
Monday, January 30, 2017

Example 184: Email Urgent Update

Forged "Office of President" email, from compromised UMN account; PDF attachment redirects to a fake Google login.

MESSAGE TEXT

From: Office of the President < xxx compromised account xxx@umn.edu>
Subject: Email Urgent Update
Date: January 30, 2017 at 1:29:24 PM CST
To: undisclosed-recipients:;
University of Minnesota Driven to Discover
Office of the President

 Dear Staffs,
 To protect your email service, you have been required to verify your email by downloading the attached file and login in your email.
 Note: There will be restriction to your email if you do not do this within 72 hours.
 Thanks for the co-operation.
 Eric W. Kaler
 President

This email was sent to faculty, staff and students at the University of Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement.


PDF attached

PDF with "President" message - links to login form


Login Form Linked

Fake login form linked from "President" PDF

Example 183: IT Support Center

Scam message from compromised UMN user, link directs to a Russian-hosted copy of the UMN login page.

MESSAGE TEXT:
From: University of Minnesota < compromised UMN user@umn.edu>
Date: Mon, Jan 30, 2017 at 10:22 AM
Subject: IT Support Center
To:

A recent upgrade on the university website may cause some features to malfunction.Please  
log on to your email account to make sure its still working.Report any errors immediately.


Thank you, 
UMN.EDU IT Support Center
WEB FORM

Copy of UMN login page, hosted at ".RU" site

Friday, January 27, 2017

Example 181: Urgent 72 hrs Email Update (For only Staffs)

From compromised UMN accounts, forged as from Office of the President, PDF goes to fake login page. Some variation in subject. 

Message Text

From: Office of the President < xxx compromised account xxx@umn.edu>
Date: Fri, Jan 27, 2017 at 10:02 AM
Subject: Urgent 72 hrs Email Update (For only Staffs)
To:

University of Minnesota Driven to Discover
Office of the President
 Dear Staffs,
 To protect your email service, you have been required to verify your email by downloading the attached file and login in your email.
 Note: There will be restriction to your email if you do not do this within 72 hours.
 Thanks for the co-operation.
 Eric W. Kaler
 President
This email was sent to faculty, staff and students at the University of Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement.


PDF attached

PDF with "President" message - links to login form


Login Form Linked

Fake login form linked from "President" PDF

Thursday, January 26, 2017

Example 180: Final warning for all staffs

From compromised UMN account, forged as from Office of the President, PDF goes to fake login page

Message Text

From: Office of the President <xxx compromised account xxx@umn.edu>
Date: Thu, Jan 26, 2017 at 11:06 AM
Subject: Final warning for all staffs
To:

University of Minnesota Driven to Discover
Office of the President
Your email service is scheduled for maintenance. You are advise to update your email service within 48hrs to keep you active in the system with attachment.
If you do not login within 48hrs, you will be locked out of all services provided.

This email was sent to faculty, staff and students at the University of Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement.
PDF attached

PDF with "President" message - links to login form


Login Form Linked

Fake login form linked from "President" PDF

Wednesday, January 25, 2017

Security Advisory: Malicious Chrome Extension


Tuesday, December 20, 2016

A Chrome Extension, OneClass, is part of an unauthorized application that could affect your Canvas account. If installed, OneClass may masquerade as you to send email and attempt to collect your login credentials.
The OneClass Extension is not available directly in the Chrome Extensions Store but students at other institutions are being phished with an installation link in direct email messages. During installation, the extension requests permissions to "Read and change all your data on the websites you visit." Although OneClass is not affiliated with Canvas, when users install the browser extension, it displays a button in the browser window encouraging the user to "Invite Your Classmates to OneClass." If clicked, OneClass will use Canvas's Conversations tool ("Inbox") to email all the users in your courses and phish them to install the extension, too, using the following message:
"Hey guys, I just found some really helpful notes for the upcoming exams for University of Minnesota courses at <URL>. I highly recommend signing up for an account now that way your first download is free!"
Please DO NOT install this extension, and if you receive an email like the one above DO NOT click anything in the email, just delete the message. If you have already installed the OneClass extension in Chrome, please uninstall it immediately (for information on how to remove Chrome extensions, see the "Uninstall an extension" section in the document: https://support.google.com/chrome_webstore/answer/2664769).
We will continue to monitor this issue and provide updates to you as new information becomes available.
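The permission prompt quoted in the advisory is what Chrome shows when an extension asks for access to every site. The following audit script is an added example, not part of the original advisory or any University tooling: it lists installed extensions whose manifests request that access. It assumes Chrome's usual on-disk layout (`<profile>/Extensions/<extension id>/<version>/manifest.json`); the profile path is supplied by the person running it, and a hit is a prompt for review, not proof of malice.

```python
import json
from pathlib import Path

# Match patterns that grant access to every site. Chrome summarises them at
# install time as "Read and change all your data on the websites you visit".
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_access(manifest):
    """Return the all-sites match patterns a manifest requests."""
    patterns = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns & BROAD

def audit_extensions(ext_root):
    """Scan <ext_root>/<id>/<version>/manifest.json; list extensions with all-sites access."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]  # directory name is the extension id
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed is reported rather than skipped.
            findings.append({"id": ext_id, "name": "<unreadable manifest>", "broad": []})
            continue
        broad = broad_host_access(manifest)
        if broad:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "broad": sorted(broad)})
    return findings

if __name__ == "__main__":
    import sys
    # Usage: python audit_extensions.py "<path to profile>/Extensions"
    for f in audit_extensions(sys.argv[1]):
        print(f["id"], f["name"], ", ".join(f["broad"]) or "could not parse", sep="  ")
```
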

Tuesday, January 24, 2017

Example 179: UMN 2017 / UMN EMAIL SERVICES / Final Update Required For All Staffs

From multiple non-UMN accounts, forged as from President Kaler, PDF goes to fake login page, multiple subject lines.

Message:

From: Eric W. Kaler <xxxx@plu.edu>
Date: Tue, Jan 24, 2017 at 1:22 PM
Subject: UMN EMAIL SERVICES
To:

Your email service is scheduled for maintenance. You are advise to update your email service within 48hrs to keep you active in the system with attachment.
If you do not login within 48hrs, you will be locked out of all services provided.


This email was sent to faculty, staff and students at the University of Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement.

PDF Attachment:

PDF with "Kaler" message - links to login form


FORM
Fake login form linked from Kaler PDF

Friday, January 6, 2017

Example 178: UMN Account Warning

From "Member Services" (compromised UMN account); an ow.ly link leads to a Russian site with a fake copy of our new login page.

Message:
From: Member Services <IID@umn.edu>
Date: Thu, Jan 5, 2017 at 7:40 PM
Subject: UMN Account Warning
To:


We received your request to opt out from receiving mails from University of
Minnesota, if you didn't make such request and you are seeing this by
mistake, you are required to correct such errors by clicking the link below.

RECTIFY
<http://ow.ly/9K93307JEnv>