
Monday, December 22, 2014

Phishing Example 81: Faculty And Staff Mailbox Alert.

Received December 2014

(Note: a good example of our inbound process tagging phishing mail as spam; see the subject line.)

---------- Forwarded message ----------
From:
Date: Dec 22, 2014 3:41 AM
Subject: *****SPAM***** *****SPAM***** RE: Faculty And Staff Mailbox Alert.
To:
Cc:


 ------------------------------
*From:*
*Sent:* Monday, December 22, 2014 12:04 AM
*To:*
*Subject:* Faculty And Staff Mailbox Alert.
 
  Your password Will Expire In The Next TWO {2} Days Current Faculty and
Staff Should Please Log On To IT WEBSITE
<hxxp://xxxxx.wix.com/outlook-web-app> To Validate Your E-mail Address
And Password,Or Your E-mail Address Will Be Deactivated.Thank You.

 *ITS help desk*
*ADMIN TEAM*

©Copyright 2014 Microsoft
All Right Reserved.    



Things to note:

  • No UMN branding.
  • Hosted at Wix, a free website builder, not umn.edu.
  • Form displayed password in clear text.
  • Form was littered with ads for Wix.

Friday, December 19, 2014

Advisory: FTC Releases "Package Delivery" Themed Scam Alert

FTC Releases "Package Delivery" Themed Scam Alert

The Federal Trade Commission (FTC) has released a Scam Alert addressing a "Package Delivery" themed phishing campaign regarding package delivery notifications from the U.S. Postal Service.  Scam operators often use false information linked to reputable organizations to imply the email is legitimate.
Users are encouraged to review the FTC Scam Alert for details, and refer to the Recognizing and Avoiding Email Scams publication for information on email scams.


Friday, December 5, 2014

Advisory: Be Wary of "Attached Document" Files

December 2014

We're advised by State of Minnesota IT staff that some alarming fraudulent messages have been received claiming to be from DHS or MNSure. These emails have included attached documents which, if opened, may present a malware infection risk.

It's good practice to question any unexpected email with attachments - particularly if they include scary subjects or content aimed at making you quickly open the attached file. If you receive such unexpected email, take time to question it and use other means (e.g. a phone call, website, or email to a known correspondent) before opening the document.

Thursday, December 4, 2014

Advisory: Be Wary of ‘Order Confirmation’ Emails

Timely warning from Brian Krebs of krebsonsecurity.com :

Be Wary of ‘Order Confirmation’ Emails

If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to click the included link or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities. ...


Wednesday, December 3, 2014

Phishing Example 80: Kindly Review The Attached Document !!!

Received December 2014

From:
Date: Wed, Dec 3, 2014 at 10:07 AM
Subject: Kindly Review The Attached Document !!!
To:


Hello,
   I tried to get these document across to you before. Did you ever get
it?  VIEW HERE <hxxp://xxxx.ir/mm/google> and sign on with your email to
access it as attached on Google.doc, get back to me so we can discuss.
Regards
 

NOTE:


  • Sent from a compromised UMN account - probably to every contact in that user's address book
  • Hosted at a non-UMN site
  • Fake "Google document" login - which also offers logins for other companies' email services - this is NOT how Google Docs/Drive works.


Phishing Example 79: Message from UMN.EDU Email Support


Saturday, November 29, 2014

Phishing Example 78: Urgent Update From Umn.edu

Received November 2014:

From: University of Minnesota <XXXXX@xxxxxxx.edu>
Date: Sat, Nov 29, 2014 at 3:07 PM
Subject: Urgent Update From Umn.edu
To:


*Dear Umn.edu User,*


*Due to the newest upgrade to our database, we have placed your four
incoming mails on pending status .In Order to receive the four new
messages, Click Here
<hxxp://xxxxx.weeklynepal.com/wp-includes/pomo/redirect.php>to login and
wait for response from our email support team.We sincerely apologize for
any inconveniences and appreciate your understanding..Thank you.*


The link takes you to an exact copy of the University's login page, but the URL is false.

Friday, November 21, 2014

Phishing Example 77: Review Documents

Received November 2014:

   ---------- Forwarded message ----------
   From:
   Date: Fri, Nov 21, 2014 at 7:53 AM
   Subject: Review Documents
   To:
   I want you to see this, its very important. Just CLICK HERE
   <hxxp://ixxxxxxxxxx/language/overrides/index0032.php> and sign in to
   view. The file is too large so I couldn't attach it.
   --

Tricky fake Google page - aimed at harvesting Gmail/AOL/Yahoo or Microsoft passwords:



Double tricky - they look for more info on you:


Hat trick! They send you to an "Art page" since the original email came from an account at an Art museum!


Wednesday, November 12, 2014

Advisory: Payroll Theft Scheme

November 2014


REN-ISAC has released an important advisory regarding payroll theft schemes tied to phishing.




  The advisory notes that several peer institutions have been affected, and is available at

        http://www.ren-isac.net/alerts/REN-ISAC_ADVISORY_University_Payroll_Theft_20141112_TLPWHITE.pdf



Phishing Example 76: Deceptive Login, Deceptive URL

Discovered November 2014

Here's an example of a very deceptive phishing page we discovered recently.


This page uses a copy of the real University login page. Almost every link on the page goes to the right (i.e. .UMN.EDU based) place, except the form that takes your ID AND PASSWORD! Even the URL looks like the real login page's, except that "lib1.in" is added to the end of the host name, which means the page is really served from lib1.in, not from umn.edu.

Be aware of the URL when you click on a link!
Be wary of anything asking for your University ID and password!



Tuesday, November 4, 2014

Phishing Example 75: Admin Help Desk

Received November 2014

Message Text:
  From:
   Subject: Admin Help Desk
  Due to technical reasons, we are expanding and upgrading all Mailbox immediately. Please CLICK HERE<hxxp://contactme.com/xxxxxxxxx> and
   fill the form completely. click submit for validation.



Things to note:
  • Odd spelling of words.
  • Clear text password display.
  • No UMN branding.
  • Hosted at "ContactMe.com," not "umn.edu."


Monday, November 3, 2014

Phishing Example 74: Notice

Received November 2014:

Message text:

   From: Webmaster@
   Date: Sun, Nov 2, 2014 at 9:02 PM
   Subject: Notice
   To:
   Following security breach on our server. All account owners are to update
   his / her account for upgrade, CLICK or COPY ( xxxxx.webs.com )
   to update your account.
   Technical Support



Things to note:

  • odd anti-filter spellings of "userid" and "password."
  • Passwords display in the clear.
  • Not from umn.edu.
  • Hosted at a commercial web page provider.
  • Page includes a link for "photo albums."

Friday, October 24, 2014

Phishing Example 73: IT Help Desk Requirement

Received October 2014

Simple spam requesting login credentials via email.

Message text:

   Subject: IT Help Desk Requirement
   Date: Fri, 24 Oct 2014 09:46:08 +0100
   From: IT Help Desk <xxxxxxxx@gmail.com>
   Reply-To: xxxxxxxx@gmail.com
   To: undisclosed-recipients:;
   Hello,
   A shadow server upgrade is been carried out. A bigger and better
   server is been employed to meet with up-to-date information technology
   services. In order to ensure that your files, folders and accessories
   are accurately updated, do endeavor to submit the following info:
   Your Email:
   Your User Login:
   Your User Password:
   If you disregard this instruction, your account would not be updated
   at the completion of this upgrade. This means that your current login
   credentials would be null and void and also note that lost account
   properties may not be recovered after upgrade is completed if you do not
   comply. Do note that during this exercise, your account credentials and
   particulars will not be altered and you will receive a notification to
   change them yourself here after.
   Thank You.
   Help Desk
   Information Technology

Thursday, October 23, 2014

Phishing Example 72: IMPORTANT****** System Admin Team

Received late September 2014:

This very deceptive message linked to a page hosted at a URL that was NOT a umn.edu address, but that included text resembling the umn.edu URLs used for logins.

The URL address was at
                        university-of-minnesota.system-info.info

(Note: this site has since been taken down.) Because the last part of the URL (the path) included what looked like a umn.edu address, it may have seemed legitimate.

BE VERY CAREFUL when visiting any page that requests your UMN credentials - the address of a login page should only BEGIN with
https://*something*.umn.edu/
(Look at the host name, the part immediately after "https://", not at umn.edu-like text that appears later in the address.)


Message text:

From:
Date: Mon, Sep 29, 2014 at 11:46 AM
Subject: IMPORTANT****** System Admin Team
To:

The Technology Team will be performing a Data Center-wide infrastructure
upgrade to protect against phishing. Please Click here
<hxxp://xxxxxxxxxx.xxx.xx.info/idp2.shib.umn.edu/idp/umn/login.html>
​ to complete the upgrade. If in rare case you are unable to click the
link, then you can copy and paste the below link on your browser.​

hxxp://xxxxxxxxxx.xxx.xx.info/idp2.shib.umn.edu/idp/umn/login.html
Some remaining maintenance may still be undergoing for large improvement
updates that will increase our security. To avoid any complication, it
is mandatory you follow the instruction.

*Thanks,*
*UMN System Admin Team*




The login page may have looked like this - similar to, but NOT the same as, the UMN login page:



Thursday, October 16, 2014

ALERT: Ebola Phishing Scams and Malware Campaigns

From US-CERT (https://www.us-cert.gov/ncas/current-activity/2014/10/16/Ebola-Phishing-Scams-and-Malware-Campaigns):

Users are encouraged to use caution when encountering these types of email messages and take the following preventative measures to protect themselves:


  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Refer to the Using Caution with Email Attachments Cyber Security Tip for information on safely handling email attachments.
  • Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip for information on social engineering attacks.


Tuesday, October 7, 2014

Phishing Example 71: ALERT!

Received October 2014

Message text:


   Date: Mon, Oct 6, 2014 at 6:09 PM
   Subject: ALERT!  
   To:
   Attention:
   Please be prepared for all systems to be offline for maintenance tomorrow
   night. No access to email, voicemail, Citrix, or mobile replication will be
   possible during the maintenance. All mailbox is undergoing regeneration to  
   the new Microsoft outlook web access 2014. Inability to activate account
   will render your email in-active. Activate by completing the Microsoft
   outlook web access page. Click on the Re-activation link below to begin
   this process. Process is completed once redirected to Google.
   Re-activation <hxxp://xxxx.xx.xxxxx..com/amd/upd/>
   System Administrator.
   --


Phishing Example 70: IT

Received October 2014

Message Text:

  ---------- Forwarded message ----------
   From: IT HELP-DESK SERVICE.
   Date: Mon, Oct 6, 2014 at 1:33 PM
   Subject: IT
   To:
   We are upgrading Email over the next several weeks We urge all user to
   participate in this upgrade. With the new upgrade, you'll see new features
   and enhancements included.
   GO TO: www.it help-desk /anti-spam <hxxp://xxx.xxx.xxx/> And Submit your
   details for confirmation of account.
   Thanks for your Co-operation.
   IT HELP-DESK SERVICE.



Things to Note:
  • Very simple, unbranded form
  • Clear text password

Wednesday, October 1, 2014

Phishing Example 69: HELP-DESK

Received October 2014

Message text:

  From:
   Date: Wed, Oct 1, 2014 at 9:44 AM
   Subject: RE: HELP-DESK
   To:
   Dear Your Mailbox Account User Your mailbox is full.  
   465MB 500MB
   Current size Maximum size
   Your mailbox can no longer send messages. Please reduce your mailbox
   size. CLICK
   HERE <hxxp://xxxxxxx.tripod.com/> to reduce your mailbox
   size


Things to note:


  • Hosted at tripod.com, not umn.edu
  • Password in clear text


Tuesday, September 23, 2014

Phishing Example 68: Faculty and staff Email notification

Received September 2014

Message text:

   From:
   Date: Tue, Sep 23, 2014 at 11:06 AM
   Subject: Faculty and staff Email notification
   To:
   Dear user,
   We currently upgraded to 15GB space. Please log-in to your account in
   order to validate
   E-space. Your emails won't be delivered by our server, unless email account
   is confirmed.
   Click on Faculty and staff email confirmation
   <hxxp://xxxxxxxx.tripod.com/> to confirm details of your
   email account.
   Note that failure to confirm your email with this notification, would lead
   to dismissal of your
   user account. Protecting your email account is our primary concern.
   This has become necessary to serve you better.
   Copyright ©2014 IT Help Desk.
   The information contained in this transmission contains privileged and
   confidential information. It is intended only for the use of the person
   named above. If you are not the intended recipient, you are hereby notified
   that any review, dissemination, distribution or duplication of this
   communication is strictly prohibited. If you are not the intended
   recipient, please contact the sender by reply email and destroy all copies
   of the original message.
   *CAUTION*: Intended recipients should NOT use email communication for
   emergent or urgent health care matters.


Things to note:
  • Hosted at tripod.com, not umn.edu;
  • Has advertisements(!) on the page;
  • Includes captcha verification;
  • No UMN branding

Monday, September 15, 2014

Phishing Example 67: VALIDATE

Received September 2014

Message text:


   From:
   Date: Mon, Sep 15, 2014 at 11:42 AM
   Subject: VALIDATE
   To:
   Dear UMN users,
   This message was sent automatically by our web server to inform you of the
   current validation of your web-mail account and help protect your account,
   we recommend you follow this link: *hxxp://XXX.lixter.com/  
   <hxxp://XXX.lixter.com/>* to complete the validation process.
   NOTE: Failure to comply may lead to confiscation of account.
   Regards,
   UMN I.T Web-mail Admin.

Things to note:

  • VERY good copy of the University login page - ALL links off of the page go to the appropriate UMN.EDU location.
  • NOT hosted at the University - hosted at "lixter.com"

Wednesday, September 10, 2014

Phishing Example 66: Faculty/Admin/Staff and Student Mailbox

Received September 2014

Message text:

   Subject: RE: Faculty/Admin/Staff and Student Mailbox
   Date: Wed, 10 Sep 2014 11:29:48 +0000
   From:
   To:
   *Staff and Faculty Mailbox Message !*
   495MB
   *500*MB
   *This is to notify all Faculty Members and Staff on the end of year
   Mailbox Quota Cleanup, If you are a staff or faculty member log on to
   your staff and faculty **ACCESS-PAGE
   <w>**to clean up mailbox.*
   *Staff and Faculty Members mailbox quota size increase in progress click
   on**ACCESS-PAGE
   <hxxp://xxx-xxxxx-portal.jigsy.com/>**<hxxp://xxx-xxxxx-portal.jigsy.com/>
   to complete.*
   *Mailbox Sending/Receiving authentication will be disabled at 490MB*
   *ITS help desk*
   *_ADMIN TEAM_*


Things to note:
  • Site hosted at jigsy.com, not umn.edu
  • Advertisement on page
  • Password field not obscured
  • Headings have odd spellings

Monday, September 8, 2014

Phishing Example 65: Sign-in Alerts

Received September 2014


Message text:
From: University of Minnesota Duluth
Date: Mon, Sep 8, 2014 at 8:39 AM
Subject: Sign-in Alerts
To: Recipients
Dear Student/Staff,
We detected a login attempt with valid password to your UMN account from an unrecognized device on Tue, Sep 08, 2014 6:19 PM IST.

Location: India (IP=178.137.239.184)  [note: that IP address is actually in Ukraine, not India.]
Note: The location is based on information from your Internet service or wireless carrier provider.
Was this you? If so, you can disregard the rest of this email.
If this wasn't you, please Kindly CLICK HERE <hxxp://www.123contactform.com/xxxxxxxxx/University-Of-Minnesota-Duluth> to protect your UMN Webmail account information from potential future account compromise:
* Activate second sign-in verification with your Computer * Review your login activity * Re-Validate your account information
To learn how sign-in alerts like this one can help you to protect your account information, please visit IT@UMN <http://it.umn.edu/index.htm> > Help .
Sincerely,
ITS UMN



NOTES:
  • Hosted at 123contactform.com - not umn.edu
  • NOT a secure site
  • Passwords in the clear
  • Odd spellings of common words

Phishing Example 64: Validate Now (also "Validate", "I T Service")

Received September 2014

Message text:

   From: UMN Admin <xxxxxxxxxxxxxxx@york.ac.uk>
   Date: Mon, Sep 8, 2014 at 9:14 AM
   Subject: Validate now
   To:
   Dear umn user,
   validate umn.edu <hxxp://some-home-domain.NOT.UMN.EDU/validate.umn.edu/>


Things to note:

  • Sign in page resembles, but not identical to login page
  • Top bar links and search bar are IMAGES, not active
  • Not hosted at UMN.EDU - tricky use of "validate.umn.edu" at the end of the URL (in the path), but the domain actually serving the page is a ".cc" address.
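The three look-alike URL tricks on this page (Example 76's "lib1.in" appended to the host name, Example 72's umn.edu-looking text in the path, and this example's "validate.umn.edu" at the end of a ".cc" URL) all fail the same test: the only thing that matters is the host name the browser actually connects to. The Python below is an added example written for this page, not code from the University's security team; OUR_DOMAIN, attacker.example and the sample URLs are assumptions modelled on the redacted links above.

```python
from urllib.parse import urlsplit

# Assumption: the institution's own domain. Genuine login pages live under it.
OUR_DOMAIN = "umn.edu"


def check_login_url(url: str) -> tuple:
    """Return (ok, reason) for a URL that asks for University credentials.

    Only the host name the browser will connect to decides: it must be
    OUR_DOMAIN or end in "." + OUR_DOMAIN, and the scheme must be https.
    "umn.edu" appearing somewhere else (later in the host, in the path,
    or in the user-info before an @) proves nothing.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host name"
    if "@" in parts.netloc:
        # https://login.umn.edu@attacker.example/ : text before the @ is
        # user-info; the browser connects to attacker.example.
        return False, "user-info before @ hides the real host (%s)" % host
    if not host.isascii():
        return False, "non-ASCII host name (possible look-alike characters)"
    under_ours = host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)
    if not under_ours:
        if OUR_DOMAIN in host:
            return False, "host merely contains %s: %s" % (OUR_DOMAIN, host)
        if OUR_DOMAIN in parts.path:
            return False, "%s appears only in the path; host is %s" % (OUR_DOMAIN, host)
        return False, "host is %s" % host
    if parts.scheme.lower() != "https":
        return False, "right host but not https"
    return True, "https and host under " + OUR_DOMAIN


# Constructed URLs modelled on the tricks this blog describes (not the
# actual phishing links, which the posts redact).
SAMPLES = [
    "https://login.umn.edu/idp/profile/SAML2/Redirect/SSO",          # genuine shape
    "https://login.umn.edu.lib1.in/",                                # Example 76
    "http://university-of-minnesota.system-info.info/login",         # Example 72
    "http://attacker.example/idp2.shib.umn.edu/idp/umn/login.html",  # Example 72 link
    "https://some-home-domain.example.cc/validate.umn.edu/",         # Example 64
    "https://login.umn.edu@attacker.example/",                       # user-info trick
]


def triage(urls=SAMPLES) -> dict:
    """Map each URL to its (ok, reason) verdict."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in triage().items():
        print("%-5s %-65s %s" % ("OK" if ok else "PHISH", url, why))
```

Only the first sample passes. Note what the check does not do: it cannot tell a genuine umn.edu page that has itself been compromised from a clean one, and it treats any non-ASCII host as suspect rather than attempting to resolve look-alike characters.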


Wednesday, September 3, 2014

Phishing Example 63: Warning Message !!!

Received September 2014

Message text:

  From: Helpdesk Upgrade
   Date: Wed, Sep 3, 2014 at 5:13 AM
   Subject: *****SPAM*****  Warning Message !!!
   To:
   Dear Customer,
   Your *Email *account has exceeded its storage limit as set by
   our Administrator. Please, Re-Validate your account to avoid
   suspension.
   Please click on the link below to Re-Validate your *Email* account Update
   Click here <http://xxxxxxxxx,xxxxxxx,xx/>
   Thanks,
   The webmail account team




Things to note:
  • No University Branding
  • NOT at a University website
  • Tagged as spam by our inbound filter (note the subject line)

Friday, August 29, 2014

Advisory: Beware of Impersonation Fraud


Don't be afraid to question communications that claim to come from "official" sources. A common tactic in phishing and other scams is a claim to be or represent some important official.

Examples:

  • Email from the "help desk" claiming you need to re-authenticate your account. This is a common tactic used to trick people into giving up their Internet ID and password.
  • Phone messages from "Microsoft support" telling you that your computer is infected. This trick usually involves telling the victim that they need to let the caller examine their computer remotely - usually aimed at installing malicious software.
  • Email or text messages telling you that you need to install "special software" to chat with your help desk. Again, the aim of such tactics is to trick you into installing malicious software.

If you receive messages like these, don't be afraid to challenge them. You should be able to confirm official communications through other channels. For technical issues, visit http://it.umn.edu and use the search function to confirm that a caller or email is official. Likewise, the search function on the UMN home page at http://www.umn.edu will help you. (Don't forget about http://search.umn.edu!)

For examples of other common fraud methods, see the FBI's page on Common Fraud Schemes at http://www.fbi.gov/scams-safety/fraud.

Thursday, August 28, 2014

Phishing Example 62: Alert!

Received August 2014

Message text:

   Subject: Alert!
   Date: Wed, 27 Aug 2014 17:29:00 +0100
   From: Admin Center
   To: undisclosed-recipients:;
   Unusual Sign-in Activity,  
   We've detected something unusual about a recent sign-in to your
   umn.edu <http://umn.edu> E-mail account. Hence, to keep you safe; we've
   required an extra security check Via Validation. You might not be able
   to send or receive new mail until you re-validate your mailbox .To
   re-validate your mailbox.-
   *Click Here* <hxxp://xxxxx.webs.com/> Or Open this link:
   *hxxp://xxxxxx.webs.com/ <hxxp://xxxxx.webs.com/>*
   Thanks for your anticipated co-operation,
   Property: Account Security
   Connected to Googlemail  
   © 2014 Microsoft Corporation. All rights reserved.



Things to note:

  • Page is hosted at webs.com - not umn.edu OR google.com
  • Login labels have bizarre misspellings
  • Email message includes "connected to Googlemail," AND "Microsoft?" Which is it?

Thursday, August 21, 2014

Phishing Example 61: Help desk

Received August 2014

Message text:

   Subject: Help desk @umn.edu
   Date: Thu, 21 Aug 2014 19:59:50 +0800
   From: Help Desk University of Minnesota
   To:
   For your security, this admin has safeguarded your account when there is a possibility that someone other than you is
   attempting to sign on. As part of our ongoing commitment to provide the "Best protection to all our student's and sta$
   security" we therefore ask you fill in your online data correctly to update your account. You'll need to update the
   settings on your email account by clicking on this link:hxxp://www.formget.com/xxx/xxxxxx


Notes
  • Looks nothing like the UMN.EDU login page
  • Hosted at "formget.com" a free form provider.
  • Password fields not masked



Tuesday, August 19, 2014

Phishing Example 60: Password Protected Malware!

We've had no reports of this in UMN email (yet), but here's a warning:

While legitimate documents may be sent with a password protected file, it is very unlikely that the mail will CONTAIN the password.

Attackers do this because, if an infected file is inside an encrypted, password-protected archive, virus scanners at the mail gateway cannot open it to detect the infection; only the recipient who types in the password can.


This example comes from blog.appriver.com, which reports:

Early this morning a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, which should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.
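As an added illustration of the filtering point in the AppRiver quote above (example code written for this page, not AppRiver's or the University's), the Python below checks two things a gateway can still see without the password: whether a zip attachment has members flagged as encrypted, and whether the message body hands out the password. The sample body, the statement.zip fixture and the password regex are constructed assumptions; the fixture is built by setting the zip "encrypted" flag bit on a plain archive, because the standard library cannot write encrypted zips.

```python
import io
import re
import zipfile

# Assumed phrasing for a password handed over in the body:
# "password is X", "password: X", "password - X". "password protected"
# alone does not match because the separator is required.
PASSWORD_RE = re.compile(
    r"\bpassword\b\s*(?:is|:|-)\s*[\"']?([A-Za-z0-9!@#$%^&*._-]{4,64})",
    re.IGNORECASE,
)


def password_in_body(body: str):
    """Return the password the message hands the reader, or None."""
    m = PASSWORD_RE.search(body)
    return m.group(1) if m else None


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of archive members whose general-purpose flag bit 0 is set.

    That bit marks the member as encrypted: the central directory (names,
    sizes) is readable, but the content cannot be inflated and scanned
    without the password.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]


def assess(body: str, attachments: dict) -> dict:
    """Flag the 'encrypted archive + password in the body' pattern.

    attachments maps filename -> raw bytes. Only zip containers are handled.
    """
    password = password_in_body(body)
    findings = []
    for name, blob in attachments.items():
        if not blob.startswith(b"PK\x03\x04"):
            continue  # not a zip; other container formats are out of scope here
        try:
            members = encrypted_entries(blob)
        except zipfile.BadZipFile:
            findings.append("%s: unreadable zip" % name)
            continue
        if members:
            findings.append("%s: encrypted members %s" % (name, members))
    quarantine = bool(findings) and password is not None
    return {"password": password, "findings": findings, "quarantine": quarantine}


def make_encrypted_flagged_zip(member: str, payload: bytes) -> bytes:
    """Test fixture only (constructed). Writes a plain archive, then sets flag
    bit 0 in the local file header (flags at offset 6) and in the central
    directory entry (flags at offset 8) so readers treat it as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed sample message in the style of the campaign described above.
SAMPLE_BODY = ("Attached is your daily statement.\n"
               "The archive password is Stmt2014 - please open it today.")
SAMPLE_ATTACHMENTS = {
    "statement.zip": make_encrypted_flagged_zip("statement.exe", b"MZ not really"),
    "notes.txt": b"plain text, ignored",
}


def demo() -> dict:
    return assess(SAMPLE_BODY, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    print(demo())
```

The decision deliberately needs both signals: legitimate senders do ship encrypted archives, and mail bodies do mention passwords, but a message that carries the archive and its password together offers the recipient exactly what the scanner was denied.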

Friday, August 1, 2014

Phishing Example 59: DOCUMENT

Received August 2014:

Message Body:

   From:
   Date: Fri, Aug 1, 2014 at 11:12 AM  
   Subject: DOCUMENTS
   To:
   Hello,
   I shared a document with you. Goto: hxxps://dropbox.com/
   <http://www.xxxxxx.xx/tarifas/pdf/process1.php> and just sign in with your
   email address to view the document.
   Notice: You will need to sign in with your email address to access the
   document.
   Wishes
   Thank you,


Things to note: 
  • Pretends to take you to dropbox
  • Spoofs Google Drive instead
  • Presents bogus login offering what Google doesn't: a list of email providers



If someone fills it in, it takes them to a real (but useless) Google Doc:


Tuesday, July 29, 2014

Security Tip: Clear All Sessions!


How can you tell if someone else has used (or IS using!) your account?

Gmail gives you a tool to answer that question, the "Last Account Activity" control. Even better, you can clear all other sessions, which logs out anyone who has signed in with your password!





Phishing Example 58: Warning

Received July 2014

Message Body:


   Subject: Warning!
      Date: Tue, 29 Jul 2014 05:46:31 -0700
        To: undisclosed-recipients:;
      From: UMN Web Admin
   This is an automatic message by University of Minnesota system to let you
   know that you have to confirm your account information. An Attempt has been
   made to login from a new computer, You might not be able to send or receive
   new mail until you re-validate your mailbox .To re-validate your mailbox.-
   Click Or Open this link to VERIFY your Account:
      http://xxxx-xxx-xxx.com/
 
Thanks for your anticipated co-operation,
   Subscriber! University of Minnesota Customer Care
   Case number: 8949824
   Property: Account Security
   © 2014 Regents of the University of Minnesota. All rights reserved.


Things to note:
  • Attempt to use UMN branding, in message and on web form.
  • Still on a commercial web form provider.
  • Odd language (Pas|WORD for Password) on form.
  • Password shows in clear on form.

Phishing Example 57: Attention

Received July 2014

Message Body:

   Subject: Attention
   Date: Tue, 29 Jul 2014 15:50:12 +0530 (IST)
   From: Webmail Administrator

  Dear eMail User,Your email account is due for upgrade.Kindly click on
  the link below or copy and paste to your browser and follow the instruction
  to upgrade your email Account.
              http://wadministrator.xxxxxx..xxx/webmailtechnicalteam

Our webmail Technical Team will update your account. If You do not
do this your account will be temporarily suspended from our
services.Warning!! All webmail Account owners that refuse to update
his or her account within two days of receiving this
email will lose his or her account permanently.Thank you for your cooperation!
Sincere regards,WEB MAIL ADMINISTRATOR
Copyright @2014 MAIL OFFICE All rights reserved.
   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Things to note:
  • Nothing UMN branded
  • IST (India Standard Time Zone)?
  • Served off of a free web page provider ("make your own" link included on page)



Thursday, July 24, 2014

Phishing Example 56: WEBMAIL DATABASE

Received July 2014

Message text:

From: web Admin
   Date: Thu, Jul 24, 2014 at 9:12 AM
   Subject: WEBMAIL DATABASE
   To: info@webmaster.org
   This is to inform you that we are of current plan to upgrade our
   *WEBMAIL DATABASE* and You have to confirm and upgrade your
   Email account by clicking on the link below:
   *http://xxxxx.webs.com/ <http://xxxx.webs.com/> *
   Regards
   Online Support Team

Notes:
  • Hosted at webs.com, not umn.edu.
  • No UMN.edu branding.
  • Mail "from" webmaster.org? 




Wednesday, July 23, 2014

Phishing Example 55: New Message

Received July 2014

Message text:

   ---------- Forwarded message ----------
   From: University of Minnesota
   Date: Wed, Jul 23, 2014 at 2:22 PM
   Subject: New Message
   To:
   Dear Member,
   You Have 1 New Message
   Click Here To Read
   <http://xxxxx.xxxt.com/openemr/library/classes/umn.edu.htm>
   Regards,
   ©2014 University of Minnesota

Notes:

  • Received from multiple .edu email addresses (not from umn.edu!).
  • Directs to a .com address (NOT umn.edu),
  • Uses a very good copy of the UMN login page.





Tuesday, July 22, 2014

What Are We Doing About Phishing?

On report of phishing attempts – 
  • We block the phisher return email addresses.
  • If a website is used to collect replies, we notify the website administrators that their services are being misused or have been compromised.
  • We block access from the University network to phisher websites.
  • We notify other schools about reported phisher addresses and websites.
  • We work to tune our rules that flag phishing email as spam.
If you or anyone you know receives a phishing email that targets University email ACCOUNTS, REPORT it to
phishing@umn.edu 
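As an added example of the last item (tuning rules that flag phishing as spam), here is a small scoring filter in Python written for this page; it is not the University's actual mail filter. It encodes the tells the examples on this page keep pointing out: a "help desk" sender outside umn.edu, a Reply-To on another domain, undisclosed recipients, links to the free site and form builders seen above (webs.com, tripod.com, wix.com, jigsy.com, 123contactform.com, formget.com, contactme.com, lixter.com), look-alike host names, requests for credentials, and deadlines. OUR_DOMAIN, the weights, the threshold and the three sample messages are assumptions.

```python
import email.utils
import re
from email import message_from_string
from urllib.parse import urlsplit

OUR_DOMAIN = "umn.edu"  # assumption: the institution's mail domain
# Free site/form builders that hosted phishing pages in this blog's examples.
FREE_HOSTS = {"webs.com", "tripod.com", "wix.com", "jigsy.com",
              "123contactform.com", "formget.com", "contactme.com", "lixter.com"}
TAG = "*****SPAM***** "

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
CRED_RE = re.compile(r"\b(password|user ?id|internet id|(?:re-?)?validate|verify|confirm)\b", re.I)
URGENCY_RE = re.compile(r"\b(\d+ ?hours?|\d+ days|deactivated|suspended|disabled|expire[sd]?|immediately)\b", re.I)
AUTHORITY_RE = re.compile(r"help ?desk|admin|support|webmaster|university|umn", re.I)


def _domain(header_value: str) -> str:
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _registrable(host: str) -> str:
    # Two-label approximation; adequate for the .com providers listed above.
    return ".".join(host.lower().split(".")[-2:])


def _under_ours(host: str) -> bool:
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def score_message(raw: str) -> tuple:
    """Return (score, reasons) for a single-part RFC 822 message given as text."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    from_hdr = msg.get("From", "")
    from_dom = _domain(from_hdr)
    display_name, _ = email.utils.parseaddr(from_hdr)
    if AUTHORITY_RE.search(display_name) and not _under_ours(from_dom):
        score += 3
        reasons.append("claims to be IT/admin but sent from %s" % from_dom)

    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append("Reply-To domain %s differs from From" % reply_dom)

    if "undisclosed-recipients" in msg.get("To", "").lower():
        score += 1
        reasons.append("undisclosed recipients")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if _registrable(host) in FREE_HOSTS:
            score += 3
            reasons.append("link to free hosting provider %s" % host)
        elif OUR_DOMAIN in host and not _under_ours(host):
            score += 4
            reasons.append("look-alike host %s" % host)

    if CRED_RE.search(body):
        score += 1
        reasons.append("asks for credentials / validation")
    if URGENCY_RE.search(body):
        score += 1
        reasons.append("deadline or threat of account loss")
    return score, reasons


def tag_subject(raw: str, threshold: int = 5) -> str:
    """Subject line as the inbound filter would rewrite it."""
    subject = message_from_string(raw).get("Subject", "")
    score, _ = score_message(raw)
    return TAG + subject if score >= threshold else subject


# Constructed messages in the style of the examples above (not the originals).
PHISH = """\
From: IT Help Desk <helpdesk.mailer@gmail.example>
Reply-To: reply.box@otherdomain.example
To: undisclosed-recipients:;
Subject: Faculty And Staff Mailbox Alert.

Your password will expire in the next 2 days. Log on to
http://outlook-web-app.webs.com/ to validate your account or it
will be deactivated.
"""

COMPROMISED = """\
From: Some Colleague <colleague@umn.edu>
To: undisclosed-recipients:;
Subject: Review Documents

Just CLICK HERE http://docs-review.jigsy.com/ and sign in with your
password to view. The file is too large so I couldn't attach it.
"""

LEGIT = """\
From: IT Communications <it-comm@umn.edu>
To: staff@umn.edu
Subject: Scheduled maintenance this weekend

Details are posted at https://it.umn.edu/ - no action is needed.
"""

if __name__ == "__main__":
    for raw in (PHISH, COMPROMISED, LEGIT):
        print(tag_subject(raw), score_message(raw))
```

The COMPROMISED sample is the case Example 52 warns about: it really comes from a umn.edu address, so the sender rules contribute nothing and it only just reaches the threshold on the link, credential and recipient rules. Drop any one of those tells and it sails through untagged, which is why a phish sent from a compromised account can arrive without the ***SPAM*** marker.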

Monday, July 21, 2014

Phishing Example 54: Update Alert

Received July 2014

Message Text:

   From:
   Date: Mon, Jul 21, 2014 at 2:37 PM
   Subject: Update Alert
   To:
   You have exceeded your mail.umn.edu quota limit of 500MB and you need
   to expand the mail.umn.edu quota before the next 48 hours. If you have not
   updated your *mail.umn.edu  *account in 2014,
   you must do it now. You can expand to 10GB mail.umn.edu quota limit.
   Click on the link below to upgrade your account:

   https://docs.google.com/forms/d/....xxxxxxxx

   Thanks for your understanding.

Google form used for phish:




Things to notice:

  1. Not branded with standard UMN template
  2. Uses Google forms
  3. INCLUDES Google Form warning not to submit passwords!

Phishing Example 53: Incoming mails noreply@umn.edu

Received July 2014

Message text:
   From:
   Date: Mon, Jul 21, 2014 at 8:23 AM
   Subject: Incoming mails noreply@umn.edu
   To:
   You have a message click on the link hxxp://xxx-xxxx-umn-edu.webs.com/
   to read




Notes:

All these factors should tip you off - this is NOT really from the University.

  1. Modest attempt at UMN branding
  2. Tricky addition of "noreply@umn.edu" to the subject, not the from line.
  3. Hosted at "webs.com" free website provider
  4. Misspelled "Internat ID"
  5. Misspelled "Pascsword"
  6. Shows the password in the clear

Friday, July 18, 2014

Phishing Example 52: I've shared an item with you.

Received July 2014.

This has been sent from a compromised umn.edu account (or accounts), so you may not see the tag ***SPAM*** in the subject line.


Message body:

   Subject: I've shared an item with you.
   From:
   To: undisclosed-recipients:;
   *Sent:* Friday, July 18, 2014 12:59 PM
   *Subject:* I've shared an item with you.
   Hello,
   I just shared a document with you using Google Drive. All you have to do is
   go to https://drive.google.com <http://xxx.xxxxx.com/platform/index.htm> to
   view it and sign in with your email address, as it is stored online.
   Note: it's not an attachment, it's a document stored online
   Best Regards


This is what the link takes you to, but it is NOT how a real Google doc will prompt you for your login.
Google docs do not ask you to use Yahoo, Windows or AOL logins:


If you "login" you will be directed to a bogus doc that is in Google.  However your credentials will be in the phisher's hands, and your account will be sending spam (probably just like this one).


If you, or someone you know entered an ID and password in this, change that password immediately!

Thursday, July 17, 2014

Reminder: Avoid tech support phone scams

We've recently had a number of reports on campus of people receiving calls from "technical support" (often "Microsoft Technical Support") alerting users to supposed problems with their computers.  If you receive such a call - don't fall for them.  Check with your technical support or help@umn.edu if you have any doubts.

The word from Microsoft:

Avoid tech support phone scams
Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:
  • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Convince you to visit legitimate websites (like www.ammyy.com) to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.
Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
See also the Snopes.com page (http://www.snopes.com/fraud/telephone/microsoft.asp) about such scams.

Monday, July 7, 2014

Phishing Example 51: Your mailbox has been temporally suspended

Received July 2014

From:
   Date: Mon, Jul 7, 2014 at 10:21 AM
   Subject: Your mailbox has been temporally suspended
   To:
   --

      [ NO text in the message ]

   Download ADMIN.docx
   application/vnd.openxmlformats-officedocument.wordprocessingml.document 10.6k

The attachment, if you opened it (please don't):


The link in the document takes you to:



A *very* generic login which looks nothing at all like the real deal:

Note: Looks can be deceiving. Some phishers (happily, not many) do copy the UMN login page and present you with a very convincing counterfeit. As always, double (triple!) check the URL when being asked to log into a UMN web page.


Wednesday, July 2, 2014

Phishing Example 50: Webmail Verification

Received July 2014

 From:
   Date: Wed, Jul 2, 2014 at 12:42 PM
   Subject: RE: Webmail Verification
   To:
   *Dear mailbox user,*
   *Your Email Account have been violated, unsuspicious activities was
   noticed in your email account and your account will be disabled shortly.*
   *you are required to verify your email account to prevent your email
   account from being disabled. click on our ITS-SUPPORT
   <http://xxxxxxxxx.tripod.com/>*
   <http://xxxxxxxxx.tripod.com/>*to fill out the necessary
   information to secure and verify your account*
   *Additional Info Staff,Student and Faculty Members Only.* *Click on
   Staff and Faculty ACCESS-PAGE <http://xxxxxxxxxx.tripod.com/>*
   *IMPORTANT NOTE**:* *Your account will be disabled if not verified within
   the next 24hours**.*
   *ITS help desk **ADMIN TEAM*
   *©Copyright 2014 Microsoft*


Nope, no UMN branding, advertisements... AND hosted at tripod.com?




Phishing Example 49: Administrative Notice!!!

Very old school - a request for you to email your name and password (please don't!).

Received July 2014
Message body:


  > From: Help Desk
   > Subject: Administrative Notice!!!
   > Date: 2 July 2014 at 10:38:19 CDT
   > To:
   > Reply-To:
   >
   > Help Desk
   >
   > Attention Account User,
   >
   > Scheduled Maintenance & Upgrade
   >
   > Your account is in the process of being upgraded to a newest
   > Windows-based servers and an enhanced online email interface inline with
   > internet infrastructure Maintenance. The new
   > servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile    
   >devices to enhance your   usage.
   >
   > To ensure that your account is not disrupted but active during and after this upgrade, you are
   > required to kindly confirm your account by stating the details below:
   >
   > * Domain\user name:
   > * Password:
   >
   > This will prompt the upgrade of your account.
   >
   > Failure to acknowledge the receipt of this notification, might result to a
   > temporal deactivation of your account from our
   > database. Your account shall remain active upon your confirmation of your login details.
   >
   > We do apologize for any inconvenience caused.
   >
   > Sincerely,
   >
   > Your Customer Care Team
   >
   >
   > (c) Copyright 2014, All Rights Reserved.
   

Phishing Example 48: System Notifications/Account Closure

Received July 2014

Message body:

   From: UMD Email - Support
   Date: Wed, Jul 2, 2014 at 1:10 AM
   Subject: System Notifications/Account Closure
   To:
   Dear University of Minnesota Duluth Webmail User
   We hereby announce to you that your email account has exceeded its
   storage limit. You will be unable to send and receive mails and your
   email account will be deleted from our server. To avoid this problem,
   you are advised to verify your email account by clicking on the link
   below.
   CLICK HERE <http://xxxxxxxxxxxxxxx/upgrade.php>
   Failure to comply will result to permanent termination of your email account
   Thank you.
   © 2014 Regents of the University of Minnesota Duluth . All rights reserved.
   The University of Minnesota is an equal opportunity educator and employer
   The Webmail Management Team



Notes:
  • very simple, unbranded form
  • does hide the password when entered
  • not from a ...umn.edu/ URL

Tuesday, July 1, 2014

Welcome To The New Blog! Same As The Old Blog!


We've moved!

With the end of the http://blog.lib.umn.edu/ support, we've moved the UMN Phishing blog to Blogger!

You should find all the past posts here - and new ones as we have more examples of phishers targeting our UMN community.


Phishing Example 47: Library Account

Here's a reminder to question unexpected warnings and double-check that supposed "official" login pages are REALLY hosted at UMN.EDU locations.
Received June 2014:
An email is being seen that points at what LOOKS like a UMN URL but actually goes offshore:
From: Library 
Date: Thu, Jun 26, 2014 at 8:47 AM
Subject: *****SPAM***** Library Account
To:
Dear User,
Your library account has expired, therefore you must reactivate it
immediately or it will be closed automatically. If you intend to use this
service in the future, you must take action at once!
To reactivate your account, simply visit the following page and login wilth
your library account.
Login Page:
xxxxxxxxxxxxxxxxxx
Sincerely,
University of Minnesota Libraries
499 Wilson Library
309 19th Avenue South
Minneapolis, Minnesota 55455
(612) 624-3321 (voice)
(612) 626-9353 (fax)



---
The link goes to a copy of the UMN login page on an offshore website and claims to "reactivate" your account.
This is dangerous because the phishers copied our real login page: the counterfeit looks identical to, and behaves like, the real login page, then puts up a fake "reactivation message" with a link to the UMN library system:
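The advice in Example 47 above, and in the note under Example 51, is to check that a login URL is really hosted under umn.edu. The following is an added example (it is not the blog's or UMN's own tooling) that shows how such a check is done programmatically, and why eyeballing a URL is not enough: the browser connects to the hostname it parses out of the URL, not to whatever familiar name happens to appear somewhere in the string. All hostnames in the sample message are constructed placeholders using the reserved .invalid domain; umn.edu, wix.com and tripod.com are the names that appear on this page.

```python
"""Classify the links in a message by the host a browser would really visit.

Added example for this blog, not UMN's tooling. The sample message and the
.invalid hostnames are constructed placeholders, not addresses from any real
campaign.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# The domain the blog tells readers to look for on a UMN login page.
TRUSTED_DOMAIN = "umn.edu"

# Free site hosts that the examples on this page were served from
# (wix.com in Example 81, tripod.com in Example 50). Assumption: any login
# link pointing there is suspect.
FREE_HOSTING = {"wix.com", "tripod.com"}

# Find http(s) URLs; stop at whitespace and at the <> and * characters that
# wrap links in the quoted messages above.
URL_RE = re.compile(r"https?://[^\s<>\"'*]+", re.IGNORECASE)

# Constructed sample in the style of Example 47 (placeholder hosts only).
SAMPLE_MESSAGE = """Dear User,
To reactivate your account, visit <https://login.umn.edu.phish-host.invalid/reactivate>
or use our ITS-SUPPORT page <http://xxxxxxxxx.tripod.com/>.
The real page is https://login.umn.edu/ (listed here for comparison).
"""


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host the browser would connect to, or None.

    urlsplit().hostname discards any user@ prefix and :port suffix, so a
    trusted name placed in front of an @ does not count as the host.
    """
    try:
        return urlsplit(url).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None


def is_subdomain_of(host: str, domain: str) -> bool:
    """True only if host equals domain or ends in '.domain' on a label boundary."""
    host = host.rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> str:
    """Return 'umn', 'free-hosting', 'lookalike', 'offsite' or 'unparseable'."""
    host = hostname_of(url)
    if not host:
        return "unparseable"
    if is_subdomain_of(host, TRUSTED_DOMAIN):
        return "umn"
    if any(is_subdomain_of(host, free) for free in FREE_HOSTING):
        return "free-hosting"
    # The trusted name appears in the URL (userinfo, a leading label of some
    # other host, or the path) but the real host is something else.
    if TRUSTED_DOMAIN in url.lower():
        return "lookalike"
    return "offsite"


def flag_links(message: str) -> list:
    """Return [(url, verdict), ...] for every URL found in the message text."""
    return [(url, classify_url(url)) for url in URL_RE.findall(message)]


if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_MESSAGE):
        print(f"{verdict:13} {url}")
```

Only the "umn" verdict means the host is actually under umn.edu; a URL that merely contains "umn.edu" somewhere else is reported as a lookalike, which is exactly the case Example 47 warns about.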