
Thursday, December 29, 2016

Example 177: A Message from the IDmanagement

Forged "help desk" email from outside umn.edu; redirects to bogus UMN login page.
Received December 2016

Things to note:


  • Email comes from an outside user - claims to be from "Help Desk"
  • Link goes to a very close copy of our current login page
  • Filling in page redirects to http://twin-cities.umn.edu/ - even if nothing is entered.


Message:
From: Help Desk <xxxx @xxx .arizona.edu>
Date: Wed, Dec 28, 2016 at 5:16 PM
Subject: A Message from the IDmanagement
To:

To verify your email address  please Click Here, If  you did not verify your email,
it will automatically be cancelled within 24 hours
Thanks for using Umn.Edu!
Sincerely,
The UMN Help Team
Login page:

forged UMN.EDU login page - hosted on Russian domain

Tuesday, December 20, 2016

Example 176: Office Of The President. Attention!!! (multiple subjects)

PDF forged as from President Kaler, goes to fake Google login
Received December 2016

Things to note
  • Email comes from an outside user - claims to be from President Kaler
  • Attached PDF contains a link to a fake website
  • Filling in page redirects to real PDF (that has nothing to do with email subject)
  • Other subjects: University Email / Update Required
Message:
Subject: Office Of The President. Attention!!!
Date: Tue, 20 Dec 2016 13:28:05 -0800
From:  [Different senders / from outside umn.edu]

University of Minnesota
Driven to  Discover
Office of the President

Dear All,
Attached is an important update for,  Download and verify your email identity.
P.S: If you do not verify your email identity, there will be restrictions accessing your email.
Sincerely,
Eric W. Kaler
President
PDF with link


dummy PDF with link to login form


Fake Login Forms

Bogus Google login (note multiple email providers named)
sign in form


Document delivered if you fill in form
document has nothing to do with email subject



Thursday, December 15, 2016

Example 175: Scanned document(s) attached

PDF from compromised user, goes to fake Google login


Received December 2016

Things to note

  • Email comes from a compromised umn.edu user's account
  • Attached PDF contains a link to a fake website
  • Filling in page redirects to real Google Drive 

Message:
From: Xxxxxx Yyyyyy <xyyyy  @  umn.edu>
Date: Thu, Dec 15, 2016 at 12:05 PM
Subject: Scanned document(s) attached
To:

I have shared a document for your review, please find it below.
Best Regards,
Xxxxxx Yyyyyyy
PDF with link
dummy PDF with link to login form




Fake Login Form
Bogus Google login (note multiple email providers named)

Wednesday, November 30, 2016

ADVISORY: US-CERT Alerts Users to Holiday Phishing Scams and Malware Campaigns

Original release date: November 30, 2016
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver infected attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes.
To avoid seasonal campaigns that could result in security breaches, identity theft, or financial loss, users are encouraged to take the following actions:
  • Avoid following unsolicited links or downloading attachments from unknown sources.
  • Visit the Federal Trade Commission's Consumer Information page on Charity Scams.
If you believe you are a victim of a holiday phishing scam or malware campaign, consider the following actions:
  • Report the attack to the police and file a report with the Federal Trade Commission.
  • Contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed and do not use that password in the future. Avoid reusing passwords on multiple sites.



Tuesday, November 22, 2016

Example 174: INVITATION TO ACCESS NECESSARY DOCUMENT [DOCX..313]

PDF from compromised user, goes to fake Google login
Received November 2016

Things to note

  • Email comes from a compromised umn.edu user's account
  • Multiple subject lines used, all about "document" requiring review
  • Attached PDF contains a link to a fake website (we've seen multiple including from the UK and Italy) that has a fake Google login form
  • Filling in page redirects to real Google Drive or a dummy document.


Message:

From: "X Xxxxx" <xxxxx @ umn.edu>
To:
Subject: INVITATION TO ACCESS NECESSARY DOCUMENT [DOCX..313]
Date: Tue, 22 Nov 2016 11:22:13 -0400
Hello,
Please go through file report which i just shared with you,
it's need your prompt attention,
 Access Attached document and let me know if you have questions

PDF with link

dummy PDF used to deliver link to phishing form


Fake Login Form
Fake Google Login / includes multiple email providers (Google DOES NOT)

Monday, November 21, 2016

Example 173: Code of Conduct / Final Update Required For All Staffs

PDF from compromised user, forged as from Pres. Kaler.
Received November 2016

Things to note


  • Email comes from a compromised umn.edu user's account, but used Pres. Kaler's name.
  • ALSO seen from an outside address, and from another outside address with the subject "Final Update Required For All Staffs"
  • NO text in email, instead there is an image of a notice regarding a new policy.
  • Attached PDF contains a link to a Brazilian website that has a fake Google login form
  • Filling in page redirects to real Google Drive.


Message:

Image used for phishing message - claims to link to a pdf / google doc

PDF with link

dummy PDF used to deliver link to phishing form

Fake Login Form

Fake Google Login / includes multiple email providers (Google DOES NOT)

Friday, November 18, 2016

Example 172: Upgrade

Fake UMN warning from compromised user
Received November 2016

Things to note

  • Email comes from a compromised umn.edu user's account
  • Link to "UMN" goes to a .com site
  • Copied UMN login page warns about going to non-umn sites - like their own page
  • Filling in page redirects to UMN TC home page
  • University email storage is UNLIMITED - there is no "15 GB" limit.

Message Text:
From: University Of Minnesota <compromised user @ umn.edu>
Date: Fri, Nov 18, 2016 at 9:39 AM
Subject: Upgrade
To:
Dear UMN user,
Your Email space is about to be used up. Please upgrade to 15GB mailbox
space below so that you can receive your new pending emails.

http://umn.edu/login
<http:// xxxx xxxx.com/unm/Sign%20In_%20University%20of%20Minnesota.html>

Fake Login Form
fake UMN login - note: includes warning about going to fake sites


Wednesday, November 16, 2016

Example 171: Resource Info


PDF from compromised user - spam "mystery shopper" offer
Received November 2017

Things to note


  • Email comes from a compromised umn.edu user's account
  • Attachment contains a PDF - only to deliver an ad for secret shopper offer
  • This is not the first such offer - the PDF is the same but the link is different from the others
  • This is NOT a legitimate offer - the application is designed for identity theft



Message Text:

From: Compromised User < xxx  @ umn.edu>
Date: Wed, Nov 16, 2016 at 6:14 AM
Subject: Resource Info
To:
Good Morning,
I participated in this survey and made some extra pay, kindly go through
the included info for details.
Thanks.

PDF with link to login form

pdf with link to bogus sign-up page


Linked Sign Up on Compromised Site
screen shot of secret shopper sign up form




Thursday, November 10, 2016

Example 170: University Of Minnesota Required Update For All Staffs

PDF forged as from President Kaler, links to fake dropbox doc with a "Google" login.
Received November 2017

Things to note

  • Email comes "from" President Kaler, but really sent by a compromised user's account
  • Attachment contains a PDF - only to deliver a link to a fake  login
  • Attachment says "dropbox" doc, but goes to fake Google login
  • "Logging in" flips to real Google Drive - if user is logged in to Google, they will see their own drive - otherwise they'll see a Google login


Message Text:

From: compromised user < xxxx@ .umn.edu>
Date: Thu, Nov 10, 2016 at 9:59 AM
Subject: University Of Minnesota Required Update For All Staffs
To:
 
Office of the President
Dear All,
Attached is an important update for you,  Download and verify your email
identity.
P.S: If you do not verify your email identity, there will be restrictions
accessing your email.

Sincerely,
Eric W. Kaler
President
------------------------------
This email was sent to faculty, staff and students at the University of
Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church
St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement
<http :// click.ecommunications2.umn.edu/.... copied link to make it look real> 

PDF with link to login form
fake Dropbox pdf with link to fake login page

Fake Login 
Fake "Google" login page with multiple email providers


"Error" message following login
Error message after filling in login form

Sends to REAL Google Drive/Docs
Real Google Drive login presented if user not logged in to Google

Tuesday, November 8, 2016

Example 169:  View Sent Info

PDF "from" compromised U account with PDF linked to fake adobe doc login
Received November 2017

Things to note


  • Attachment contains a PDF - only to deliver a link to a fake Adobe login
  • Adobe login not *at* adobe.com
  • "Logging in" to form presents Adobe error message, no document.



Message Text:
From: Xxxxx Xxxxxxxx < compromised user @umn.edu>
Date: Tue, Nov 8, 2016 at 6:28 AM
Subject: View Sent Info
To: Xxxxx Xxxxxxxx < compromised user @umn.edu>

Good Morning,
I need you to look through the included info and share your thoughts.

PDF with link to login form

oddly branded PDF with a link to a fake login page

Fake Login 

Fake (not hosted at adobe.com) Adobe login

"Error" message following login

"Error" message that kicks you out at the end (no document delivered)

Monday, November 7, 2016

Example 168: Kxxxx Hxxxx has shared the following document

PDF "from" non U source with PDF linked to fake google doc login
Received November 2017

Things to note

  • Attachment contains a PDF - only to deliver a link to a fake Google login
  • Google login (not *at* google.com) presents multiple email provider choices - Google doesn't do that
  • "Logging in" to form presents Adobe error message, no document.


Message Text:
From:
Date: Mon, Nov 7, 2016 at 5:41 AM
Subject: Kxxxx Hxxxx has shared the following document 
To:

Hi,
Kindly review the attached file report urgently.
FReportbook504.pdf
Regards.
Google Drive: Have all your files within reach from any device. 

PDF with link to login form
PDF containing phishing form URL link



Fake Login Choices
Fake Google multiple email choice login - Google DOES NOT do this

Fake Login Form

Non-Standard Google Login Form

"Error" message following login

Error presented after login


Friday, November 4, 2016

Example 167: Please view classified information to all staffs

PDF "from" Pres. Kaler with link to fake Google login
Received November 2016

Things to note

  • Message says "from President Kaler" but sender email is a compromised student account
  • Attachment contains a PDF only to deliver a link to a fake Google login
  • Google login (not *at* google.com) presents multiple email provider choices - Google doesn't do that

Message Text:
From: President Eric W. Kaler <  compromised user account@umn.edu>
Date: Fri, Nov 4, 2016 at 12:49 PM
Subject: Please view classified information to all staffs
To:

Hi,
please go through file report which i just shared with you,
it's need your prompt attention, Access Attached document
let me know if you have questions.
Sincerely
ERIC W. KALER
President
PDF with link to login form
PDF sent to deliver link to phishing form

Fake Login Form
Fake Google login - including non-Google email choices

Sunday, October 30, 2016

Example 166: Accounts Processing 11

Fake umn login on Moonfruit free website builder site

Received October 2016

Things to note
  • Email address from colby.edu, not umn.edu
  • Email text presents a bit.ly link obscuring the real site at formcrafts.com, a free website builder website
  • Minimal UMN branding - but NOT the real UMN login page

Message Text:

From: UMN < xxx @colby.edu>
Date: Sun, Oct 30, 2016 at 1:40 PM
Subject: Accounts Processing 11
To:

System message: UMN is phasing out the use of UMN Username.
From October 31 Employees and Students that have not yet done there UMN account verification will be wiped out completely during an update mandatory for  establishing a connection LV, 8:00 a.m. to 4:00 pm, kindly follow the instructions below to complete the update page UMN Security ID. Use this link below bit.ly/xxxxxx
After completing this update you will be automatically connected to the UMN services with your ID and password.

Fake Login Form

Fake UMN login from Moonfruit.com website builder site

Thursday, October 27, 2016

Example 165: Helpful Resource

Fake umn login on Formcrafts free website builder site
Received October 2016

Things to note


  • Email address from colby.edu, not umn.edu
  • Email text presents a bit.ly link obscuring the real site at formcrafts.com, a free website builder website
  • Minimal UMN branding - but NOT the real UMN login page



Message Text:

From: *UMN BOARD ROOM* < xxx @colby.edu>
Date: Thursday, October 27, 2016
Subject: Helpful Resources
To:

Please verify your account because due to recent update on our data
base as the Administrator of University of Minnesota it seems that you
have multiple accounts and this as serve as an issue on our database
hence after 28-10-2016 If you do not submit your Umn account you wont
be able to access your Umn email next time. To Verify use this link
bit.ly/xxxxxxxxx 
Note that we will not be able to process your application unless you
have submitted an accepted way. This message sound as a notice and
failure to comply account will be disabled

© 2016 Regents of the University of Minnesota All rights reserved.
Fake Login Form
Fake UMN login on free web builder site
Fake site on FormCrafts.com

Thursday, October 20, 2016

Example 164: Your Pending Emails

Fake umn login on foreign website 
Received October 2016

Things to note

  • Email address says it comes "from" purdue.edu (but really sent by compromised UMN user)
  • Email text presents a link "at" umn.edu (but really linked to an Australian website)
  • Copy of old UMN login missing "M" logo


Message Text:
From: Purdue University <online @ purdue.edu>
Date: Thu, Oct 20, 2016 at 9:53 AM
Subject: Your Pending Emails
To:

Dear UMN user,
Please login below to upgrade your mailbox space in order for you to receive your recent pending emails.
http://www.umn.edu/Login <= link to fake login hidden with umn.edu text
Thanks
© 2016 Regents of the University of Minnesota. All rights reserved.     

Fake Login Form
Fake UMN login page - no branding, hosted in Australia

Wednesday, October 12, 2016

Example 163: Email Account Update

Fake login warning pointing to a foreign website - Received October 2016

Things to Note:
  • Sender is a University member (not any IT office)
  • Refers to iCloud - not a University service
  • The University (and Google) do not send messages like this.
  • See z.umn.edu/whoused to identify (and clear) logins to your account
MESSAGE TEXT:

From: [from compromised account]
Date: Wed, Oct 12, 2016 at 9:04 AM
Subject: Email Account Update
To:

Someone else was trying to use your University of Minnesota ID to sign into iCloud via a web browser.
Date and Time: 11 October 2016, 1:38 AM
Browser: Firefox
Operating System: Windows
Location: Thailand
If the information above looks familiar, you can disregard this email. If you have not recently and believe someone may be trying to access your account, you should click here to upgrade your network
Sincerely,
Technical Support Team
FAKE FORM:


Fake, unbranded UMN login (hosted in Iran, not at umn.edu)

Tuesday, October 11, 2016

Example 162: Web-mail Security update

Attached PDF with link to fake UMN login - Received October 2016

Things to note:


  • Comes from "Mail Server," but email link is to a user account.
  • Includes a PDF attachment (see below) carrying a link to the fake login.
  • Login page copies (not exactly) the NEW UMN login page (see below). Fake page is missing wordmark and small icons seen in the real page. 
  • Fake page not hosted at umn.edu
  • The University does NOT send PDFs just to point users to a login page - this was a trick to avoid spam filters.


MESSAGE TEXT:
From: Mail Server < compromised user account @ umn.edu>
Date: Mon, Oct 10, 2016 at 4:46 PM
Subject: Web-mail Security update
To:
Preview 'attached' document and act as instructed to keep you safe from online threat.
ATTACHED PDF:

FAKE LOGIN PAGE:
Copy of NEW UMN login - is missing complete branding

REAL LOGIN PAGE:
REAL UMN login page. Includes Full branding and icons.

Monday, October 10, 2016

Example 161: Please Check

Fake UMN login page hosted in India - Received October 2016

Things to note:
  • Email claims to be from a (non-existent) umn.edu address "details"
  • Email really sent from a umn.edu user account that was hijacked/compromised
  • Link in email appears to go to a umn.edu address - real link goes to a website in India
  • "Unread Email" message IS NOT SOMETHING UMN email ever sends.
MESSAGE TEXT:
From: UMN <details @ umn.edu> <compromised UMN account>
Date: Mon, Oct 10, 2016 at 6:42 AM
Subject: Please Check
To:

Dear UMN user,
You have an unread emails on your inbox. Please login below to receive this email.
http://web.umn.edu/login

© 2016 Regents of the University of Minnesota. All rights reserved.     

EMAIL SENDS USERS TO A FAKE UMN.EDU LOGIN:

Image of fake UMN login page that is hosted in India.
As noted - copy of University login is actually hosted in India (".in" ending in the address).

Tuesday, September 20, 2016

Phishing Example 160: NOTICE: Important Immediate Action Required [Email Admin]

Received September 2016

From: IT Communications <compromised UMN account >
Date: Tue, Sep 20, 2016 at 7:10 AM
Subject: NOTICE: Important Immediate Action Required [Email Admin]
To:

University of Minnesota
Driven to Discover
Office of Information Technology

Good Morning,

A message to terminate your email account
The process has begun by our administrator.

Please give us 2 hours to terminate your account OR.

Sign in here to cancel termination

Failure to cancel termination will result to closure of your account


Sincerely,

Donalee Attardo, Director, Academic Technology - OIT <---NOT THE SENDER

This email was sent by IT Communications <---NO IT REALLY WASN'T
2221 University Ave SE, Suite 305 Minneapolis, MN, 55455, USA

NOTE:

  • Sender is a UMN.EDU account
  • Sender IS NOT Donalee Attardo
  • URL goes to a NON-UMN.EDU address




Monday, September 19, 2016

Advisory: Fraud Advisory for Educational Institutions

Alert received September 2016
Well-organized fraudsters are running a scam using social media and word-of-mouth primarily targeting international students at U.S. colleges and universities. The fraudsters offer discounts on school tuition if the victim makes a tuition payment via the fraudsters. Victims are subsequently asked to provide their credentials to the school's online tuition payment portal in order for fraudsters to make a payment on behalf of the victims. A tuition payment is made by the fraudsters and the victim is able to verify this payment in the school's online portal. The victim then transmits funds to reimburse the fraudsters, only to find out that the tuition payment was made with stolen credit card information, which results in a chargeback of the fraudulent card payment. Fraudsters have successfully recruited unwitting students to help promote this tuition scam to their friends in the student body, adding an appearance of legitimacy. This scheme has resulted in students unable to pay tuition while left with little recourse in recovering their funds. While this scam is concentrated around a few universities at the moment, it is quickly proliferating to other educational institutions.
We urge educational institutions and their law enforcement departments to advise students of this fraud scheme and to strongly caution students to never share their online credentials with anyone. In addition, students should only use payment methods and third parties approved by their college or university. Students should also advise their parents/guardians not to respond to any third party solicitations for payment of tuition fees at a discount.

To learn more about scams and fraud that may threaten students, please visit:

To report phishing or possible fraud, please email phishing@umn.edu

See news items about this in the Seattle Times and Forbes.

Friday, September 16, 2016

Phishing Example 159: NOTICE: Important Immediate Action Required [Email Admin]

Received: September 2016

Body Text:
[image: Xfinity Logo, Before and After]

A message to terminate your email account

The process has begun by our administrator.

Because we have detected an irregular activity.

Please give us 2 hours to terminate your account OR.

Sign in here to cancel termination <hxxp://www.musijm.xxx/umn.edu.html>

Failure to cancel termination will result to closure of your account

Thanks
University of Minnesota


The link leads to a copy of the University's new login page, the one with the notice that it will be changing. The bad URL will be hard to spot on mobile devices. Be extra careful of login screens on your mobile device.


Monday, September 12, 2016

Scam Impersonates Microsoft

 Seen: September 2016

This scam impersonates Microsoft and is not delivered by email. It is malware and may be delivered by a malicious advertisement on a web site.
  • Do not call the phone number, as compromise of your computer and credit cards will result.
  • If you see this message on your computer, immediately shut down the machine, then run a virus scanner to remove the malware.

Wednesday, September 7, 2016

Advisory: IRS Warns of Back-to-School Scams; Encourages Students, Parents, Schools to Stay Alert

WASHINGTON — The Internal Revenue Service today warned taxpayers against telephone scammers targeting students and parents during the back-to-school season and demanding payments for non-existent taxes, such as the “Federal Student Tax.”
People should be on the lookout for IRS impersonators calling students and demanding that they wire money immediately to pay a fake “federal student tax.” If the person does not comply, the scammer becomes aggressive and threatens to report the student to the police to be arrested. As schools around the nation prepare to re-open, it is important for taxpayers to be particularly aware of this scheme going after students and parents.    


Monday, August 29, 2016

Phishing Example 158: Fraudulent Wire Transfer Request: Request

Received: August 2016
A true email thread reported to us by a UMN faculty member.
Notes: The Reply-To address is president2009@yahoo.com; there may be many other false reply-to addresses as well. The fact that this email is current shows that attackers are trying to trick finance people into wiring funds. Please be suspicious about these requests. Do not answer, and forward them to phishing@umn.edu


*From:* UMN Finance person <IID@umn.edu>
*Date:* August 29, 2016 at 1:58:08 PM CDT
*To:* UMN Faculty person@umn.edu
*Subject:* *Fwd: Request*

Should I wire the money directly to your international bank account?

Begin forwarded message:

*From:* "UMN Faculty person@umn.edu"
*Date:* August 29, 2016 at 1:53:42 PM CDT
*To:* UMN Finance person@umn.edu
*Subject:* *Request*
*Reply-To:* "UMN Faculty Person" <president2009@yahoo.com>


Hi [Finance Person],

I need a favor, can you help me make a payment of $1400 to a vendor today?
I will reimburse you back your money by Thursday. Please let me know if
this is convenient.

Thanks,
UMN Faculty Person
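The header pattern in this example (a Reply-To that leaves the sender's domain) and the one in Example 157 (a University display name on an outside address) can be flagged from the raw headers. This is an added example, not part of the original post; the three sample messages are constructed, their addresses are placeholders, and the display-name pattern is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "umn.edu"
# Assumption: display names that claim to speak for the University.
ORG_NAME = re.compile(r"\bumn\b|university of minnesota", re.I)

def addr_domain(header_value):
    """Domain part of the address in a From/Reply-To header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_org(domain):
    """True for umn.edu or a real subdomain of it."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)

def header_findings(raw_message):
    """Return a list of header-level warning labels for one raw message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0]
    from_dom = addr_domain(msg.get("From"))
    findings = []
    # Display name says "UMN" but the address is outside umn.edu.
    if ORG_NAME.search(display_name) and not is_org(from_dom):
        findings.append("display-name-claims-org-but-sender-is-outside")
    # Replies would go to a different domain than the apparent sender.
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs-from-sender")
    return findings

# Constructed samples; mail.example is a placeholder domain.
MSG_OUTSIDE = (
    'From: "umn.edu Security" <sender@mail.example>\n'
    "Subject: University Of Minnesota\n\n"
    "Unusual sign-in activity\n"
)
MSG_REPLY_TO = (
    'From: "Faculty Person" <faculty@umn.edu>\n'
    'Reply-To: "Faculty Person" <faculty2009@mail.example>\n'
    "Subject: Request\n\n"
    "I need a favor, can you help me make a payment to a vendor today?\n"
)
MSG_INTERNAL = (
    'From: "IT Help" <help@umn.edu>\n'
    "Subject: Maintenance window\n\n"
    "Scheduled maintenance tonight.\n"
)

if __name__ == "__main__":
    for label, raw in (("outside", MSG_OUTSIDE), ("reply-to", MSG_REPLY_TO),
                       ("internal", MSG_INTERNAL)):
        print(label, header_findings(raw))
```

These checks read only what the headers claim, so a message sent from a compromised umn.edu account with no Reply-To passes both.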

Wednesday, August 24, 2016

Phishing Example 157: University Of Minnesota

Received August 2016

From: umn.edu Security <xxxxx  @gmail.com> <<- From fake GMAIL address
Date: Wed, Aug 24, 2016 at 9:18 AM
Subject: University Of Minnesota
To:


Inline image 1


Unusual sign-in activity
We detected something unusual about a recent sign-in to the***@umn.edu . To help keep you safe, we required an extra security challenge.
Sign-in details:
Country/region: United States
IP address: 172.58.144.197
Date: 8/24/2016 09:00 AM
If this was you, then you can safely ignore this email. If you're not sure this was you, a malicious user might have your password. Please review your recent activity  Click Here.

To opt out or change where you receive security notifications,

Thanks
The University Of Minnesota.

Notes:

  • Copy of current UMN login page - delivered via javascript load
  • Filling in form redirects to real page

Tuesday, August 23, 2016

Advisory: FTC Releases Alert on Louisiana Flood Disaster Scams


Original release date: August 23, 2016
The Federal Trade Commission (FTC) has released an alert on scams that cite the recent flood disaster in Louisiana. These charity scams take many forms, including emails containing links or attachments that direct users to phishing or malware-infected websites. Donation requests from fraudulent charitable organizations commonly appear after major natural disasters.
US-CERT encourages users to take the following measures to protect themselves:
  • Review the FTC alert and its information on Charity Scams.
  • Do not follow unsolicited web links or attachments in email messages.
  • Keep antivirus and other computer software up-to-date.
  • Check this Better Business Bureau (BBB) list for helping Louisiana flood victims before making any donations to this cause.
  • Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.
  • Refer to Security Tip ST04-014 – Avoiding Social Engineering and Phishing Attacks – for more information on social engineering attacks.

Saturday, August 20, 2016

Tips on Reporting Phishing


When you report a phishing email to phishing@umn.edu, it is extremely helpful if you can give us the complete email, with headers and all the links intact. This helps us identify the email and put measures in place to protect our community members from such scams.


Gmail
To view headers in Gmail, click the arrow next to the Reply button in the upper-right corner of the message to open the pull-down menu. Select Show original. Save the result as a text file and send it as an attachment.

Other e-mail clients
SpamCop offers a page of links showing how to view header information for a large number of e-mail clients:

IMPORTANT: Because Google now triggers on the content when you report phishing - you need to send the report as an attachment - see


Friday, August 19, 2016

Phishing Example 156: IMPORTANT

Received August 2016


From: University Of Minnesota <help@umn.edu> <<<-FORGED
Date: Fri, Aug 19, 2016 at 8:07 AM
Subject: IMPORTANT
To: 

Your mailbox size has reached 14900.93MB, which is over 90% of your 15360.00MB quota. Please click here to Increase your mailbox quota to avoid exceeding your quota.  <<<Multiple versions with different URLs

© Regents of the University of Minnesota. All rights reserved

Directs to a forged copy of our login page:



Notes:
  1. There IS NO QUOTA on UMN email accounts
  2. Comes from multiple email addresses, pretending to come from "help @umn.edu"
  3. Web form has an outdated copy of the UMN login page
  4. Web form hosted at multiple URLs, all ending with "/ww/ww.htm"

Thursday, August 18, 2016

Phishing Example 155: Signed Doc Agreement

Received August 2016


From: 
Date: Thu, Aug 18, 2016 at 9:50 AM
Subject: Signed Doc Agreement
To: 

Please find the letter for your approval and signature.
Kindly sign under your name and return.
View | Download
457 KB

Thank You
 
xxxxx
 
Notes:

  • Email came from a compromised user that had been working with the U on business
  • Link goes to fake google login (below)
  • IF you are logged into google, you shouldn't SEE a login to view the doc
  • Login page doesn't take you to a UMN login screen
  • Fake login page missing "Google" logo at top.
COMPARE TO A REAL GOOGLE LOGIN:

Logging into UMN Google resources: