Go to the U of M home page

Thursday, September 21, 2017

Advisory: FTC Releases Alerts on Protecting Against Identity Theft

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/20/2017 04:58 PM EDT

The Federal Trade Commission (FTC) has released two alerts to educate consumers on recommended protections against identity theft after the recent data breach at Equifax. Users should consider placing security freezes with the three major credit reporting agencies: Equifax, Transunion, and Experian. Alternative security recommendations include using fraud alerts and free credit monitoring from Equifax. 
US-CERT encourages users to refer to the FTC alerts on Equifax credit freezes and fraud alerts vs. credit freezes. See the US-CERT Tip on Preventing and Responding to Identity Theft for more information.

Thursday, September 7, 2017

Advisory: Potential Hurricane Harvey Phishing Scams

Reminder from US-CERT that recent disasters will lead to scam "fund-raising" emails.

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/08/2017 01:56 PM EDT

Original release date: September 08, 2017
As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.
To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Tuesday, September 5, 2017

Example 206: Urgent Notice

Fake "warning" leads to forged UMN login page aimed at stealing passwords.

Message text:

From: UMN Admin <noreply@xxx.edu>
Date: Tue, Sep 5, 2017 at 4:52 PM
Subject: Urgent Notice
To all staffs/employees and UMN users, we have observed that there are some
non-active email address in our database recently serving as a loop to
hackers trying to hijack our server. User are advised to CLICK
<hxxp://umn-edu.xxxx.biz/index.html> here to login and validate their email
address and continue with their normal activity as their login information
will not be altered or shared.
If you receive this message as spam, kindly move message to your inbox
before you click. Failure to comply with this demand will be regarded
as non active user and will lead to deletion after 48 hours of
reception of this email.
Sorry for the inconveniences.
Web Form

Fake UMN login hosted at .biz address
Fake UMN login hosted at .biz address

Things to Note:

  • Email forged as coming from a .edu address - but NOT umn.edu
  • Web form hosted at a ".biz" address - NOT umn.edu
  • Filling in the form redirect to the login.umn.edu web page

Monday, August 14, 2017

Example 205: ITS Support/Help desk

Fake support message leading to deceptive login page to steal name and password.

Message text:

From: Help Desk Support [mailto: non-UMN.EDU address]
Sent: Monday, August 14, 2017 10:09 AM
To: undisclosed-recipients:
Subject: ITS Support/Help desk

Dear Faculty and Staff,

Important information from Web Access Security Service.

An upgrade was made to the university’s authentication structure. The upgrade was required to prepare systems for compliance with State Security Standards, and the implementation of multi-factor authentication. Now, when you lo-gin. You will be required to enter your Network Username and password into the link that will be provided below.

Due to the upgrade that was made. Your lo-gin page will be changing. However, to avoid loss of your email address and password LOGIN your account now.

Thank you for your cooperation and patience as we take steps to further protect university data.

Thank you,
Division of Information Technology.
Login form:

fake login page aimed at stealing account credentials
fake login page aimed at stealing account credentials
 Things to note:

  • No UMN branding in message or webform
  • Email not from umn.edu address
  • Web form not hosted at a umn.edu site

Wednesday, August 2, 2017

Example 204: Notice ! Notice !!

Fake warning "from" google leads to a well crafted fake google login page

Message Text:

Spam Warning email - attached to PDF containing link to Fake Google login
Spam Warning email - attached to PDF containing link to Fake Google login

Web Form

Fake Google Login page
Fake Google Login page

Filling it out redirects to a REAL Google account login:
Real Google Login - with CORRECT "Google" text font
Real Google Login - with CORRECT "Google" text font

Things to Note:

  • Link not in email text - you have to open a PDF to find link
  • Link is hosted at an advertising website, NOT Google.com
  • Forged login uses an older font for "Google" - real google.com uses a san serif font
  • Filling in the form redirect to a REAL Google login page, with CORRECT font

Monday, July 31, 2017

Example 203: Unrecognized Login Location Alert For xxx@umn.edu

Spoof security alert message aimed at capturing login credentials.

Message Text
Date: 29 Jul 2017 18:27:07 -0400
Subject: Unrecognized Login Location Alert For xxx@umn.edu
To: xxx@umn.edu
From: " E-mail Security Alert" <xxx@xxx.xx.cn
(note: EMAIL From Non-UMN.EDU address!)
for - Account User: xxx@umn.edu 
This is to notify you that someone from an unrecognized location tried logging into your e-Mail (xxx@umn.edu ) few minutes ago. 
Was this done by you? 
For your account security, we strongly recommend that you verify your account now, else you account will be blocked without further notice. 
Click here to Verify your E-mail account now
After verification, extra security features will be activated in your email settings and your account will be safe for use again.
Source: Email Security Team

Things to Note

  • No University of Minnesota text or branding
  • Email source NOT @umn.edu 
  • Personalized report includes recipient email, which is also embedded in the form link (this lets the form come up with your ID already filled in)
  • Form link NOT at UMN.EDU (it was actually on a doggie day care website)
  • Sorry, no picture of the form, which was already removed by the time it was reported

Monday, July 10, 2017

Example 202: umn.edu

Simple message leading to a fake UMN login page on a free web service

Message Text
From: helpdesk>support <xxxxxxx14@gmail.com>Date: Fri, Jul 7, 2017 at 3:31 PMSubject: umn.eduTo: 

Your umn.edu e-mail account have exceed its limit click the below linkhxxp://umn-xxxxxxxx.myfreesites.net/ to re-validate. UMN<help-surport> Thanks
Login Form
Fake UMN login page hosted at freesites.net
Fake UMN login page hosted at freesites.net

Improved version included in some spam messages
Improved version included in some spam messages

Things to note

  • Email sent from a gmail.com email address
  • Some copies sent from compromised UMN.EDU addresses
  • Mild branding with UMN logo, but not hosted at UMN.EDU
  • Web page advertises free web page building service
  • Password entry displays passwords in the clear