
Monday, October 2, 2017

Example 207: You have an Important message to review

Fake health message email directs to a forged UMN login site in Russia

Message Text:

 From: UMN - Health Care <xxxx @ Some-other-school.edu>
 Subject: You have an Important message to review
 Date: October 2, 2017 at 1:58:48 PM CDT
 To:
 You have an important Health message from University of Minnesota Health Center. Click  Here
      hxxp:// news-xxxxx.ru/login.umn.edu/
  authentication is required to read this message
  We apologize for any inconvenience.
 Thank You.. 
 Allen Brianna
 Health Care Center
 University of Minnesota
Login Form:

Russian hosted forged umn login site

Things to Note:

Thursday, September 21, 2017

Advisory: FTC Releases Alerts on Protecting Against Identity Theft

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/20/2017 04:58 PM EDT

The Federal Trade Commission (FTC) has released two alerts to educate consumers on recommended protections against identity theft after the recent data breach at Equifax. Users should consider placing security freezes with the three major credit reporting agencies: Equifax, Transunion, and Experian. Alternative security recommendations include using fraud alerts and free credit monitoring from Equifax. 
US-CERT encourages users to refer to the FTC alerts on Equifax credit freezes and fraud alerts vs. credit freezes. See the US-CERT Tip on Preventing and Responding to Identity Theft for more information.

Thursday, September 7, 2017

Advisory: Potential Hurricane Harvey Phishing Scams

Reminder from US-CERT that recent disasters will lead to scam "fund-raising" emails.

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

09/08/2017 01:56 PM EDT

Original release date: September 08, 2017
As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.
To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Tuesday, September 5, 2017

Example 206: Urgent Notice

Fake "warning" leads to forged UMN login page aimed at stealing passwords.

Message text:

From: UMN Admin <noreply@xxx.edu>
Date: Tue, Sep 5, 2017 at 4:52 PM
Subject: Urgent Notice
 
To:
 
To all staffs/employees and UMN users, we have observed that there are some
non-active email address in our database recently serving as a loop to
hackers trying to hijack our server. User are advised to CLICK
<hxxp://umn-edu.xxxx.biz/index.html> here to login and validate their email
address and continue with their normal activity as their login information
will not be altered or shared.
If you receive this message as spam, kindly move message to your inbox
before you click. Failure to comply with this demand will be regarded
as non active user and will lead to deletion after 48 hours of
reception of this email.
Sorry for the inconveniences.
Admin.
Web Form

Fake UMN login hosted at .biz address

Things to Note:

  • Email forged as coming from a .edu address - but NOT umn.edu
  • Web form hosted at a ".biz" address - NOT umn.edu
  • Filling in the form redirects to the real login.umn.edu web page

Monday, August 14, 2017

Example 205: ITS Support/Help desk

Fake support message leading to deceptive login page to steal name and password.

Message text:

From: Help Desk Support [mailto: non-UMN.EDU address]
Sent: Monday, August 14, 2017 10:09 AM
To: undisclosed-recipients:
Subject: ITS Support/Help desk

Dear Faculty and Staff,

Important information from Web Access Security Service.

An upgrade was made to the university’s authentication structure. The upgrade was required to prepare systems for compliance with State Security Standards, and the implementation of multi-factor authentication. Now, when you lo-gin. You will be required to enter your Network Username and password into the link that will be provided below.

Due to the upgrade that was made. Your lo-gin page will be changing. However, to avoid loss of your email address and password LOGIN your account now.

Thank you for your cooperation and patience as we take steps to further protect university data.

Thank you,
Division of Information Technology.
Login form:

fake login page aimed at stealing account credentials
Things to note:

  • No UMN branding in message or webform
  • Email not from umn.edu address
  • Web form not hosted at a umn.edu site

Wednesday, August 2, 2017

Example 204: Notice ! Notice !!

Fake warning "from" Google leads to a well-crafted fake Google login page

Message Text:

Spam Warning email - attached to PDF containing link to Fake Google login


Web Form

Fake Google Login page

Filling it out redirects to a REAL Google account login:
Real Google Login - with CORRECT "Google" text font

Things to Note:

  • Link not in email text - you have to open a PDF to find link
  • Link is hosted at an advertising website, NOT Google.com
  • Forged login uses an older font for "Google" - the real google.com uses a sans-serif font
  • Filling in the form redirects to a REAL Google login page, with the CORRECT font

Monday, July 31, 2017

Example 203: Unrecognized Login Location Alert For xxx@umn.edu

Spoofed security alert message aimed at capturing login credentials.


Message Text
Date: 29 Jul 2017 18:27:07 -0400
Subject: Unrecognized Login Location Alert For xxx@umn.edu
To: xxx@umn.edu
From: " E-mail Security Alert" <xxx@xxx.xx.cn>
(note: EMAIL From Non-UMN.EDU address!)
for - Account User: xxx@umn.edu 
This is to notify you that someone from an unrecognized location tried logging into your e-Mail (xxx@umn.edu ) few minutes ago. 
Was this done by you? 
For your account security, we strongly recommend that you verify your account now, else you account will be blocked without further notice. 
Click here to Verify your E-mail account now
After verification, extra security features will be activated in your email settings and your account will be safe for use again.
Source: Email Security Team

Things to Note

  • No University of Minnesota text or branding
  • Email source NOT @umn.edu 
  • Personalized report includes recipient email, which is also embedded in the form link (this lets the form come up with your ID already filled in)
  • Form link NOT at UMN.EDU (it was actually on a doggie day care website)
  • Sorry, no picture of the form, which was already removed by the time it was reported

Monday, July 10, 2017

Example 202: umn.edu

Simple message leading to a fake UMN login page on a free web service

Message Text
From: helpdesk>support <xxxxxxx14@gmail.com>
Date: Fri, Jul 7, 2017 at 3:31 PM
Subject: umn.edu
To:

Your umn.edu e-mail account have exceed its limit click the below link hxxp://umn-xxxxxxxx.myfreesites.net/ to re-validate. UMN<help-surport> Thanks
Login Form
Fake UMN login page hosted at freesites.net

Improved version included in some spam messages

Things to note

  • Email sent from a gmail.com email address
  • Some copies sent from compromised UMN.EDU addresses
  • Mild branding with UMN logo, but not hosted at UMN.EDU
  • Web page advertises free web page building service
  • Password entry displays passwords in the clear


Wednesday, June 21, 2017

Example 201: Library Services

Well crafted email directs recipient to a forgery of the UMN login page.

Message

 Dear User,
 This message is to inform you that your access to your library account
 will soon expire. You will have to login to your account to continue to
 have access to the library services.
 You need to reactivate it just by logging in through the following URL. A
 successful login will activate your account and you will be redirected to
 your library profile.

 hxxp://www.lib.umn.cave.gq/login_xxxxxxxxxxxxxxx
 If you are not able to login, please contact Emily Bonnell at
 enbonnell@umn.edu for immediate assistance.
 Sincerely,
 Emily Bonnell
 University of Minnesota Libraries
 (612) 624-xxxx
 enbonnell@umn.edu

Webform

Forged UMN login page - NOT hosted at UMN.EDU

Things to Note

  • Email comes from a Gmail account, not UMN.EDU
  • "Emily Bonnell" is not a real UMN staff member - the umn.edu email referenced does not exist
  • Forged web page NOT hosted at umn.edu
  • Logging into page redirects to the real login page (or a UMN service page if you ARE logged in)

Tuesday, June 20, 2017

Example 201: Security Updrade Strongly Required

Phish with security warning, going to very good copy of UMN login.

Message:

From: Help Desk <compromised user@umn.edu>
Date: Mon, Jun 19, 2017 at 6:20 PM
Subject: Security Updrade Strongly Required
To:
 
 
University of Minnesota Account Help Desk  is having a problem with your Account.You will not be able to receive any new emails until you Upgrade your account  to avoid suspension.
Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade below: 
Upgrade <hxxp://xxxxxxxxxx.ru/love.php>
Regards,
- Identity Management Team
Web Form
Forged MyU login page - hosted at a .com site

Things to Note
  • Email comes from a compromised UMN account
  • URL in email points to a Russian (".ru") URL, but redirects to a .COM site for login
  • Logging into the page redirects to the REAL MyU login page (nearly identical to their fake page)

Tuesday, June 13, 2017

Advisory: Logging into University Google resources.

Note: This is an updated reminder of what logging into Google resources should look like (June, 2017). 

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:


Currently, a REAL Google login should look like this:

Current Google App Login (May 2017)
Current Google App Login (June 2017)


But, be careful. Looking like this is not enough.

(PLEASE note - if you are  already logged in to gmail, following a link to a google doc should NOT present you with a login - you're already logged in.)

When

  1. You ARE prompted to login to a resource for the University, 
  2. AND you receive the Google prompt,
  3. DO NOT enter your password.
  4. Just present your email address, e.g. internet-id@umn.edu
Like this:
Logging into Google with an @umn.edu account

If it's legitimate, you may next see:
(You'll see this if Google thinks you have two versions of NAME@umn.edu; choose "Organizational".)
You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

University Login page

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.

(note: We present this post on a regular basis so that it reflects the current user experience for logging into Google resources. When there are updates to the Google or University experience, we will update it. The current version will be linked at http://z.umn.edu/RealLogon)
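The host rule above (a real University login page lives under umn.edu, and nothing else counts) and the "things to note" that recur through the examples on this page (sender not @umn.edu, login.umn.edu dropped into the path of a .ru host, a .biz or free-hosting site, a tinyurl link hiding the destination, a Reply-To that goes to Gmail, the recipient's own address baked into the form link) can be applied mechanically before anyone clicks. The script below is an added example, not the University's tooling; the four sample messages are constructed from the redacted examples on this page, the shortener names beyond tinyurl.com and the `.invalid` host are assumptions, and the `"umn" in host` lookalike test is a deliberately coarse heuristic.

```python
"""Triage one suspicious message against the red flags these posts repeat. Added example, not the University's own tooling; the sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit, unquote

TRUSTED_DOMAIN = "umn.edu"                        # where a real U login must be hosted
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl"}  # tinyurl.com is from the posts; others assumed
FREE_HOSTS = {"myfreesites.net"}                  # free page builder from Example 202

# Live or defanged (hxxp) links; the posts sometimes leave a space after "://".
URL_RE = re.compile(r"(?:hxxps?|https?)://\s*[^\s<>\]\)\"']+", re.IGNORECASE)


def refang(url):
    """Make a defanged link parseable: strip inner whitespace, hxxp -> http."""
    return re.sub(r"^hxxp", "http", re.sub(r"\s+", "", url), flags=re.IGNORECASE)


def in_domain(host, domain):
    """True only if host IS domain or a subdomain of it (label-boundary match, so
    umn-edu.xxxx.biz and www.lib.umn.cave.gq do not pass)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def address_domain(header_value):
    """Domain part of a From/Reply-To header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_link(url, recipient=""):
    """Findings for one link; an empty list means the host really is under umn.edu."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = unquote(parts.path).lower()
    if in_domain(host, TRUSTED_DOMAIN):
        return []
    findings = ["link host is not under %s: %s" % (TRUSTED_DOMAIN, host or "(none)")]
    # Example 207 put login.umn.edu in the PATH of a .ru host; Example 201 used lib.umn.cave.gq
    if "umn" in host or TRUSTED_DOMAIN in path:
        findings.append("trusted name used as a lookalike: %s%s" % (host, path))
    if host in SHORTENERS:
        findings.append("URL shortener hides the true destination: %s" % host)
    if any(in_domain(host, free) for free in FREE_HOSTS):
        findings.append("hosted on a free web-page service: %s" % host)
    # Example 203 and the "low storage" phish carried the victim's address in the form link
    if recipient and recipient.lower() in unquote(parts.path + "?" + parts.query).lower():
        findings.append("recipient address embedded in link (form comes up pre-filled)")
    return findings


def triage(raw_message):
    """Apply every check to one raw RFC 5322 message; returns a list of finding strings."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if from_dom and not in_domain(from_dom, TRUSTED_DOMAIN):
        findings.append("sender domain is not %s: %s" % (TRUSTED_DOMAIN, from_dom))
    # A umn.edu sender proves nothing (Examples 198 and 201 came from compromised
    # accounts), so the link checks run regardless of the From domain.
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To points elsewhere: %s" % reply_dom)
    recipient = parseaddr(msg["To"] or "")[1]
    for url in URL_RE.findall(msg.get_payload()):
        findings.extend(check_link(url, recipient))
    return findings


# Constructed samples modelled on Examples 207, 203 and 198 (hosts are placeholders).
SAMPLE_207 = """From: UMN - Health Care <xxxx@some-other-school.edu>
To: someone@umn.edu

You have an important Health message. Click Here
hxxp:// news-xxxxx.ru/login.umn.edu/
"""
SAMPLE_203 = """From: " E-mail Security Alert" <xxx@xxx.xx.cn>
To: xxx@umn.edu

Click here to Verify your E-mail account now
hxxp://daycare-example.invalid/verify.php?user=xxx%40umn.edu
"""
SAMPLE_198 = """From: compromised UMN account <xxx@umn.edu>
Reply-To: scammer-example@gmail.com
To: someone@umn.edu

We strongly advise that you update <hxxp:// tinyurl.com/ xxxxx > your account promptly.
"""
SAMPLE_LEGIT = """From: IT Help <help-example@umn.edu>
To: someone@umn.edu

Sign in at https://login.umn.edu/ to continue.
"""

if __name__ == "__main__":
    for name, raw in [("legit", SAMPLE_LEGIT), ("ex207", SAMPLE_207), ("ex203", SAMPLE_203), ("ex198", SAMPLE_198)]:
        print(name, triage(raw) or ["no findings (not proof of safety)"])
```

`triage` returns one string per red flag found. An empty list is not a clean bill of health: the posts above show phish sent from compromised umn.edu accounts, which is why the link checks run whatever the From domain says, and why the Reply-To header is compared against From separately.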

Monday, June 12, 2017

Example 201: Your email (name)@umn.edu, has low storage.

Scam email sent to steal user passwords with "low storage" warning.

Message text:

To (name)@umn.edu 
You are running out of email storage space and this could prevent you from
receiving other important mails!
Please Click Here to verify your email to lift your email storage limit.
Yours Sincerely,
Account Team
Web form:

Things to Note:

  • Email to "name@umn.edu" embeds email address in form
  • Nothing related to UMN.EDU in email, or form

Friday, June 9, 2017

Example 200: All Faculty and Staff Must Read

Notes: From a non-UMN address, tinyurl resolves to a site with a fake UMN login page.
Text of message:

From: Health Care Center <xxxxxx@students.towson.edu>
Date: Fri, Jun 9, 2017 at 9:41 AM
Subject: All Faculty and Staff Must Read
To:
Dear Faculty and Staff
You have an important Health message from University Of Minnesota Faculty and Staff Health Center. Please Click [hxxp://tinyurl.com/y8ng5sxf] Here to read it
[Real UMN Professor Name]
612-xxx-xxxx
xxx Morrill Hall
100 Church St. S.E.
Minneapolis MN 55455
Web Form:
Fake UMN.EDU login, hosted at a .com site
Things to Note:
  • Close, but not exact, copy of the UMN login page
  • Webform linked using tinyurl.com link to hide true location
  • Email comes from a different EDU, not umn.edu

Friday, June 2, 2017

Example 199: Kindly Verify Your Account!!

Spam email with link to non-branded, simple form claiming to "upgrade" accounts.

 Message Text

Subject: Kindly Verify Your Account!! 
From: umni@xxxx.be
INFORMATION TECHNOLOGY SERVICES
Information and Communication Technology Accessibility Policy, Verify your email below to avoid the lose of your  account.
Account Verification
 ©2017 The University of Minnesota Terms of Use.

Web Form

Web form aimed at stealing passwords - note password not obscured
Things to note:

  • No UMN branding
  • Not from a UMN address (although the username sprinkles umn in the sender's ID)
  • Password not obscured

Wednesday, May 31, 2017

Phishing Alert: Lawsuit Phone Scam

Scam phone calls deliver an automated lawsuit threat.

We've had reports from our community that match this scam reported by the University of Pittsburgh:

....a new phishing phone scam that has been received by members of the University community. The scam uses an automated voice message that instructs you to call a phone number before a lawsuit is filed against you with the county courthouse.
The following is a transcript of the fraudulent phone scam. If you receive this message (or any message similar to it), delete the voice message without replying or calling back the number. 
*************************************************************
We are calling you about a lawsuit, which has been filed on your name. So before we go with legal matter and send this case to the local county courthouse, kindly call us back on our number which is [number removed]. Thank you and goodbye.
*************************************************************

Friday, May 12, 2017

Krebs: U.K. Hospitals Hit in Widespread Ransomware Attack

A timely reminder to make sure your computer is updated.

The ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer.

U.K. Hospitals Hit in Widespread Ransomware Attack

At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware, a type of malicious software that encrypts a victim’s documents, images, music and other files unless the victim pays for a key to unlock them.
It remains unclear exactly how this ransomware strain is being disseminated and why it appears to have spread so quickly, but there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft.

In a statement, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks.
“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said. “At this stage we do not have any evidence that patient data has been accessed.”
According to Reuters, hospitals across England are diverting patients requiring emergency treatment away from the affected hospitals, and the public is being advised to seek medical care only for acute medical conditions.
NHS said the investigation is at an early stage but the ransomware that hit at least 16 NHS facilities is a variant of Wanna Decryptor (a.k.a. “WannaCry“), a ransomware strain that surfaced roughly two weeks ago.
Lawrence Abrams, owner of the tech-help forum BleepingComputer, said Wanna Decryptor wasn’t a big player in the ransomware space until the past 24 hours, when something caused it to be spread far and wide very quickly.
“It’s been out for almost two weeks now, and until very recently it’s just been sitting there,” Abrams said. “Today, it just went nuts. This is by far the biggest outbreak we have seen to date.”
For example, the same ransomware strain apparently today also hit Telefonica, one of Spain’s largest telecommunications companies. According to an article on BleepingComputer, Telefonica has responded by “desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.”
An alert published by Spain’s national computer emergency response team (CCN-CERT) suggested that the reason for the rapid spread of Wanna Decryptor is that it is leveraging a software vulnerability in Windows computers that Microsoft patched in March.
According to CCN-CERT, that flaw is MS17-010, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another.
That SMB flaw has enabled Wanna Decryptor to spread to more than 36,000 Windows computers so far, according to Jakub Kroustek, a malware researcher with Avast, a security firm based in the Czech Republic.
“So far, Russia, Ukraine, and Taiwan leading,” the world in new infections, Kroustek wrote in a tweet. “This is huge.”
Abrams said Wanna Decryptor — like many ransomware strains — encrypts victim computer files with extremely strong encryption, but the malware itself is not hard to remove from infected computers. Unfortunately, removing the infection does nothing to restore one’s files to their original, unencrypted state.
“It’s not difficult to remove, but it also doesn’t seem to be decryptable,” Abrams said. “It also seems to be very persistent. Every time you make a new file [on an infected PC], it encrypts that new file too.”
Experts may yet find a weakness in Wanna that allows them to decode the ransomware strain without paying the ransom. For now, however, victims who don’t have backups of their files have one option: Pay the $300 Bitcoin ransom being demanded by the program.
Wanna Decryptor is one of hundreds of strains of ransomware. Victims who are struggling with ransomware should pay a visit to BleepingComputer’s ransomware help forum, which often has tutorials on how to remove the malware and in some cases unlock encrypted files without paying the ransom. In addition, the No More Ransom Project also includes an online tool that enables ransomware victims to learn if a free decryptor is available by uploading a single encrypted file.

Tuesday, May 9, 2017

Advisory: FTC Promotes Privacy Awareness Week

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

05/08/2017 10:39 PM EDT

Original release date: May 08, 2017
The Federal Trade Commission (FTC) has released an announcement on Privacy Awareness Week, celebrated this week in the U.S. The theme of this year’s initiative is “Share with Care,” and the FTC is offering privacy tips, including how to safeguard your information online, improve your computer security, and limit unwanted emails.
US-CERT encourages users and administrators to review FTC’s post on Privacy Awareness Week and these related resources from US-CERT:

https://www.us-cert.gov/ncas/current-activity/2017/05/08/FTC-Promotes-Privacy-Awareness-Week

Monday, May 8, 2017

Example 198: Email Update!

Scam email update sent from a compromised UMN account

Message text
Subject:    Email Update!
Date:   Mon, 8 May 2017 20:03:37 +0100
From:   compromised UMN account <xxx @umn.edu>
Reply-To:   gmail account

We are using this opportunity to notify the Students, Staffs and Alumni
of University of Minnesota that an update is being done on all accounts.
We strongly advise that you update <hxxp:// tinyurl.com/ xxxxx > your
account promptly to avoid closure/inconvenience on your account, kindly
do this immediately.
Sincerely,
IT Admin
Login form

Minnesota bogus branded simple login form

Things to note

  • Form uses tinyurl to mask non-umn login address
  • Form is modestly branded
  • Form shows password in the clear

Example 197: Your Edu Webmail Expired on 05.08.2017,Update

Non-branded email and form claiming to warn about email account.

Message text

Subject:    Your Edu Webmail Expired on 05.08.2017,Update
Date:   Mon, 8 May 2017 12:40:19 +0000
From:
Your Webmail Edu account certificate expired on 05.08.2017, it may
interrupt your email delivery configuration, and POP account settings
page error when messaging. To re-new your webmail certificate, please
take a moment to update your records per link below or copy and paste link.
hxxp://helpdesk1.xxx.xx/
Account will function as normal after the verification process, webmail
and your certificate will be re-newed.
Web form

non-branded, simplistic phishing form

Thursday, May 4, 2017

Advisory: NO, no one has shared a document on Google Docs with you

Email Attack Hits Google: What to Do if You Clicked


A screen shot of an email received by a New York Times reporter on Wednesday that included a link that appeared to be for a Google document. (Identifying information has been redacted.)

Google said it was investigating an email scam winding its way through inboxes across the country and had disabled the accounts responsible for the spam.
The scheme emerged Wednesday afternoon, when spammers dispatched malicious email, appearing to come from people the recipients knew, beckoning them to click on what appeared to be a shared Google document. ...
If you receive suspicious email, here are some tips:
1. Do not click, even when the email is from your mother.
2. Turn on multifactor authentication.
       (this is coming for all UMN users soon, stay tuned)
3. Shut it down.
Go to https://myaccount.google.com/permissions
Revoke access to “Google Docs” (the app will have access to contacts and drive).
4. Change your passwords ... again.
5. Report it.
Report any phishing attacks to Google by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.” Companies count on those reports to investigate such scams and stop them.
...

See also:
http://money.cnn.com/2017/05/03/technology/google-docs-phishing-attack/
https://www.washingtonpost.com/news/the-switch/wp/2017/05/03/why-this-google-docs-phishing-attack-is-particularly-sneaky/


Thursday, April 20, 2017

Advisory: Unexpected Emails

An example of spam emails that may be trolling for personal information!

Message Text

Subject: New resources for education

Hello!

Apple-Edu would like to share a special opportunity to you - a sweepstakes offering resources and equipment you can use! Please share anyone with who may wish to consider this - thanks!

    Learn More <<-link

Sincerely,


Web Form
Web form used to troll for user email addresses

Things to Note

  • Is this message plausible? Is there any reason that you would receive this message?
  • If the message is delivered to your email - why does their form request your email address?
  • If this message was sent from a specific organization/company - where is the URL hosted?
  • Is the person sending it from the company represented?
Actions
  • Use "mark as spam" - this will help filter such messages in the future
  • Report suspicious email to University Information Security - phishing@umn.edu

Tuesday, April 18, 2017

Advisory: BBB Scam Tracker

The Better Business Bureau maintains an information and reporting tool for scams at https://www.bbb.org/scamtracker

Spot a business or offer that sounds like an illegal scheme or fraud? Tell the BBB about it. Help  investigate and warn others by reporting what you know.

Monday, April 17, 2017

Example 196: ID:431 -Account Reset Notification

Account termination warning aimed at getting your password.

Message Text:

From:
Sent: 17 April 2017 17:25
To:
Subject: ID:431 -Account Reset Notification
      This message is sent from a trusted sender.
Account Confirmation
Dear User,
We received a request from you yesterday to terminate your account
permanently and we are working on that now. but first we need to confirm, If
you did not request this, please follow this link to
hxxp://xxxxxxxxxxxxxxx/help-desk.html   to cancel the
request immediately.
If you actually request to delete your account, please ignore this email.
Thank you for using Microsoft services . .
Web Form

Fake login page - with working captcha!

scammer provided "privacy policy"

Things to note:

  • Web form and message have no U of Mn branding
  • Form refers to Microsoft Outlook mail - UMN uses Google
  • Form has a working "captcha" - you have to enter the right info to proceed
  • Form even has a "privacy policy" telling you YOU ARE SAFE (no, you are not if you enter your password here).