Go to the U of M home page

Thursday, December 31, 2015

Phishing Example 119: DOCS

Received December 2015


From: **Compromised UMN account**
Date: Thu, Dec 31, 2015 at 4:05 AM
Subject: DOCS
To:


3  files named "Confidential Letter" has been shared with you and will be
available in Google Drive, you can access them anytime below
Drive_Statement <hxxp://xxxxxxx.in/u.php>
Google Drive: create, share, and keep all your stuff in one place.
<https://drive.google.com/>


1) Leads to a typical fake Google Drive login: (Not .IN (India) URL)

2) Again this is NOT how Google does logins - they do not use other email services to authenticate:

3) New wrinkle, fake animation for "opening" the drive


(Leads to a PDF with a financial document report - probably nothing you'd be interested in.)


Wednesday, December 9, 2015

Advisory: Legitimate Tech Support Known to Transfer to Scammers

This month we had a report of a customer who contacted the legitimate tech support number listed on the bill for a major Internet service provider. In the course of that call, the support analyst determined that his options for helping the customer had been exhausted and transferred the customer to another support line.

The secondary support (Technicalsupport4u in India) took remote control of the victim's computer, asked for a credit card number and ended up charging $399 (from a bank in Paris) to that credit card. Frighteningly, that "support analyst" called to follow up the next day; although the problems were still not solved, that follow-up call adds to the seeming legitimacy of the scam. When the victim contacted the ISP, they said that they would never do such a thing or charge that much to a credit card. The victim ended up having to cancel that credit card and change bank routing numbers, which is a huge hassle.

We followed up with the security team at the ISP, as it is alarming that while most telephone scams begin with the scammers contacting the victim, in this case the victim contacted a legitimate, trusted service and ended up connected to the scammers. They acknowledged that while their tech support has a list of vetted contacts for other support teams, sometimes the support analyst just Googles for support numbers instead of using the list, and transfers the customer in order to be helpful. They said they would investigate.

Important take away: Constant vigilance! Even if the starting point is trusted, beware transfers to other locations.

Monday, December 7, 2015

Advisory: Seven Steps for Making Identity Protection Part of Your Routine

Posted December 2015, by IRS.GOV


Seven Steps for Making Identity Protection Part of Your Routine

IRS Security Awareness Tax Tip Number 3, December 7, 2015
The theft of your identity, especially personal information such as your name, Social Security number, address and children’s names, can be traumatic and frustrating. In this online era, it’s important to always be on guard. ...
IRS Identity Protection tips
IRS Identity Protection tips


Friday, December 4, 2015

Phishing Example 118: ALERT!!!

Received December 2015

From: "Help Desk"
Date: Dec 4, 2015 7:39 AM
Subject: ALERT!!!
To:
Cc:
Email Account User,
Your UMN account Certificate expired on the 4th-12-2015, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.
To re-new your UMN Certificate, Kindly:
hxxp://umnhelpdeskteam.xxxxxxxx/page/4591274031?preview=Y
account will work as normal after the verification process, and your UMN
Certificate will be re-newed.
Sincerely,UMN Minnesota Help Desk.

Note:
  • NOT hosted at umn.edu ("moonfruit.com," is not a UMN partner!)
  • Modest attempt at branding - does not match UMN login page.
  • May appear to "fail" when filled in, this may *still* expose credentials. If you filled it in, CHANGE YOUR PASSWORD ASAP!

Tuesday, December 1, 2015

Phishing Example 117: Secured Doc from Carlos Abente

Received December 2015

Sent from a compromised UMN account (not Carlos Abente)


Date: Tue, 1 Dec 2015 17:39:47 +0200
Subject: Secured Doc from Carlos Abente
From: Carlos Abente
To: undisclosed-recipients:;

Carlos Abente shared the following PDF:
Secured File Via Google Drive <hxxp://xxxxxxxxxx/lite.htm>
Open <hxxp://xxxxxxxxxx/lite.htm>

Note - this one actually shows the current Google logo:

Takes you to a fake login:

If you fill it in... It takes you to a real Google doc (which you likely have no interest in)



Monday, November 9, 2015

Advisory: Wire Transfer Scams


Most phishing appears to be aimed at stealing email credentials to use for spamming, but occasionally the phishers have a more sophisticated strategy, namely using a stolen account for malicious financial purposes.

Some phishers are looking to hijack accounts they can use to extract payments from University departments - using the account to send requests, sometimes quite insistent, to request fund transfers.

A typical scenario:
  • Victim receives a "shared google document" and "logs in", giving up their ID and password.
  • Phisher researches the victim's email account (by reading their email) to learn more.
  • Phisher notes the victim has a position likely to involve finances.
  • Phisher adds filters to hide messages in folders without landing in victim's inbox.
  • Once the phisher is ready, they use the account to send invoices or other messages to relevant contacts in the victim's mail, requesting money be directed to a bank account they control. Filters divert responses into a folder (or to another email account) so the victim does not see the exchange.
The good news is, we have yet to see this scenario succeed. So far in all cases reported, the requests have been resisted and no money has been reported lost.

Best practices:

  1. Be sure your department has established procedures for all financial transactions, and stick to them.
  2. Treat unusual, hurried and insistent requests with suspicion. "Is this the way Professor Smith normally acts?"
  3. Use other means of communication than email to confirm unusual requests. Make a phone call, or ask in a face-to-face conversation.

Friday, November 6, 2015

Phishing Example 116: Dropbox File

Received November 2015

Notes:
  • Variation on "I've shared a document."
  • Attempts to steal email credentials.
  • The U does not use Dropbox - cloud storage is provided via UMN branded Google.


Subject: Dropbox File

Dropbox
Dear,

This user used Dropbox to share a file with you!

View|Download files
Thanks!
- The Dropbox Team


Link takes you to a page that looks like this:



Filling out page tries to send you to (but fails) a document at Morgan Stanley:


Thursday, November 5, 2015

Advisory: Google Warnings on Suspect Email

GMail may flag phishing mail that is suspect - please pay attention!

Here's an example from a recent phish:

The "Learn more" link will take you to a helpful page full of information about dealing with phishing and spam:


Wednesday, November 4, 2015

Phishing Example 115: Update

Received November 2015

From: help@umn.edu <--NO, NOT REALLY
Date: Wed, Nov 4, 2015 at 5:24 AM
Subject: Update
To:

*92%*

Your MyUMN mail quota is almost full and needs to be updated to unlimited
storage system. To adjust/update, login to MyUMN with your Internet ID and
Password to automatically increase mail quota.

*CLICK MyUMN*

Web Team
HelpDesk: 865.974.9900 or http://help.umn.edu. 
           NOPE - That's the Helpline for a different school (UTK)
© 2014–2015 Regents of the University of Minnesota. All rights reserved.


Very good copy of UMN login page - hosted at "altervista.org??":


Filling in the page sends you TO the University:



   

Tuesday, October 27, 2015

Phishing Example 114: (umn.edu) email quota

Received October 2015

From: Help | IT@UMN
Date: Tue, Oct 27, 2015 at 6:16 AM
Subject: *****SPAM***** (umn.edu) email quota
To:
 
 
Dear umn.edu Account User,



You have exceeded your (umn.edu) email quota, Click on the link below to
re-validate your email account.



hxxp://xxxxxxxxxx.jimdo.com/



Thanks,

Helpdesk - University of Minnesota - (OIT)


Things to note:


  • Better than average branding attempt
  • Uses UMN logo
  • HOSTED AT JIMDO.COM(!)




Thursday, October 15, 2015

Phishing Example 113: Your Application (poisoned attachment scam)

Received October 2015

HOUSTON
Methodist
WEST HOSPITAL


Thank you for your application. At Houston Methodist, we are proud of the talented, knowledgeable and dedicated employees who have helped build our tradition of excellence in health care.
Complete the application form attached. Job description and requirements for the position can be viewed on our website or from Google drive.

hxxps://drive.google.com/open?id=xxxxxxxxxxxxxxxxxx

Regards.
Xxxxxxx Xxxxxxxx
423-###-###
Houston Methodist



    BE AWARE!
This email links to an innocuous looking Google Drive (below), with an application form and "application requirements" file. The requirements file is actually a poisoned .scr file that, on a windows system could install trojan software.

Anyone who opened the Application file should contact their tech support for assistance in determining whether they have been compromised.

Monday, October 12, 2015

Phishing Example 112 (multiple) Pdf ready / Attached review / urgent attachment / Column Page

Received October 2015

  • Multiple subjects sent from compromise UMN accounts - all messages identical
  • Address NOT Google, but a Canadian address


From:
Date: Oct 12, 2015 8:10 AM
Subject: Pdf ready
To:
Cc:

Please kindly find the last page of paper work Uploaded using Google drive
<hxxx//xxxxx.xx.ca/floxy/trophy/auth/view/document> for your review,
please follow the instruction to make view attachment.

Regards


NOTE: Google logo is NOT current:

NOTE: This is NOT STANDARD GOOGLE DRIVE LOGIN 

Wednesday, September 30, 2015

Phishing Example 111: (multiple) Contract page / Heads up pages / Waldo page / Important review

Received September 2015


  • Multiple examples seen, similar body, different subjects. 
  • Same link for all - an Indian (.in) website
  • Page goes to a fake Google login (without current Google logo) and non-standard login



From:
Date: Wed, Sep 30, 2015 at 4:18 PM
Subject: Contract page
To:


Very good, attached please find the last sets of paper work Uploaded using
Google drive <hxxp://xxxxxxxxxxx.in/dss/Hot/page/auth/view/document> in
your final review, and don't forget to follow the instruction, to make a
review.

Kind regards


Wednesday, September 16, 2015

Phishing Example 110: Vital Information

Received September 2015

From:
Date: Wed, Sep 16, 2015 at 10:37 AM
Subject: Vital Information
To:

Hello

I've Shared a secure file Document attached with Google icon

CLICK DOCUMENT

*Regards*



NOTE:

  • Old Google logo
  • Includes non-Google logins (Google doesn't)
  • Hosted at a .IN (India) address

Friday, September 11, 2015

Phishing Example 109: Updated Purchased labor report (et al)

Received September 2015

Multiple subject lines, all going to the same URL

Other subject lines:

  •  FY13 Rates
  • financial report
  • floor replacement

Email message goes to a fake google doc login page

Note out-of-date Google branding

Clicking on the link gives you the choice of logging in with MULTIPLE(!) email accounts?


Note also the website is hosted at an Iranian site (.ir ending) which appears to be hosted in France.

Tuesday, September 8, 2015

Phishing Example 108: Urgent

Received September 2015

From: Bernice Martin
Date: Tue, Sep 8, 2015 at 12:08 PM
Subject: Urgent
To:
g
GGoogle Drive
Bernice uses Google unit to safely share files with you safely!

View - Download files <hxxp://xxxxxxx/XXXXX>

*scan011.pdf           *

*scan012.pdf*

Bernice Martin
Accountant


Note: 
  •    Not a normal Google or UMN login
  •    Login not hosted AT Google.


Phishing Example 107: Scanned Documents

Received September 2015

*From: *Neil Morris <neilhmorris@yahoo.com>
*Date: *September 8, 2015 8:18:20 AM CDT
*Subject: **RE: Scanned Documents*
*Reply-To: *Neil Morris <neilhmorris@yahoo.com>


You have a pending incoming docs shared with you via Dropbox
Click to open: *SECURE MESSAGE
<hxxp://db.vXXXXs.com/R-viewdoc/Re-viewdoc/index.htm>*

I've shared a secured file document attached with Google Drop Box.
.

Notes:

  • The University does not use Dropbox for sharing.
  • The link does NOT go to dropbox.com
  • The link offers multiple non-umn logins
What? This said Dropbox, but shows Google.
That is NOT the UMN Google login.

Ends at some bogus (and out-of-date) document


Friday, August 28, 2015

Advisory: "August 2015 Salary Increase" Scam

This email appears to be from UMN-HR, but it is a scam. Thanks to everyone who recognized and reported this!

From: UMN-HR <employeeresources@umn.edu>
Date: Thu, Aug 27, 2015 at 6:37 AM
Subject: August 2015 Salary As Adjusted



Hello,
We assessed the 2015 salary structure as provided for under the terms of
employment and discovered that
you are due for a salary raise starting August 2015
Your salary raise documents are enclosed below:

Access the documents here <hxxp://nutribetics.ca/umn.edu/Sign-In.htm>

Faithfully
Human Resources
University of Minnesota

Friday, August 7, 2015

Advisory: Phishing Campaign Similar to July 4 Weekend in Progress

In the last couple of days, we have seen a wave of phishing emails with subjects like

School Mail Box Validation
Mailbox Update
Re-Validate Your School Mail Box
CARD AUTHENTICATION

This is the same pattern of phishing that we experienced during the July 4th holiday weekend, documented on this blog.

Please be wary of these emails. They may appear to come from umn.edu accounts. If you see one of these, please forward it to phishing@umn.edu, report it as phishing in Google mail, and delete it.

Thank you for your efforts to protect yourself and others on the University's network!

Monday, August 3, 2015

Phishing Example 106: I've shared an item with you.

Received August 2015

From:
Date: Mon, Aug 3, 2015 at 9:17 AM
Subject: I've shared an item with you.
To:

Hello,

I just shared a document with you using the new Google App. To open this
document, go to hxxp://drive.google.com
<hxxp://e-tuition.net/media/platform>  to view it and sign in with your
email address, as it is stored online.

Note: it's not an attachment, it's a document stored online.                                      
                                                                                                   
Best Regards                                                                                      
--            

Things to Note:


  • NOT the proper Google Drive login.
  • URL redirects to NON-GOOGLE, NON-UMN login.

Phishing Example 105: Subscription Expiration Announcement

Received August 2015

> From: "University of Minnesota" <help@umn.edu> no, not really
> Date: August 1, 2015 at 15:11:18 CDT
> Subject: Subscription Expiration Announcement
> Reply-To: do.not.reply@umn.edu
>
> Dear Subscriber,
> Welcome to your UMN Mail subscription expiration summary from The Office
> of Information Technology (OIT). Simply fill a subscription renewal form
> here;
> hxxp://xxxxxxxxxxxxxxxx/service.php
> © 2015 University of Minnesota. All rights reserved.




Things to note Note:

  • Not hosted at the University.
  • Not branded with UMN info.
  • Fictitious warning "Subscription Expiration" - there isn't any such thing.

Friday, July 24, 2015

Advisory: "Notice to Appear in Court"

Received July 2015

>  From: "State Court"
> Date: July 23, 2015 at 11:07:01 PM CDT
> To:
> Subject: Notice to Appear in Court  
> Reply-To: "State Court"
>
> Notice to Appear,
>
> You have to appear in the Court on the July 31.
> You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
> Note: The case will be heard by the judge in your absence if you do not come.
>
> The Court Notice is attached to this email.
>
> Kind regards,
> Court Secretary.

We've had this scam reported on our network

You can read about such scams at Snopes: http://www.snopes.com/crime/fraud/courtnotice.asp where the verdict is: 
Scam:   Malicious code is loaded onto computers via the e-mailing of fraudulent court appearance notices. 
Typically these have an attached "notice" that contains malicious code - don't open them. If you have any questions, report it to University Information Security at phishing@umn.edu

Wednesday, July 8, 2015

Phishing Example 104: Coordinated Phishing Campaign

Reported July 2015

We are seeing a coordinated set of phishing messages aimed at harvesting information from the University community. Please report any such mail you've received to phishing@umn.edu

If you have entered your login information in such a fraudulent page - change your password immediately. If you have revealed personal or financial information, please refer to https://www.identitytheft.gov/ for steps to secure your information.


First - emails are sent to steal login information:

Subject: School Mail Box Validation
   Date: Wed, 8 Jul 2015 06:55:55 +0100
   From: ctl HELP-DESK

It has been our pleasure to provide you with an [2]umn.edu campus login and
email account in the past. Please be advised that effective 11/07/2015 we will
be deleting accounts whose account has not been validated yet.
 Re-Validate< Click Here>

Please make arrangements to move valued email messages to another email
account before the above date, as all messages will be deleted along with the
accounts at that time if you no longer need it.
Thank you for your attention.


(NOTE some of these come from outside the U, but once they get some accounts this and the rest are sent from UMN accounts, and the forms are hosted at UMN google).


NEXT - Phished login information is used to set up a variety of forms used to steal financial information. Phished accounts are then used to send this email to UMN community members.

From : VISA/MASTER CARD
To :  <undisclosed-recipients:;>
Date : Wed, 08 Jul 2015 01:12:37 -0500
Subject : Visa/Master Card Verification
============ Forwarded message ============
 Dear Esteemed Customer,
 Due to some suspicious activities, we advice you verify your VISA/MASTER CARD details.
 Please click here < Verify >  to verify your card.
 For your safety this link will expire within 6 hours 
 ? Copyright 1996-2015 Visa. All Rights Reserved.

*From:* ctl@umn.edu.RE-VALIDATE 
      (NOTE: ctl@umn.edu is a non-existent UMN address)
*Sent:* Wednesday, July 08, 2015 4:03 AM
*Subject:* Easy Fast And Reliable??

*Internal Revenue Service Record Shows You Are Still Yet To Validate.*
Update your *Internal Revenue* *Record* immediately today,
validation of your identity due to the new health care *Service* and much
benefits.
click here to -  *< Validate >

USA.gov is the U.S. government's official web portal.
*For your protection, this link would expire in six hours*




  

Monday, July 6, 2015

Phishing Example 103: IDENTITY PROTECTION / IDENTITY RE-VALIDATION / Easy Fast And Reliable

received July 2015

WARNING - DO NOT ENTER DATA INTO THIS GOOGLE FORM PURPORTING TO BE FROM THE IRS

Note: This mail is being sent with different subjects:


  • IDENTITY PROTECTION  and
  • IDENTITY RE-VALIDATION
  • Easy Fast And Reliable



From: "ctl@umn.edu.RE-VALIDATE"
                             
NOTE: "ctl" is not a valid UMN account. Some have been sent                 
           "from" *tcf@tcfbank.com.RE-validate* 
           or "isss@umn.edu.re-validate"

Date: July 5, 2015 at 4:50:26 PM PDT
To: undisclosed-recipients:;
Subject: IDENTITY PROTECTION

 You are to update your IRS e-file immediately, To Update -
           < Click Here >
         USA.gov is the U.S. government's official web portal.

  IRS e-file. Since 1990
 ****************************




This is a bogus IRS form; the compromised accounts sending these have closed and are being recovered.

Tuesday, June 2, 2015

Phishing Example 102: I've shared an item with you

Received June 2015

From:
Date: Tue, Jun 2, 2015 at 7:17 AM
Subject: I've shared an item with you.
To:
     
Hello,

I just shared a document with you using Google Drive. To open this
document, go to hxxps://drive.google.com
<hxxp://xxxxxxxxx.com.br/platform/directory>  to view it and sign in
with your email address, as it is stored online.

Note: it's not an attachment, it's a document stored online.

Best Regards


Things to note:


  1. Sent from a compromised UMN account.
  2. Familiar fake Google-login page.
  3. Hosted at a .br (Brazil!) web address.
  4. Review our earlier post to see what logging into a UMN.EDU Google resource really looks like.

Thursday, May 28, 2015

Phishing Example 101: UMN Alert***

Received May 2015

---------- Forwarded message ----------
From: UMN IT Centre <xxxxxxx(at)gmail.com>
Date: Thu, May 28, 2015 at 4:46 AM
Subject: UMN Alert***
To:  
 
This is to notify you that the University of Minnesota received a
terror threat through your email directly to the University.The (IT)
Policy Help Center STRICTLY require your email account verified and
clear you from sending terror threats at the University with the email
system of the University and for an active affiliation with cyber
technology services.

The satellite system network does not show 2015 active university data for
you at this time. You are required to provide the following
information in response to this email for activation and proper
verification and scrutiny:

Internet ID:

Password:

Your email account is scheduled to be deactivated within 24 hours "Non
Compliance "After that time, you will not be able to access your
mail box. Emails sent to your mailbox will be rejected.

© 2015 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.

Things to note:

  • We've seen a number of these simple "email me your password" requests lately - it's an old technique we don't see often - don't fall for it.
  • The U will never use a "gmail.com" address for a security alert.
  • The U will NEVER ask for a password in email.
  • The U probably wouldn't have said "centRe."


Friday, May 22, 2015

Phishing Example 100: IMPORANT FILE

Received May 2015

From:
Date: Thu, May 21, 2015 at 11:17 AM  
Subject: IMPORANT FILE
To:
 
Hello,

Please find document attached through Google drive for your review, kindly sign in to review attachment.

 Click Here <hxxp://www.xxxxxx.com/gaga/auth/view/document> to view attachment

View Online PDF <hxxp://www.xxxxxxxxx.com/gaga/auth/view/document>
Download  word pad <hxxp://www.xxxxxxxx.com/gaga/auth/view/document>
View drive folder <hxxp://www.xxxxxxxxx.com/gaga/auth/view/document>

Download Click Here <hxxp://www.xxxxxxxxxxx.com/gaga/auth/view/document>

Kind Regards
--

Notes:


  • Sent from a compromised umn.edu account.
  • Doesn't go to Google - goes to a hosting .com site
  • Presents multiple login choices - asks for a phone number
  • alternate subjects, "PDF ATTACHED," "Please find pdf file"

Phishing Example 99: UMN Alert***

Received May 2015

From: UMN IT Communications
Sent: Friday, 22 May, 2015 14:35
Subject: UMN Alert***

This is to notify you that the University of Minnesota received a  terror threat through your email directly to the University.The (IT) Policy Help Center STRICTLY require your email account verified and clear you from sending terror threats at the University with the email system of the University and for an active affiliation with cyber technology services.
The satellite system network does not show 2015 active university data for you at this time. You are required to provide the following information in response to this email for activation and proper verification and scrutiny:

Internet ID:
Password:

Your email account is scheduled to be deactivated within 24 hours "Non Compliance "After that time, you will not be able to access your mail box. Emails sent to your mailbox will be rejected.

Note:


  • This purports to be from the U, but has a non-umn.edu return address
  • This expects to receive USERID and Password in an email - The University will NEVER make such a request. 


Wednesday, May 13, 2015

Phishing Example 98: Notification!

Received May 2015

From: Google@UMN <no-reply@umn.edu>
Date: Wed, May 13, 2015 at 8:01 AM
Subject: *****SPAM***** Notification!
To: no-reply@umn.edu


Dear UMN User,

This is an emergency email to inform you that you are to
retrieve your UNM account to avoid blockage of sending and
receiving Mails.

Please Click Here:
hxxp://xxxxxx.wix.com/umn-edu-university

Thanks




Things to note:


  • Mail should be marked as spam in subject line
  • Points users to non-UMN, non-Google link at WIX.COM
  • Warning message accidently says UNM, not UMN.
  • Message forges "from:" as no-reply@umn.edu

Wednesday, May 6, 2015

Phishing Example 97: AWB Tracking Number: 907992****

Received May 2015

From: DHL Worldwide Delivery
Date: Wed, May 6, 2015 at 6:26 AM
Subject: AWB Tracking Number: 907992****
To:

Dear Customer

A Package is coming your way through DHL ....
Track your Business documents as assigned by your supplier To be delivered
to you, till it gets to your delivery address.
Kindly find attached tracking details and confirm if all details are
Correct for instant delivery .

Track Your Package

Notification for shipment event group "Clearance event" for 06th May 2015.
==================================
AWB Number: 907992****
Pickup Date: 2015-05-04 20:08:00
Estimated Delivery Date: 2015-05-10 23:59:00
Service: P
Pieces: 1
Cust. Ref: 530685065
Ship From: Cargo Supplies Ltd
===================================
Track Your Package Here With Your Email and Password
Used To Receive This Notification.

Please do not reply to this email,
This is an automated application used only for sending proactive
notifications.

Regards,
Customer Care
DHL Worldwide Delivery Office ©


Following the link gets you a series of interesting messages:


A warning that you've been "signed out" - but not to worry, click "OK" and you'll see this:


If you look carefully, you'll see the URL is an incomprehensible URL starting with "data:"

Finally, if you fill it out (please don't) you'll wind up back at the REAL dhl.com site:



Monday, May 4, 2015

Phishing Example 96: PLEASE READ!!!

Received May 2015

From:
Date: Sun, May 3, 2015 at 12:16 PM
Subject: PLEASE READ!!!
To:
 
 
Dear User,

The Office of IT Infrastructure has upgraded storage access to increase the
protection of data assets and system performance Click on:
Facultystaffsecured <hxxp://xxxx.ezweb123.com/>
<hxxp://xxxx.ezweb123.com/>to upgrade storage

Things to note:

  • Very simple login form - not UMN branded.
  • Hosted by ezweb123.com, not umn.edu.
  • Sent out by compromised UMN email account.

Friday, May 1, 2015

Advisory: Nepal Earthquake Disaster Email Scams

US-Cert advisory

Nepal Earthquake Disaster Email Scams

US-CERT warns users of potential email scams citing the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after these types of natural disasters.
US-CERT encourages users to take the following measures to protect themselves:
  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
  • Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Wednesday, April 29, 2015

Phishing Example 95: Notice - Message Board

Received April 2015

From: myUMN UMN Service Desk
Date: Tue, Apr 28, 2015 at 7:40 PM
Subject: Notice - Message Board
To:

            [image: MinnesotaGoldenGophers.png]

You have an important message at you Message Board. We could not verify
your Single Sign-On. Did you recently change your..... Update Needed

View this Message
<hxxp://xxxxx.com.au/wp-includes/css/umn/UniversityofMinnesota.html>


Things to note:

  • Examples reported were sent from compromised @umn.edu email accounts.
  • Presents a good copy of the real UMN login page.
  • URL reveals the login page is hosted at a compromised WordPress site in Australia!

Thursday, April 16, 2015

Phishing Example 94: Find PDF Copy (yet another fake document share)

Received April 2015

From:
Date: Thu, Apr 16, 2015 at 11:30 AM
Subject: Find PDF Copy
To:

[image: Spreadsheet]
I've shared an item with you.

          [image: Spreadsheet]Retrieve Document
<hxxp://xxxxxxx.com/view8/instructions/up/index.php>

Google Docs makes it easy to create, store and share online documents,
spreadsheets and presentations.



  • Again - NOT hosted at the University
  • NOT what a real Google Doc login looks like.
  • See http://phishing.it.umn.edu/2015/01/advisory-logging-on-to-university.html
  • Anyone who did reply with their account information should reset their password and account secrets immediately at http://www.umn.edu/myaccount

Wednesday, April 15, 2015

Phishing Example 93: Its Help Desk

Received April 2015

Subject: RE: Its Help Desk

Dear E-mail User.

Your EMAIL ACCOUNT PASSWORD Expires Today, to UPDATE Please Click LOGON
<hxxp://xxxxxxx.wix.com/outlookwebapp> and Follow Instructions.

ADMIN HELP DESK
Connected to Microsoft Exchange
© 2014 Microsoft Corporation. All rights reserved

notes:

  • No UMN branding at all.
  • Hosted at wix.com - not umn.edu.
  • Password displays in clear text.

Important - 

The University DOES mandate passwords be changed at least once a year, and currently DOES send out reminders. Those reminders contain information about this policy AND links to supporting
information.


Tuesday, April 7, 2015

Advisory: FBI Warns of Fake Govt Sites

Krebs on Security posted a reminder of recent FBI announcements:

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.



The FBI advice regarding the fake government sites is good practice for engaging in transactions on the internet - research and review before contacting online services:

Below are some consumer tips when using government services or contacting agencies online:

  • Use search engines or other websites to research the advertised services or person/company you plan to deal with.
  • Search the Internet for any negative feedback or reviews on the government services company, their Web site, their e-mail addresses, telephone numbers, or other searchable identifiers.
  • Research the company policies before completing a transaction.
  • Be cautious when surfing the Internet or responding to advertisements and special offers.
  • Be cautious when dealing with persons/companies from outside the country.
  • Maintain records for all online transactions.
As a consumer, if you suspect you are a victim of an Internet-related crime, you may file a complaint with the FBI’s Internet Crime Complaint Center atwww.IC3.gov.

Also mentioned - hacked sites taking advantage of out-of-date Wordpress installations:


http://www.ic3.gov/media/2015/150407-1.aspx

Saturday, March 21, 2015

Phishing Example 92: Details of Your New Salary Raise

Received March 2015

Note: This is a variation of last week's scam hosted again at cphcph.com


 From: UMN HR
 Date: March 21, 2015 at 16:11:31 GMT+1
 To:  Subject: Details of Your New Salary Raise



 Hello,

 The 2014 salary structure was recently reviewed and it was discovered
 that you are due for a 4.18%

 salary raise on your next paycheck starting March 2015.

 Login below with your credentials to read your salary raise letter.


 Access the documents here xxxxx.com/www.umn.edu/Sign-in.htm



 Faithfully,

Human Resources

University of Minnesota


Thursday, March 19, 2015

Advisory: Notice to Appear in Court (and other lies)

Received March 2015

We've seen an uptick in a phishing spam with a bonus - a nasty attachment!

Below are some examples - other emails claim to be invoices, or package shipment details. Treat these as spam, and delete - the attachments can contain invasive programs that are intended to download malware and infect your computer.

If you've opened one of these attachments, contact your tech support ASAP for assistance. Depending on how invasive the payload is, you may need to reinstall your system!

Beware, and be aware - unexpected email like this is almost certainly fraudulent.


From: District Court
Date: Thu, Mar 19, 2015 at 7:26 AM
Subject: Notice to appear in Court #00000733060
To:

Notice to Appear,

You have to appear in the Court on the March 24.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.

You can review complete details of the Court Notice in the attachment.

Kind regards,
Bob Lewis,
District Clerk.





From: District Court
Date: Sun, Feb 15, 2015 at 3:01 PM
Subject: Notice to appear in Court #00383465
To:

Notice to Appear,

You have to appear in the Court on the February 23.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

The copy of Court Notice is attached to this email.

Kind regards,
Timothy Davenport,
Court Secretary.

Tuesday, March 17, 2015

Phishing Example 91: ITS HELP-DESK

Received March 2015


Subject: ITS HELP-DESK‏‏
Date: Tue, 17 Mar 2015 14:01:54 +0000
From:

All Faulty\Staff Mailbox Message ! 45GB 50GB
 We currently upgraded to Saver to 50GB inbox space. Please log-in to
your user account to validate E-space.
Your emails won't be delivered by our server, unless email account is confirmed.
protecting your email account is our primary concern,
for account update (Web Mail)
click on Outlook Web Access<hxxp://oultloo.jigsy.com/>
should you have any questions please contact the IT Helpdesk.
Copyright ©2015 ITS Help Desk



Things to note


  • Badly constructed form
  • Form hosted at jigsy.com
  • Misspelling on form
  • Passwords show in clear
  • Not UMN branded


Friday, March 13, 2015

Phishing Example 90: Your New Salary As Adjusted

Reported March 2015

From: UMN HR 
Date: Saturday, March 14, 2015
Subject: Your New Salary As Adjusted
To: 

Hello,
The 2014 salary structure was recently reviewed and it was discovered that you are due for a 4.18%
salary raise on your next paycheck starting March 2015.
Login below with your credentials to read your salary raise letter.

  Access the documents here <hxxp://xxxxxx.com/umn.edu/Sign-in.htm>


Faithfully,
Human Resources
University of Minnesota


Things to note:


  • Very good copy of UMN login page
  • URL hosted at  "cphcph.com" - NOT UMN.EDU
  • Duplicate found hosted at "keprc.com" - ALSO, not UMN.EDU
  • Filling form redirects you to UMN.EDU - http://twin-cities.umn.edu/
BE VERY AWARE of login pages and where they are hosted.

Wednesday, March 11, 2015

Phishing Example 89: IMPORTANT NOTICE: Secure Your Mailbox Account

Received March 2015

From: "
Date: Mar 11, 2015 12:48 PM
Subject: IMPORTANT NOTICE: Secure Your Mailbox Account
To:
Cc:

*New ZixCorp secure email message from xxxx@xxxxx.xxx
*Open Message
<hxxps://zixmessagecenter.com/s/e?m=xxxxxxxxxxx>

To view the secure message, click Open Message.

The secure message expires on Mar 25, 2015 @ 05:48 PM (GMT).

Do not reply to this notification message; this message was auto-generated
by the sender's security system. To reply to the sender, click Open Message.

If clicking Open Message does not work, copy and paste the link below into
your Internet browser address bar.
hxxps://zixmessagecenter.com/s/e?

Want to send and receive your secure messages transparently?
Click here <hxxp://www.zixcorp.com/info/zixmail_ZMC> to learn more.


Things to Note:
  • Mail comes from a compromised zixmail user (https://en.wikipedia.org/wiki/Zix_Corp)
  • Mail provides a link to a Weebly run page
  • NONE of the links are hosted on UMN.EDU pages.

Thursday, March 5, 2015

Phishing Example 88: Important account information update

Received March 2015


From: University of Minnesota <xxxxxx@georgetown.edu>
Date: Thu, Mar 5, 2015 at 1:38 PM
Subject: Important account information update
To:

 
*Hello University Members,*
 
You are required to update your University of Minnesota account information
due to recent update in our database. Please follow the link below to
update your account information.
 
University of Minnesota Account Update
<hxxp://xxxxx.es/includes/db/umn/access_web.htm>
 
Regards,

The University of Minnesota

Things to note:

  • URL is NOT from "umn.edu," - it's hosted in Spain.
  • VERY good copy of current login page
  • IF a person fills it out, it redirects to myu.umn.edu and will show you what appears to be the same login page. Users will probably assume they mistyped their password and re-enter it, THEN get a successful login.