Go to the U of M home page

Monday, August 14, 2017

Example 205: ITS Support/Help desk

Fake support message leading to deceptive login page to steal name and password.

Message text:

From: Help Desk Support [mailto: non-UMN.EDU address]
Sent: Monday, August 14, 2017 10:09 AM
To: undisclosed-recipients:
Subject: ITS Support/Help desk

Dear Faculty and Staff,

Important information from Web Access Security Service.

An upgrade was made to the university’s authentication structure. The upgrade was required to prepare systems for compliance with State Security Standards, and the implementation of multi-factor authentication. Now, when you lo-gin. You will be required to enter your Network Username and password into the link that will be provided below.

Due to the upgrade that was made. Your lo-gin page will be changing. However, to avoid loss of your email address and password LOGIN your account now.

Thank you for your cooperation and patience as we take steps to further protect university data.

Thank you,
Division of Information Technology.
Login form:

fake login page aimed at stealing account credentials
fake login page aimed at stealing account credentials
 Things to note:

  • No UMN branding in message or webform
  • Email not from umn.edu address
  • Web form not hosted at a umn.edu site

Wednesday, August 2, 2017

Example 204: Notice ! Notice !!

Fake warning "from" google leads to a well crafted fake google login page

Message Text:

Spam Warning email - attached to PDF containing link to Fake Google login
Spam Warning email - attached to PDF containing link to Fake Google login

Web Form

Fake Google Login page
Fake Google Login page

Filling it out redirects to a REAL Google account login:
Real Google Login - with CORRECT "Google" text font
Real Google Login - with CORRECT "Google" text font

Things to Note:

  • Link not in email text - you have to open a PDF to find link
  • Link is hosted at an advertising website, NOT Google.com
  • Forged login uses an older font for "Google" - real google.com uses a san serif font
  • Filling in the form redirect to a REAL Google login page, with CORRECT font

Monday, July 31, 2017

Example 203: Unrecognized Login Location Alert For xxx@umn.edu

Spoof security alert message aimed at capturing login credentials.

Message Text
Date: 29 Jul 2017 18:27:07 -0400
Subject: Unrecognized Login Location Alert For xxx@umn.edu
To: xxx@umn.edu
From: " E-mail Security Alert" <xxx@xxx.xx.cn
(note: EMAIL From Non-UMN.EDU address!)
for - Account User: xxx@umn.edu 
This is to notify you that someone from an unrecognized location tried logging into your e-Mail (xxx@umn.edu ) few minutes ago. 
Was this done by you? 
For your account security, we strongly recommend that you verify your account now, else you account will be blocked without further notice. 
Click here to Verify your E-mail account now
After verification, extra security features will be activated in your email settings and your account will be safe for use again.
Source: Email Security Team

Things to Note

  • No University of Minnesota text or branding
  • Email source NOT @umn.edu 
  • Personalized report includes recipient email, which is also embedded in the form link (this lets the form come up with your ID already filled in)
  • Form link NOT at UMN.EDU (it was actually on a doggie day care website)
  • Sorry, no picture of the form, which was already removed by the time it was reported

Monday, July 10, 2017

Example 202: umn.edu

Simple message leading to a fake UMN login page on a free web service

Message Text
From: helpdesk>support <xxxxxxx14@gmail.com>Date: Fri, Jul 7, 2017 at 3:31 PMSubject: umn.eduTo: 

Your umn.edu e-mail account have exceed its limit click the below linkhxxp://umn-xxxxxxxx.myfreesites.net/ to re-validate. UMN<help-surport> Thanks
Login Form
Fake UMN login page hosted at freesites.net
Fake UMN login page hosted at freesites.net

Improved version included in some spam messages
Improved version included in some spam messages

Things to note

  • Email sent from a gmail.com email address
  • Some copies sent from compromised UMN.EDU addresses
  • Mild branding with UMN logo, but not hosted at UMN.EDU
  • Web page advertises free web page building service
  • Password entry displays passwords in the clear

Wednesday, June 21, 2017

Example 201: Library Services

Well crafted email directs recipient to a forgery of the UMN login page.


 Dear User,
 This message is to inform you that your access to your library account
 will soon expire. You will have to login to your account to continue to
 have access to the library services.
 You need to reactivate it just by logging in through the following URL. A
 successful login will activate your account and you will be redirected to
 your library profile.

 If you are not able to login, please contact Emily Bonnell at
 enbonnell@umn.edu for immediate assistance.
 Emily Bonnell
 University of Minnesota Libraries
 (612) 624-xxxx


Forged UMN login page - NOT hosted at UMN.EDU
Forged UMN login page - NOT hosted at UMN.EDU

Thing to Note

  • Email comes from a Gmail account, not UMN.EDU
  • "Emily Bonnell" is not a real UMN staff member - the umn.edu email referenced does not exist
  • Forged web page NOT hosted at umn.edu
  • Logging into page redirects to the real login page (or a UMN service page if you ARE logged in)

Tuesday, June 20, 2017

Example 201: Security Updrade Strongly Required

Phish with security warning, going to very good copy of UMN login.


From: Help Desk <compromised user@umn.edu>
Date: Mon, Jun 19, 2017 at 6:20 PM
Subject: Security Updrade Strongly Required
University of Minnesota Account Help Desk  is having a problem with your Account.You will not be able to receive any new emails until you Upgrade your account  to avoid suspension.
Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade below: 
Upgrade <hxxp://xxxxxxxxxx.ru/love.php>
- Identity Management Team
Web Form
Forged MyU login page - hosted at a .com site
Forged MyU login page - hosted at a .com site

Things to Note
  • Email comes from a compromised UMN account
  • URL in email points to a Russian (".ru") URL, but redirects to a .COM site for login
  • Logging into the page redirects to the REAL MyU login page (nearly identical to their fake page)

Tuesday, June 13, 2017

Advisory: Logging into University Google resources.

Note: This is an updated reminder of what logging into Google resources should look like (June, 2017). 

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:

Currently, a REAL Google login should look like this:

Current Google App Login (May 2017)
Current Google App Login (June 2017)

But, be careful. Looking like this is not enough.

(PLEASE note - if you are  already logged in to gmail, following a link to a google doc should NOT present you with a login - you're already logged in.)


  1. You ARE prompted to login to a resource for the University, 
  2. AND you receive the Google prompt,
  3. DO NOT enter your password.
  4. Just present your email address, e.g. internet-id@umn.edu
Like this:
Logging into Google with an @umn.edu account
Logging into Google with an @umn.edu account

If it's legitimate, you may next see:
(You'll see this if Google thinks you have two versions of NAME@umn,edu, Choose "Organizational")
You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

University Login page

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.

(note: We present this post on a regular basis so that it reflects the current user experience for logging into Google resources. When there are updates to the Google or University experience, we will update it. The current version will be linked at http://z.umn.edu/RealLogon)