
Wednesday, January 17, 2018

Example 211: myU maintenance

Well crafted email "from" morris.umn.edu, linked to forged UMN login site aimed at stealing user id and password.

Message text
From: University of Minnesota Morris [forged as from Morris]
Date: 2018-01-14 20:17 GMT-06:00
Subject: myU maintenance
To: xxxx@morris.umn.edu

We are carrying out a system upgrade, as a result inactive Student INTERNET IDs and Students mail will be removed from our servers during this Upgrade. All Students are required to go to MyU [link to offshore .GA website] Student portal and click OK to acknowledge your account usage or risk loosing access to University Services.

If you encounter any problems accessing your account and for additional assistance with your  INTERNET ID, please send a mail to ummonestop@morris.umn.edu or call 320-589-6046.

105 Behmler Hall
600 E 4th Street
Morris, MN 56267-2132
8:00 a.m. - 4:30 p.m., Monday-Friday

We apologize for any inconveniences

Thank you.

Please note: IT Service Desk and the system office will never ask you for your password. If you receive any request for your password, please delete it immediately without a reply.

 Web form
Forged UMN Login page - hosted offshore
Things to note:

  • Hidden link in email text for "MyU" goes to a website hosted at a .ga (Gabon) site, NOT umn.edu
  • All contact info in the fake mail IS correct - you can call or email to confirm; if you did you'd learn this was a scam
  • If you ever receive such messages and question them - send them to phishing@umn.edu for our team to investigate

Friday, December 8, 2017

Example 210: Warning Your EMail Will be Shut Down After 24 Hours!

Bogus shutdown warning tied to a PDF linking to a very good copy of Gmail login pages. Note: other subjects were seen, like "Update Notice".


Graphical letter with Google branding warning users they will be shut down
PDF attachment displays form with a link:

PDF attached to warning letter - with link to Brazilian fake Google login

Fake Google login form (hosted in .br, Brazil - NOT google.com)

Good copy of Google login - filling it in redirects to REAL Google login page

Things to Note:

  • No University of Minnesota branding
  • No link in email - you're expected to download and open a PDF
  • PDF contains link to a Brazilian (.br, NOT google.com) login page
  • Fake login site will redirect you to a real Google site.

Tuesday, November 21, 2017

Example 209: Library Notifications

Bogus warning forged as from UMN library - links to a clone of UMN login page via wisc.edu quicklink.

Message text
From: University of Minnesota Libraries <libraries@ umn. co> <<--NOTE "UMN.CO" sender
Date: Tue, Nov 21, 2017 at 7:39 AM
Subject: Library Notifications
To:

Dear Library User,
Our records show that your access to University of Minnesota Libraries System is about to expire. Due to security precautions established to protect University Libraries System, you have to renew your library account on a regular base, so please use the following link
(Note: this fake link in TEXT, really links to a go.wisc.edu quicklink to a fake UMN login)
After your successful authentication, your access will be restored automatically and you will be redirected to the library homepage. If you are unable to log in, please contact the library help desk for immediate assistance. We apologize for any inconveniences this may have caused.

Thank you,

University of Minnesota Libraries
309 19th Ave S, Minneapolis, MN 55455
libraries@umn.edu  <<---NOTE non-existent "libraries@umn.edu" address
Web Form

Forged UMN login page
Things to Note:

  • Email comes from "umn.co," not "umn.edu" 
  • Displayed URL appears to be a umn.edu address, 
  • BUT goes instead to a wisc.edu URL-shortener service 
  • Final URL includes "umn.edu" but ends in "citt.cf"
  • IF you "logged in" you will be redirected to the UMN library site - if you did this change your password ASAP!
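The sender and link checks listed above can be automated. The following Python is an added example, not part of the original advisory: the function names are hypothetical, the sample URLs are constructed with placeholder hosts, and the sender address is the one shown in the message above. It also covers the case where "umn.edu" appears only in the URL path.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "umn.edu"  # assumption: genuine login pages live under this domain

def in_domain(host, domain=TRUSTED):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_sender(from_header, brand="university of minnesota"):
    """Flag a From: header whose display name claims the brand but whose address is elsewhere."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    if brand in name.lower() and not in_domain(host):
        return [f"display name claims UMN but address domain is {host!r}"]
    return []

def check_link(display_text, href):
    """Compare what the reader sees with the host the link really goes to."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    if in_domain(host):
        return []
    findings = []
    if TRUSTED in display_text.lower():
        findings.append(f"text shows {TRUSTED} but link goes to {host!r}")
    if TRUSTED in host:
        findings.append(f"{TRUSTED} appears inside {host!r}, which is not under it")
    if TRUSTED in parts.path.lower():
        findings.append(f"{TRUSTED} appears only in the path on host {host!r}")
    return findings

# Constructed samples modelled on the examples on this page (hosts are placeholders).
SAMPLES = [
    ("https://www.umn.edu/renew", "https://go.wisc.edu/xxxxxx"),  # shortener behind umn.edu text
    ("Click Here", "http://login.umn.edu.phish.example/idp/"),    # umn.edu as a host prefix
    ("Click Here", "http://news.example/login.umn.edu/"),         # umn.edu only in the path
    ("MyU", "https://login.umn.edu/idp/"),                        # host really under umn.edu
]

if __name__ == "__main__":
    print(check_sender("University of Minnesota Libraries <libraries@umn.co>"))
    for text, href in SAMPLES:
        print(href, "->", check_link(text, href) or "host is under umn.edu")
```

The comparison is on the parsed hostname's suffix, never on a substring of the whole URL, which is why the last three samples are told apart correctly.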

Friday, November 17, 2017

Advisory: Fake "Invoice" and "UPS" notices come bearing malware!

Multiple versions of "Invoice" or UPS delivery notices have been received, linked to malware aimed at stealing financial information.

Example messages:
From: UPS.com <some.name @some.domain.org>
Date: Mon, Nov 13, 2017 at 7:15 AM
Subject: UPS Ship Notification, Tracking Number 0IT41910520287451
You have a parcel coming.
The physical parcel may or may not have actually been tendered to UPS for shipment.
Current status of the delivery is available here.
Scheduled Delivery Date: Monday, 11/13/2017
Shipment Details
From: eBook on Leukemia: Causes, Symptoms & Treatment
Tracking Number: 0IT41910520287451
Number of Packages: 8
Thank you for your business.

From: Some Name < some different email@someplace.com>
Date: Fri, Nov 17, 2017 at 12:02 PM
Subject: Invoice number 00744297 issue
To:

This is your invoice dated 17 Nov 17. If you have questions or concerns, just let me know at 01382 844946.
http://xxxx .yyy/New-invoice-3498177/
Yours Truly,
Some Name

Things to Note:

  • The name in the "From:" field usually does not match the email address
  • In some cases the "sender" name IS known to the recipient (though it is NOT from their email)
  • The URL addresses have been in multiple countries, none of them apparently related to UPS or the purported business
  • Do not download (and open) unexpected "invoices" 
  • If you have downloaded and opened this malware - contact your tech support immediately to assess and determine next steps
  • Report and forward any such mail to phishing@umn.edu

Friday, October 20, 2017

Example 208: [ATTENTION REQUIRED] University of Minnesota Employee Organizational Internal Communications

Forged mail "from" President Kaler, with a PDF that leads to a fake login page aimed at stealing passwords.

Message Text:

Date:Fri, 20 Oct 2017 15:45:47 +0000
From:"Theresa" <txxxxx@xxxxxx>
Subject:FW:[ATTENTION REQUIRED] University of Minnesota Employee Organizational Internal Communications
Dear Colleagues,
Integrity has long been a hallmark of our success. It characterizes everything we do. In fact, when we talk about the core values of our company, we start with integrity. Integrity means being straight forward, honest, and transparent in our professional and business relationships. This means doing what we say and saying what we do.
Each of us makes a wide range of business and ethical decisions every day in the execution of our responsibilities on behalf of University of Minnesota. We are fully committed to ensuring that such decisions comply with the letter and spirit of the law and are ethically above reproach.
This Code of Ethics and Business Conduct is a guide to making the best possible decision in situations affecting your fellow employees or our shareholders, customers, and partners, as well as the communities in which we live and work. In simple terms, our Code contains the guidelines we must all follow to do business the only way we should: the right way.

NOTE: It is fundamentally Urgent that all staffs read attached.

University of Minnesota
202 Morrill Hall l 100 Church Street S.E. l Minneapolis l MN l 55455 l USA
Email: upres@umn.edu l Website: www.umn.edu
Phone: 612-626-1616 l Fax: 612-625-3875

PDF content:

PDF with link to fake document

Web Form

Web form to get document - with login to steal credentials
Things to Note:

  • Letter forged as "from the President."
  • Email delivers a very simple PDF which has one purpose - a link to a login page.
  • Login page WILL deliver an innocuous PDF of  a "code of ethics."
  • Anyone who filled in the form should immediately change their password.

Monday, October 2, 2017

Example 207: You have an Important message to review

Fake health message email directs to a forged UMN login site in Russia

Message Text:

 From: UMN - Health Care <xxxx @ Some-other-school.edu>
 Subject: You have an Important message to review
 Date: October 2, 2017 at 1:58:48 PM CDT
 You have an important Health message from University of Minnesota Health Center. Click  Here
      hxxp:// news-xxxxx.ru/login.umn.edu/
  authentication is required to read this message
  We apologize for any inconvenience.
 Thank You.. 
 Allen Brianna
 Health Care Center
 University of Minnesota
Login Form:

Russian hosted forged umn login site

Things to Note:

Thursday, September 21, 2017

Advisory: FTC Releases Alerts on Protecting Against Identity Theft

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/20/2017 04:58 PM EDT

The Federal Trade Commission (FTC) has released two alerts to educate consumers on recommended protections against identity theft after the recent data breach at Equifax. Users should consider placing security freezes with the three major credit reporting agencies: Equifax, Transunion, and Experian. Alternative security recommendations include using fraud alerts and free credit monitoring from Equifax. 
US-CERT encourages users to refer to the FTC alerts on Equifax credit freezes and fraud alerts vs. credit freezes. See the US-CERT Tip on Preventing and Responding to Identity Theft for more information.