
Tuesday, March 20, 2018

Advisory: Facebook Phonies

Fraudulent pages attempt to lure incoming students into fake University Facebook Groups.

Each year as students confirm their enrollment to the University of Minnesota, they receive an official Welcome email that lists next steps—such as reminders to apply for financial aid and housing—and other options to consider before their New Student Orientation in the summer. 
Included in that email is information about a closed Facebook group created by the University of Minnesota that is just for students in the incoming class. The University works to verify that only confirmed freshmen are accepted to the group so that these students can connect with others in their cohort without the distraction of marketing efforts or misrepresentation. 
Students should be aware that an official University of Minnesota Facebook page or group would never:
•    endorse or promote the purchase of commercial products or services that are unaffiliated with the University of Minnesota;
•    ask for personal or student data, such as a student ID, social security number or other personal identification data;
•    solicit payment or purchasing information for any reason through these channels.
As for outside entities, actions are limited when a page clearly identifies itself as unofficial, independently run and unaffiliated with the University. In some circumstances, Off-Campus Living - a unit of the Office for Student Affairs - will join unofficial groups to monitor for and respond to questions within the unit's area of focus. If an applicant has questions about a particular page or group, they are encouraged to contact Orientation & Transition Experiences.

Monday, February 19, 2018

Example 213: Employment

Fraudulent offer of employment from non-existent University Counselor. Likely "money-mule" scam.

Message Text:

From: Dr. John Largen <xxxxx @ gmail.com>
Date: Sun, Feb 18, 2018 at 8:54 PM
See Attached

Attached message:


Things to note:

  • Name in "From:" doesn't match the email address or the message text
  • Department named does not exist
  • Message follows standard "money mule" come-on

What's a money mule?

A money mule is someone recruited by criminals to transfer the profits of their illegal activities. The money may have been stolen directly from another bank account or may be the profits of fraud, drug trafficking, child labour or prostitution. Most of the criminals carrying out this type of crime are located abroad, so a money mule based in the UK is required to transfer the money overseas.
Although some money mules know that they are handling stolen money, criminals also target groups such as university students to unwittingly launder the funds on their behalf.

Monday, February 5, 2018

Example 212: Incoming call from Wireless Caller AM

Bogus email with "voice mail" attachment - aimed at stealing credentials.

Message text:

From: Wireless Caller <Jxxx@xxxxus>
Date: Fri, Feb 2, 2018 at 10:05 AM
Subject: Incoming call from Wireless Caller AM
To: 

You have received a voice mail message from 801-917-7591 for mailbox 2119. Message length is 00:01:59. Message size is 8.3 KB.
attached file "WIRELESS MESSAGE.html"


web form in attached .html file

Clicking "Listen" reveals a "login form"

Things to note:

  • No UMN branding.
  • UMN voice mail is not part of Office 365.
  • IF you filled in your ID/password, change them ASAP!

Wednesday, January 17, 2018

Example 211: myU maintenance

Well-crafted email "from" morris.umn.edu, linked to a forged UMN login site aimed at stealing user ID and password.

Message text
From: University of Minnesota Morris [forged as from Morris]
Date: 2018-01-14 20:17 GMT-06:00
Subject: myU maintenance
To: xxxx@morris.umn.edu

We are carrying out a system upgrade, as a result inactive Student INTERNET IDs and Students mail will be removed from our servers during this Upgrade. All Students are required to go to MyU [link to offshore .GA website] Student portal and click OK to acknowledge your account usage or risk loosing access to University Services.

If you encounter any problems accessing your account and for additional assistance with your  INTERNET ID, please send a mail to ummonestop@morris.umn.edu or call 320-589-6046.

105 Behmler Hall
600 E 4th Street
Morris, MN 56267-2132
8:00 a.m. - 4:30 p.m., Monday-Friday

We apologize for any inconveniences

Thank you.

Please note: IT Service Desk and the system office will never ask you for your password. If you receive any request for your password, please delete it immediately without a reply.

 Web form
Forged UMN Login page - hosted offshore
Things to note:

  • Hidden link in email text for "MyU" goes to a website hosted at a .ga (Gabon) site, NOT umn.edu
  • All contact info in the fake mail IS correct - you can call or email to confirm; if you did you'd learn this was a scam
  • If you ever receive such messages and question them - send them to phishing@umn.edu for our team to investigate

Friday, December 8, 2017

Example 210: Warning Your EMail Will be Shut Down After 24 Hours!

Bogus shutdown warning tied to a PDF linking to a very good copy of Gmail login pages. Note: other subjects were seen, like "Update Notice".


Graphical letter with Google branding warning users they will be shut down
PDF attachment displays form with a link:

PDF attached to warning letter - with link to Brazilian fake Google login

Fake Google login form (hosted in .br, Brazil - NOT google.com)

Good copy of Google login - filling it in redirects to REAL Google login page

Things to Note:

  • No University of Minnesota branding
  • No link in email - you're expected to download and open a PDF
  • PDF contains link to a Brazilian (.br, NOT google.com) login page
  • Fake login site will redirect you to a real Google site.

Tuesday, November 21, 2017

Example 209: Library Notifications

Bogus warning forged as from UMN library - links to a clone of UMN login page via wisc.edu quicklink.

Message text
From: University of Minnesota Libraries <libraries@ umn. co> <<--NOTE "UMN.CO" sender
Date: Tue, Nov 21, 2017 at 7:39 AM
Subject: Library Notifications
To: 

Dear Library User,
Our records show that your access to University of Minnesota Libraries System is about to expire. Due to security precautions established to protect University Libraries System, you have to renew your library account on a regular base, so please use the following link
(Note: this fake link in TEXT, really links to a go.wisc.edu quicklink to a fake UMN login)
After your successful authentication, your access will be restored automatically and you will be redirected to the library homepage. If you are unable to log in, please contact the library help desk for immediate assistance. We apologize for any inconveniences this may have caused.

Thank you,

University of Minnesota Libraries
309 19th Ave S, Minneapolis, MN 55455
libraries@umn.edu  <<---NOTE non-existent "libraries@umn.edu" address
Web Form

Forged UMN login page
Things to Note:

  • Email comes from "umn.co," not "umn.edu" 
  • Displayed URL appears to be a umn.edu address, 
  • BUT goes instead to a wisc.edu URL-shortener service 
  • Final URL includes "umn.edu" but ends in "citt.cf"
  • IF you "logged in" you will be redirected to the UMN library site - if you did this change your password ASAP!

Friday, November 17, 2017

Advisory: Fake "Invoice" and "UPS" notices come bearing malware!

Multiple versions of "Invoice" or UPS delivery notices have been received, linked to malware aimed at stealing financial information.

Example messages:
From: UPS.com <some.name @some.domain.org>
Date: Mon, Nov 13, 2017 at 7:15 AM
Subject: UPS Ship Notification, Tracking Number 0IT41910520287451
You have a parcel coming.
The physical parcel may or may not have actually been tendered to UPS for shipment.
Current status of the delivery is available here.
Scheduled Delivery Date: Monday, 11/13/2017
Shipment Details
From: eBook on Leukemia: Causes, Symptoms & Treatment
Tracking Number: 0IT41910520287451
Number of Packages: 8
Thank you for your business.

From: Some Name < some different email@someplace.com>
Date: Fri, Nov 17, 2017 at 12:02 PM
Subject: Invoice number 00744297 issue
To:

This is your invoice dated 17 Nov 17. If you have questions or concerns, just let me know at 01382 844946.
http://xxxx .yyy/New-invoice-3498177/
Yours Truly,
Some Name

Things to Note:

  • The name in the "From:" field usually does not match the email address
  • In some cases the "sender" name IS known to the recipient (though it is NOT from their email)
  • The URL addresses have been in multiple countries, none of them apparently related to UPS or the purported business
  • Do not download (and open) unexpected "invoices" 
  • If you have downloaded and opened this malware - contact your tech support immediately to assess and determine next steps
  • Report and forward any such mail to phishing@umn.edu