Go to the U of M home page

Saturday, November 29, 2014

Phishing Example 78: Urgent Update From Umn.edu

Received November 2014:

From: University of Minnesota <XXXXX@xxxxxxx.edu>
Date: Sat, Nov 29, 2014 at 3:07 PM
Subject: Urgent Update From Umn.edu

*Dear Umn.edu User,*

*Due to the newest upgrade to our database, we have placed your four
incoming mails on pending status .In Order to receive the four new
messages, Click Here
<hxxp://xxxxx.weeklynepal.com/wp-includes/pomo/redirect.php>to login and
wait for response from our email support team.We sincerely apologize for
any inconveniences and appreciate your understanding..Thank you.*

The link takes you to an exact copy of the University's login page, but the URL is false.

Friday, November 21, 2014

Phishing Example 77: Review Documents

Received November 2014:

   ---------- Forwarded message ----------
   Date: Fri, Nov 21, 2014 at 7:53 AM
   Subject: Review Documents
   I want you to see this, its very important. Just CLICK HERE
   <hxxp://ixxxxxxxxxx/language/overrides/index0032.php> and sign in to
   view. The file is too large so I couldn't attach it.

Tricky fake Google page - aimed at harvesting Gmail/AOL/Yahoo or Microsoft passwords:

Double tricky - they look for more info on you:

Hat trick! They send you to an "Art page" since the original email came from an account at an Art museum!

Wednesday, November 12, 2014

Advisory: Payroll Theft Scheme

Novermber 2014

REN-ISAC has released an important advisory regarding payroll theft schemes tied to phishing.

  The advisory notes that several peer institutions have been affected, and is available at


Phishing Example 76: Deceptive Login, Deceptive URL

Discovered November 2014

Here's an example of a very deceptive phishing page we discovered recently.

This page uses a copy of the real University login page. Almost every link on the page goes to the right (i.e. .UMN.EDU based) place, except the part that takes your ID AND PASSWORD! The URL for the page even looks like the real login page - except the ending of the URL adds "lib1.in" to the end.

Be aware of the URL when you click on a link!
Be wary of anything asking for your University ID and password!

Tuesday, November 4, 2014

Phishing Example 75: Admin Help Desk

Received November 2014

Message Text:
   Subject: Admin Help Desk
  Due to technical reasons, we are expanding and upgrading all Mailbox immedi=
   ately. Please CLICK HERE<hxxp://contactme.com/xxxxxxxxx> and=
   fill the form completely. click submit for validation.

Things to note:
  • Odd spelling of words.
  • Clear text password display.
  • No UMN branding.
  • Hosted at "ContactMe.com," not "umn.edu."

Monday, November 3, 2014

Phishing Example 74: Notice

Received November 2014:

Message text:

   From: Webmaster@
   Date: Sun, Nov 2, 2014 at 9:02 PM
   Subject: Notice
   Following security breach on our server. All account owners are to update
   his / her account for upgrade, CLICK or COPY ( xxxxx.webs.com )
   to update your account.
   Technical Support

Things to note:

  • odd anti-filter spellings of "userid" and "password."
  • Passwords display in the clear.
  • Not from umn.edu.
  • Hosted at a commercial web page provider.
  • Page includes a link for "photo albums."