
Thursday, May 28, 2015

Phishing Example 101: UMN Alert***

Received May 2015

---------- Forwarded message ----------
From: UMN IT Centre <xxxxxxx(at)gmail.com>
Date: Thu, May 28, 2015 at 4:46 AM
Subject: UMN Alert***
To:  
 
This is to notify you that the University of Minnesota received a
terror threat through your email directly to the University.The (IT)
Policy Help Center STRICTLY require your email account verified and
clear you from sending terror threats at the University with the email
system of the University and for an active affiliation with cyber
technology services.

The satellite system network does not show 2015 active university data for
you at this time. You are required to provide the following
information in response to this email for activation and proper
verification and scrutiny:

Internet ID:

Password:

Your email account is scheduled to be deactivated within 24 hours "Non
Compliance "After that time, you will not be able to access your
mail box. Emails sent to your mailbox will be rejected.

© 2015 Regents of the University of Minnesota. All rights reserved.
The University of Minnesota is an equal opportunity educator and employer.

Things to note:

  • We've seen a number of these simple "email me your password" requests lately - it's an old technique we don't see often - don't fall for it.
  • The U will never use a "gmail.com" address for a security alert.
  • The U will NEVER ask for a password in email.
  • The U probably wouldn't have said "centRe."


Friday, May 22, 2015

Phishing Example 100: IMPORANT FILE

Received May 2015

From:
Date: Thu, May 21, 2015 at 11:17 AM  
Subject: IMPORANT FILE
To:
 
Hello,

Please find document attached through Google drive for your review, kindly sign in to review attachment.

 Click Here <hxxp://www.xxxxxx.com/gaga/auth/view/document> to view attachment

View Online PDF <hxxp://www.xxxxxxxxx.com/gaga/auth/view/document>
Download  word pad <hxxp://www.xxxxxxxx.com/gaga/auth/view/document>
View drive folder <hxxp://www.xxxxxxxxx.com/gaga/auth/view/document>

Download Click Here <hxxp://www.xxxxxxxxxxx.com/gaga/auth/view/document>

Kind Regards
--

Notes:


  • Sent from a compromised umn.edu account.
  • Doesn't go to Google - goes to a hosting .com site.
  • Presents multiple login choices - asks for a phone number.
  • Alternate subjects: "PDF ATTACHED," "Please find pdf file."

Phishing Example 99: UMN Alert***

Received May 2015

From: UMN IT Communications
Sent: Friday, 22 May, 2015 14:35
Subject: UMN Alert***

This is to notify you that the University of Minnesota received a  terror threat through your email directly to the University.The (IT) Policy Help Center STRICTLY require your email account verified and clear you from sending terror threats at the University with the email system of the University and for an active affiliation with cyber technology services.
The satellite system network does not show 2015 active university data for you at this time. You are required to provide the following information in response to this email for activation and proper verification and scrutiny:

Internet ID:
Password:

Your email account is scheduled to be deactivated within 24 hours "Non Compliance "After that time, you will not be able to access your mail box. Emails sent to your mailbox will be rejected.

Note:


  • This purports to be from the U, but has a non-umn.edu return address.
  • This expects to receive USERID and Password in an email - The University will NEVER make such a request.


Wednesday, May 13, 2015

Phishing Example 98: Notification!

Received May 2015

From: Google@UMN <no-reply@umn.edu>
Date: Wed, May 13, 2015 at 8:01 AM
Subject: *****SPAM***** Notification!
To: no-reply@umn.edu


Dear UMN User,

This is an emergency email to inform you that you are to
retrieve your UNM account to avoid blockage of sending and
receiving Mails.

Please Click Here:
hxxp://xxxxxx.wix.com/umn-edu-university

Thanks




Things to note:


  • Mail should be marked as spam in subject line
  • Points users to non-UMN, non-Google link at WIX.COM
  • Warning message accidentally says UNM, not UMN.
  • Message forges "from:" as no-reply@umn.edu

Wednesday, May 6, 2015

Phishing Example 97: AWB Tracking Number: 907992****

Received May 2015

From: DHL Worldwide Delivery
Date: Wed, May 6, 2015 at 6:26 AM
Subject: AWB Tracking Number: 907992****
To:

Dear Customer

A Package is coming your way through DHL ....
Track your Business documents as assigned by your supplier To be delivered
to you, till it gets to your delivery address.
Kindly find attached tracking details and confirm if all details are
Correct for instant delivery .

Track Your Package

Notification for shipment event group "Clearance event" for 06th May 2015.
==================================
AWB Number: 907992****
Pickup Date: 2015-05-04 20:08:00
Estimated Delivery Date: 2015-05-10 23:59:00
Service: P
Pieces: 1
Cust. Ref: 530685065
Ship From: Cargo Supplies Ltd
===================================
Track Your Package Here With Your Email and Password
Used To Receive This Notification.

Please do not reply to this email,
This is an automated application used only for sending proactive
notifications.

Regards,
Customer Care
DHL Worldwide Delivery Office ©


Following the link gets you a series of interesting messages:


A warning that you've been "signed out" - but not to worry, click "OK" and you'll see this:


If you look carefully, you'll see the address is an incomprehensible URL starting with "data:".

Finally, if you fill it out (please don't) you'll wind up back at the REAL dhl.com site.
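
A "data:" URL carries the whole page inside the address itself, so it can be decoded offline to see where its form would send what you type. The following is an added example, not part of the original post; the sample page and the host collector.example are constructed placeholders.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes, urlsplit

def decode_data_url(url):
    """Split an RFC 2397 data: URL into (media type, decoded bytes)."""
    if not url.lower().startswith("data:") or "," not in url:
        raise ValueError("not a data: URL")
    meta, payload = url[5:].split(",", 1)
    raw = unquote_to_bytes(payload)          # undo %XX escapes
    if meta.lower().endswith(";base64"):
        meta = meta[:-7]
        raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
    return (meta or "text/plain"), raw

class FormFinder(HTMLParser):
    """Collects form targets and notes whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def inspect_data_url(url):
    """Decode the embedded page without rendering it and summarise its forms."""
    media, raw = decode_data_url(url)
    finder = FormFinder()
    finder.feed(raw.decode("utf-8", "replace"))
    hosts = [urlsplit(action).hostname for action in finder.actions]
    return {"media": media, "password_field": finder.has_password,
            "post_hosts": hosts}

# Constructed sample: a login form wrapped in a base64 data: URL.
PAGE = ('<form action="http://collector.example/save" method="post">'
        '<input name="email"><input type="password" name="pw"></form>')
SAMPLE = "data:text/html;base64," + base64.b64encode(PAGE.encode()).decode()
```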



Monday, May 4, 2015

Phishing Example 96: PLEASE READ!!!

Received May 2015

From:
Date: Sun, May 3, 2015 at 12:16 PM
Subject: PLEASE READ!!!
To:
 
 
Dear User,

The Office of IT Infrastructure has upgraded storage access to increase the
protection of data assets and system performance Click on:
Facultystaffsecured <hxxp://xxxx.ezweb123.com/>
<hxxp://xxxx.ezweb123.com/>to upgrade storage

Things to note:

  • Very simple login form - not UMN branded.
  • Hosted by ezweb123.com, not umn.edu.
  • Sent out by compromised UMN email account.
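
The notes on these examples keep returning to the same few signs: a University name on a non-umn.edu sender, a request to send a password by email, and links that lead somewhere other than umn.edu. The following added example (not part of the original posts) checks a message for them; the trusted domain, the patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "umn.edu"  # assumption: the only domain official mail and links use
BRAND = re.compile(r"\b(umn|university of minnesota)\b", re.I)
ASKS_PASSWORD = re.compile(r"\bpassword\s*:", re.I)  # a blank field to fill in
LINK = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+|\bdata:[^\s<>\"']+", re.I)

def in_domain(host, domain=TRUSTED):
    # Compare whole DNS labels, so "umn.edu.example.com" is not trusted.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def indicators(raw_message):
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    found = []
    sender_host = addr.rpartition("@")[2]
    # From: can be forged, so a umn.edu sender proves nothing; a mismatch does.
    if BRAND.search(name) and not in_domain(sender_host):
        found.append("brand-name sender at " + sender_host)
    if ASKS_PASSWORD.search(body):
        found.append("asks for password by email")
    for link in LINK.findall(body):
        if link.lower().startswith("data:"):
            found.append("data: URL")
            continue
        host = urlsplit(re.sub(r"^hxxp", "http", link, flags=re.I)).hostname
        if not in_domain(host):
            found.append("link to " + str(host))
    return found

# Constructed samples modelled on Examples 101 and 98 above.
REPLY_WITH_PASSWORD = """\
From: UMN IT Centre <someone@gmail.com>
Subject: UMN Alert***

Provide the following information in response to this email:
Password:
"""
FORGED_SENDER = """\
From: UMN Mail <no-reply@umn.edu>
Subject: Notification!

hxxp://xxxxxx.wix.com/umn-edu-university
"""
```

The second sample passes the sender check because its From: line is forged, and is caught only by where its link goes. Mail sent from a compromised umn.edu account behaves the same way.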

Friday, May 1, 2015

Advisory: Nepal Earthquake Disaster Email Scams

US-CERT advisory

Nepal Earthquake Disaster Email Scams

US-CERT warns users of potential email scams citing the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for fraudulent charitable organizations commonly appear after these types of natural disasters.
US-CERT encourages users to take the following measures to protect themselves:
  • Do not follow unsolicited web links or attachments in email messages.
  • Maintain up-to-date antivirus software.
  • Review the Federal Trade Commission's Charity Checklist.
  • Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.
  • Refer to the Security Tip (ST04-014) on Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.