
Wednesday, June 21, 2017

Example 201: Library Services

Well-crafted email directs recipient to a forgery of the UMN login page.

Message

 Dear User,
 This message is to inform you that your access to your library account
 will soon expire. You will have to login to your account to continue to
 have access to the library services.
 You need to reactivate it just by logging in through the following URL. A
 successful login will activate your account and you will be redirected to
 your library profile.

 hxxp://www.lib.umn.cave.gq/login_xxxxxxxxxxxxxxx
 If you are not able to login, please contact Emily Bonnell at
 enbonnell@umn.edu for immediate assistance.
 Sincerely,
 Emily Bonnell
 University of Minnesota Libraries
 (612) 624-xxxx
 enbonnell@umn.edu

Webform

Forged UMN login page - NOT hosted at UMN.EDU

Things to Note

  • Email comes from a Gmail account, not UMN.EDU
  • "Emily Bonnell" is not a real UMN staff member - the umn.edu email referenced does not exist
  • Forged web page NOT hosted at umn.edu
  • Logging into page redirects to the real login page (or a UMN service page if you ARE logged in)

Tuesday, June 20, 2017

Example 201: Security Updrade Strongly Required

Phish with security warning, going to very good copy of UMN login.

Message:

From: Help Desk <compromised user@umn.edu>
Date: Mon, Jun 19, 2017 at 6:20 PM
Subject: Security Updrade Strongly Required
To:
 
 
University of Minnesota Account Help Desk  is having a problem with your Account.You will not be able to receive any new emails until you Upgrade your account  to avoid suspension.
Kindly be informed that we'll not be held responsible for your account deactivation once you fail to upgrade your account after this Final Warning. To remove your account from our deactivation list kindly click Upgrade below: 
Upgrade <hxxp://xxxxxxxxxx.ru/love.php>
Regards,
- Identity Management Team
Web Form
Forged MyU login page - hosted at a .com site

Things to Note
  • Email comes from a compromised UMN account
  • URL in email points to a Russian (".ru") URL, but redirects to a .COM site for login
  • Logging into the page redirects to the REAL MyU login page (nearly identical to their fake page)

Tuesday, June 13, 2017

Advisory: Logging into University Google resources.

Note: This is an updated reminder of what logging into Google resources should look like (June, 2017). 

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:


Currently, a REAL Google login should look like this:

Current Google App Login (May 2017)
Current Google App Login (June 2017)


But, be careful. Looking like this is not enough.

(PLEASE note - if you are already logged in to Gmail, following a link to a Google Doc should NOT present you with a login - you're already logged in.)

When

  1. You ARE prompted to login to a resource for the University, 
  2. AND you receive the Google prompt,
  3. DO NOT enter your password.
  4. Just present your email address, e.g. internet-id@umn.edu
Like this:
Logging into Google with an @umn.edu account



If it's legitimate, you may next see:
(You'll see this if Google thinks you have two versions of NAME@umn.edu. Choose "Organizational")
You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

University Login page

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.
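
The "ends in umn.edu" rule, written out as a host check (an added example, not code from the original post or from the University). The function names, the shortener list and the samples marked constructed are assumptions for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "umn.edu"      # the advisory: a real login page ends in umn.edu
SHORTENERS = {"tinyurl.com"}    # shortener seen in Example 200 (assumed list, extend as needed)

def refang(url):
    """Undo the hxxp:// defanging used on this page so the URL parses."""
    low = url.lower()
    if low.startswith("hxxps://"):
        return "https://" + url[8:]
    if low.startswith("hxxp://"):
        return "http://" + url[7:]
    return url

def classify_login_url(url):
    """Return 'umn.edu', 'shortener' or 'external' for the host named in url."""
    parts = urlsplit(refang(url.strip()))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "external"
    # .hostname is lower-cased with any user@ prefix and :port removed
    host = parts.hostname.rstrip(".")
    # Compare whole DNS labels: "umn" somewhere in the name proves nothing
    if host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX):
        return "umn.edu"
    if host in SHORTENERS:
        return "shortener"      # destination unknown until the link is resolved
    return "external"

# Two URLs quoted on this page, then constructed samples
SAMPLES = [
    "hxxp://www.lib.umn.cave.gq/login_xxxxxxxxxxxxxxx",
    "hxxp://tinyurl.com/y8ng5sxf",
    "https://login.umn.edu/signin",            # constructed
    "https://login.umn.edu.example.com/",      # constructed: umn.edu is not the ending
    "https://login.umn.edu@phish.example/",    # constructed: text before @ is not the host
    "https://fakeumn.edu/",                    # constructed: suffix without a label boundary
]

def classify_samples():
    return [(u, classify_login_url(u)) for u in SAMPLES]

if __name__ == "__main__":
    for url, verdict in classify_samples():
        print(f"{verdict:10} {url}")
```

Apply the check to the address of the page that finally asks for a password, not only to the link in the email: the "Security Updrade" lure above started at a .ru address and redirected to a .com site.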



(note: We present this post on a regular basis so that it reflects the current user experience for logging into Google resources. When there are updates to the Google or University experience, we will update it. The current version will be linked at http://z.umn.edu/RealLogon)

Monday, June 12, 2017

Example 201: Your email (name)@umn.edu, has low storage.

Scam email sent to steal user passwords with "low storage" warning.

Message text:

To (name)@umn.edu 
You are running out of email storage space and this could prevent you from
receiving other important mails!
Please Click Here to verify your email to lift your email storage limit.
Yours Sincerely,
Account Team
Web form:


Things to Note:

  • Email to "name@umn.edu" embeds email address in form
  • Nothing related to UMN.EDU in email, or form

Friday, June 9, 2017

Example 200: All Faculty and Staff Must Read

Notes: From a non-UMN address, tinyurl resolves to a site with a fake UMN login page.
 
Text of message:

From: Health Care Center <xxxxxx@students.towson.edu>
Date: Fri, Jun 9, 2017 at 9:41 AM
Subject: All Faculty and Staff Must Read
To:
Dear Faculty and Staff
You have an important Health message from University Of Minnesota Faculty and Staff Health Center. Please Click [hxxp://tinyurl.com/y8ng5sxf] Here to read it
[Real UMN Professor Name]
612-xxx-xxxx
xxx Morrill Hall
100 Church St. S.E.
Minneapolis MN 55455
Web Form:
Fake UMN.EDU login, hosted at a .com site
Things to Note:
  • Close, but not exact, copy of the UMN login page
  • Webform linked using tinyurl.com link to hide true location
  • Email comes from a different EDU, not umn.edu

Friday, June 2, 2017

Example 199: Kindly Verify Your Account!!

Spam email with link to non-branded, simple form claiming to "upgrade" accounts.


 Message Text

Subject: Kindly Verify Your Account!! 
From: umni@xxxx.be
INFORMATION TECHNOLOGY SERVICES
Information and Communication Technology Accessibility Policy, Verify your email below to avoid the lose of your  account.
Account Verification
 ©2017 The University of Minnesota Terms of Use.

Web Form

Web form aimed at stealing passwords - note password not obscured
 Things to note:

  • No UMN branding
  • Not from a UMN address (although the username sprinkles umn in the sender's ID)
  • Password not obscured