Chambers penned a post on his personal blog detailing what he found after several users he looks after accidentally mistyped different domains — such as espn[dot]cm. ...