Example 201: Library Services

Well crafted email directs recipient to a forgery of the UMN login page.

Message

 Dear User,
 This message is to inform you that your access to your library account
 will soon expire. You will have to login to your account to continue to
 have access to the library services.
 You need to reactivate it just by logging in through the following URL. A
 successful login will activate your account and you will be redirected to
 your library profile.

 hxxp://www.lib.umn.cave.gq/login_xxxxxxxxxxxxxxx
 If you are not able to login, please contact Emily Bonnell at
 enbonnell@umn.edu for immediate assistance.
 Sincerely,
 Emily Bonnell
 University of Minnesota Libraries
 (612) 624-xxxx
 enbonnell@umn.edu

Webform

Forged UMN login page - NOT hosted at UMN.EDU

Thing to Note

• Email comes from a Gmail account, not UMN.EDU
• "Emily Bonnell" is not a real UMN staff member - the umn.edu email referenced does not exist
• Forged web page NOT hosted at umn.edu
• Logging into page redirects to the real login page (or a UMN service page if you ARE logged in)

Example 201: Security Updrade Strongly Required

Phish with security warning, going to very good copy of UMN login.

Message:

From: Help Desk <compromised user@umn.edu>
Date: Mon, Jun 19, 2017 at 6:20 PM
Subject: Security Updrade Strongly Required
To:
 
 
University of Minnesota Account Help Desk  is having a problem with your Account.You will not be able to receive any new emails until you Upgrade your account  to avoid suspension.
Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade below: 

Upgrade <hxxp://xxxxxxxxxx.ru/love.php>
Regards,
- Identity Management Team

Web Form

Forged MyU login page - hosted at a .com site

Things to Note

• Email comes from a compromised UMN account
• URL in email points to a Russian (".ru") URL, but redirects to a .COM site for login
• Logging into the page redirects to the REAL MyU login page (nearly identical to their fake page)

Advisory: Logging into University Google resources.

Note: This is an updated reminder of what logging into Google resources should look like (June, 2017). 

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:

Currently, a REAL Google login should look like this:

Current Google App Login (June 2017)

But, be careful. Looking like this is not enough.

(PLEASE note - if you are  already logged in to gmail, following a link to a google doc should NOT present you with a login - you're already logged in.)

When

1. You ARE prompted to login to a resource for the University, 
2. AND you receive the Google prompt,
3. DO NOT enter your password.
4. Just present your email address, e.g. internet-id@umn.edu

Like this:

Logging into Google with an @umn.edu account

If it's legitimate, you may next see:

(You'll see this if Google thinks you have two versions of NAME@umn,edu, Choose "Organizational")

You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.

(note: We present this post on a regular basis so that it reflects the current user experience for logging into Google resources. When there are updates to the Google or University experience, we will update it. The current version will be linked at http://z.umn.edu/RealLogon)

Example 201: Your email (name)@umn.edu, has low storage.

Scam email sent to steal user passwords with "low storage" warning.

Message text:

To (name)@umn.edu 

You are running out of email storage space and this could prevent you from
receiving other important mails!
Please Click Here to verify your email to lift your email storage limit.
Yours Sincerely,
Account Team

Web form:

Things to Note:

• Email to "name@umn.edu" embeds email address in form
• Nothing related to UMN.EDU in email, or form

Example 200: All Faculty and Staff Must Read

Notes: From a non-UMN address, tinyurl resolves to a site with a fake UMN login page.
 
Text of message:

From: Health Care Center <xxxxxx@students.towson.edu>
Date: Fri, Jun 9, 2017 at 9:41 AM
Subject: All Faculty and Staff Must Read
To:
Dear Faculty and Staff
You have an important Health message from University Of Minnesota Faculty and Staff Health Center. Please Click [hxxp://tinyurl.com/y8ng5sxf] Here to read it
[Real UMN Professor Name]
612-xxx-xxxx
xxx Morrill Hall
100 Church St. S.E.
Minneapolis MN 55455

Web Form:

Fake UMN.EDU login, hosted at a .com site

Things to Note:

• Close, but not exact, copy of the UMN login page
• Webform linked using tinyurl.com link to hide true location
• Email comes from a different EDU, not umn.edu

Example 199: Kindly Verify Your Account!!

Spam email with link to non-branded, simple form claiming to "upgrade" accounts.

 Message Text

Subject: Kindly Verify Your Account!! 

From: umni@xxxx.be

INFORMATION TECHNOLOGY SERVICES

Information and Communication Technology Accessibility Policy, Verify your email below to avoid the lose of your  account.

Account Verification

 ©2017 The University of Minnesota Terms of Use.

Web Form

Web form aimed at stealing passwords - note password not obscured

 Things to note:

• No UMN branding
• Not from a UMN address (although the username sprinkles umn in the sender's ID)
• Password not obscured