
Wednesday, January 16, 2019

New Year! New Blog Home!!!

We've moved the University of Minnesota Phishing blog to a new home - come visit us at it.umn.edu/phishing! Don't worry - the content here won't go away, but new posts will be at our new home, it.umn.edu/phishing! (AND, the handy z-link z.umn.edu/phishing points to the new home).

Monday, December 10, 2018

Example 225: Doc701234.docx

Google doc containing phishing link sent to steal login information.

Message Text:

From: Some Name (via Google Drive) <SomeName@gmail.com>
Date: Mon, Dec 10, 2018 at 12:08 PM
Subject: Doc701234.docx
To:
Cc:
SomeName@gmail.com has shared the following document:
Doc701234.docx
<https://drive.google.com/file/d/xxxxx>
John Coleman has shared a file with you
Open
<https://drive.google.com/file/d/XXXXX>
SomeName@gmail.com is outside your organization.
Google Drive: Have all your files within reach from any device.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA <https://drive.google.com>
Linked Doc/ Login Page:

[Image: Google Doc and the linked fake login form]
Things to Note:

  • Email really comes from a Gmail account (anonymized here as "SomeName")
  • Link in email takes user to a real Google Doc 
  • Google Doc goes to a Forged Office 365 web login
Recommended Action:

Tuesday, December 4, 2018

Example 224: WEBMAIL UPGRADE

Simple phishing attempt offering "email upgrade"

Message Text:

Subject:  WEBMAIL UPGRADE
To: "Recipients"
From: "IT HELP DESK" <webmaster@xxxx-info>
Date: Mon, 03 Dec 2018 22:54:22 -0800
Your webmail quota has exceeded the set quota which is 2GB. you are currently running on 2.3GB to re-activate and increase your webmail quota please verify and update your webmail Account by clicking the link hxxp://www.some-domain-here.cf/ fill the form for upgrade.

Webform:

[Image: fake login webform hosted on a .cf domain]

Things to Note:

  • No "UMN" branding
  • Email not from a @umn.edu sender
  • Message really comes from a gmail.com address, but reads "From" a .info address
  • Webform not encrypted - not https, but http - most browsers warn against putting passwords in such forms
  • Form hosted at a .cf (Central African Republic) address, not UMN.EDU
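The indicators listed above (sender not under umn.edu, a "From" header that does not match the address the message was actually delivered from, an http rather than https link, and a form hosted off-domain) can be checked mechanically on a saved message. The script below is an added example, not code from this blog or from UMN: it uses Python's standard library email parser on a constructed sample modeled on this message (the addresses, the Return-Path and the link are made-up placeholders, and the trusted domain is assumed to be umn.edu) alongside a constructed benign message, and reports which indicators fire. The sender-domain check is the same one that applies to Example 225 above, where the notification comes from a Gmail account outside the organization.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: mail from this domain (or its subdomains) is treated as trusted.
TRUSTED_DOMAIN = "umn.edu"

# Display-name fragments that claim an IT/support role; used for the
# impersonation check ("IT HELP DESK" from an outside domain).
SUPPORT_NAMES = ("help desk", "helpdesk", "webmaster", "it support", "admin")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample modeled on Example 224; every address and URL is a placeholder.
SAMPLE_PHISH = b"""Return-Path: <somename@gmail.com>
From: "IT HELP DESK" <webmaster@xxxx-info.example>
To: "Recipients" <undisclosed-recipients@example.edu>
Subject: WEBMAIL UPGRADE
Date: Mon, 03 Dec 2018 22:54:22 -0800
Content-Type: text/plain; charset=utf-8

Your webmail quota has exceeded the set quota which is 2GB.
Please verify and update your webmail Account by clicking the link
http://www.some-domain-here.cf/ fill the form for upgrade.
"""

# Constructed benign message for comparison (also a placeholder, not a real notice).
SAMPLE_LEGIT = b"""Return-Path: <helpdesk@umn.edu>
From: "Technology Help" <helpdesk@umn.edu>
To: user@umn.edu
Subject: Scheduled maintenance
Date: Mon, 03 Dec 2018 09:00:00 -0600
Content-Type: text/plain; charset=utf-8

Details are posted at https://it.umn.edu/phishing
"""


def _domain(addr: str) -> str:
    """Lowercase domain part of an address header value, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _under(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def _body_text(msg) -> str:
    """Text of the first plain or HTML body part, or '' if there is none."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def check_message(raw: bytes, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return 'CODE: detail' strings for each phishing indicator found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Indicator: sender not from the organization, possibly posing as support staff.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not _under(from_dom, trusted):
        findings.append(f"SENDER_DOMAIN: From is {from_addr!r}, not under {trusted}")
        if any(k in from_name.lower() for k in SUPPORT_NAMES):
            findings.append(f"HELPDESK_IMPERSONATION: display name {from_name!r} "
                            "claims a support role from an outside domain")

    # Indicator: the address the mail was really delivered from differs from the
    # header From (the page's "really comes from gmail.com but reads From .info").
    env_dom = _domain(msg.get("Return-Path", ""))
    if env_dom and env_dom != from_dom:
        findings.append(f"ENVELOPE_MISMATCH: delivered from {env_dom} "
                        f"but header From reads {from_dom}")

    # Indicators on every link in the body: unencrypted scheme, off-domain host.
    for url in URL_RE.findall(_body_text(msg)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() != "https":
            findings.append(f"HTTP_LINK: unencrypted link {url}")
        if not _under(host, trusted):
            tld = host.rpartition(".")[2]
            findings.append(f"OFF_DOMAIN_LINK: {host} (.{tld}) is not under {trusted}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["no indicators"])
```

Run on the phishing sample it reports all five indicators; on the benign sample it reports none. The checks are deliberately simple and each one alone has false positives (a vendor's legitimate notification also comes from an outside domain), so a practitioner would use them to rank messages for review rather than to block outright.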

Monday, December 3, 2018

Advisory: Protecting Against Identity Theft

Timely reminder from US-CERT regarding identity theft risks from online shopping.

As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:
If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan.

Wednesday, November 28, 2018

Advisory: Risks of Falling for a Phishing Scam

Advice on what happens if you get phished. From it.umn.edu:

You are popular. REALLY popular. Right now, there are people all over the world writing email and building websites for you.
Unfortunately, a lot of this work is aimed at one thing - collecting passwords tied to your email address.
Now, getting into your email alone is kind of a big deal. Just think about all the business we conduct - personal or work-related - and how it flows through email. But that’s only the start of what can happen when you lose control of that password.
At the University our email address and password are the keys that unlock paychecks, student loans, library resources, and network access. That’s a nice treasure chest of loot for the would-be cyber pirate - but wait, there’s more!
It’s not unusual to use the same password on multiple sites - we’ve all got so many to remember, right? And, oh! What do most sites use for login ID - yes, your email address! So, when some crook nabs your email address and password, they’re free to try it at Amazon, Apple, Netflix, Spotify or you name it. If you use the same password across multiple sites you’ve just created a skeleton key that opens way too many accounts.

There’s hope!

With the roll out of Duo Security at the University of Minnesota, we’ve put a significant roadblock in front of the phishers. Once you enable Duo Security on your account, your password alone will not grant access to your UMN resources (though some, for example, VPN and WiFi are not protected by Duo Security). 
Many, if not most, non-UMN resources can use two factor authentication. Take some time to protect your other accounts. Check out https://twofactorauth.org/ for information on what you can do to add this important tool to your other accounts. 
Next - stop using the same password on multiple accounts. Get a system to manage your passwords - even a paper notebook is a solution. But tools like LastPass, Password Safe, or KeePass will give you a lot of power in managing your many accounts. Also, be sure to set up a strong password or passphrase; here are some tips.
And remember - a very strong way to assert control over your accounts is to change your password. If ever you are concerned that your password has been stolen - change it! It’s as simple as going to my-account.umn.edu.
One last tip from Brad Paisley: “The Internet Is Forever.” In other words, do not reuse old passwords. There is a worldwide active market in stolen passwords - once stolen, the passwords on those lists never go out of circulation. So don’t go back to that favorite password from long ago!

Monday, November 12, 2018

Advisory: "The Boss Needs iTunes Gift Cards For Customers... NOW"

Good summary of scam emails "from" the boss requesting purchase of iTunes (or other) gift cards.

NOTE: This is not hypothetical - we've seen multiple attempts to use this fraud against the University of Minnesota community.

From blog.knowbe4.com:

If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.
Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.
All told, poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!
Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.
Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" and was spoofed by the bad guys.

From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:20 AM
To: Emily Walker <ewalker@distracted.com>
Subject: Respond
Let me know when you are available. There is something I need you to do.
I am going into a meeting now with limited phone calls, so just reply my email.
John Carpenter
Sent from my iPad
-----------------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:24:35
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Did you intend to send this to me?
Emily Walker
Project Manager
Sent from my iPhone
-----------------------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:28 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond
Yes Emily, can you get this done ASAP? I need some couple of gift cards.
There are some listed clients we are presenting the gift cards. How
quickly can you arrange these gift cards because i need to send them
out in less than an hour. I would provide you with the type of gift
cards and amount of each.

Sent from my iPad
---------------------
Subject: RE: Respond
Date: 6 September 2018 at 21:48:03
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Can do now. I’ll put on my credit card. Send me the following:
Type
Number
Amount
Emily Walker
Project Manager

Sent from my iPhone
-------------
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:52 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond

The type of card I need is Apple iTunes gift cards. $100 denomination,
I need $100 X 20 cards. You might not be able to get all in one store,
you can get them from different stores. When you get the cards, Scratch
out the back to reveal the card codes, and email me the codes. How soon
can you get that done? Its Urgent.
Sent from my iPad
--------------------------

Subject: RE: Respond
Date: 6 September 2018 at 21:55:17
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
I can do now. Do you want me to do online instead?
Emily Walker
Project Manager

Sent from my iPhone
-------------------------

On Sep 6, 2018, at 11:57 AM, John Carpenter <officeexec.mails@inbox.lv> wrote:
I need you get physical card from the store
Sent from my iPad
---------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:01:32
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
On my way to store now. What time need by?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:05 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
As soon as you can. I will await codes
Sent from my iPad

--------------------------
Subject: Re: Respond
Date: 6 September 2018 at 22:13:37
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
If choice between the two do you want $15 or $25?
Sent from my iPhone
---------------------

On Sep 6, 2018, at 12:16 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
$100
Sent from my iPad
----------------

Subject: Re: Respond
Date: 6 September 2018 at 22:51:58
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Just texted you the first 11 codes. Heading to another store now. 5 and 6 limit per store.
Sent from my iPhone
------------------------
On Sep 6, 2018, at 12:54 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
Email the codes to me
Sent from my iPad
---------- 
End of email thread. One hour and twenty five minutes later, the bad guys had 2 thousand dollars in iTunes gift cards in their hands and Emily had charged all of them on her personal credit card. OUCH!
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are getting creative with hybrid gift card / CEO fraud scams. There is a massive campaign underway where they are impersonating an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss, after they are physically bought at stores. Never comply with requests like that and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!
Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
 
https://blog.knowbe4.com/scam-of-the-week-the-boss-needs-itunes-gift-cards-for-customers...-now

Wednesday, October 3, 2018

Advisory: Facebook breach: what to do next

FTC advice regarding the recent Facebook breach.

Facebook breach: what to do next

Facebook recently announced the largest breach in the company’s history. The breach affected about 50 million users, allowing hackers to take over their accounts. If you use Facebook, you may be wondering what to do next. Here are a few steps you can take.
First, you probably want to know more about the breach. According to Facebook, the attackers took advantage of a weakness in the “View As” feature, which lets people see what their profile looks like to others. The hackers stole digital keys that keep you logged in to Facebook so you don’t need to re-enter your password every time. Facebook says they’ve fixed the vulnerabilities and reset digital keys on 50 million affected accounts, plus an additional 40 million accounts that used the “View As” function.
To better protect yourself after this breach:
  • Watch out for imposter scams. With access to your Facebook account, hackers can get a lot of information about you. That information could be used to impersonate people you know or companies you do business with. If someone calls you out of the blue, asking for money or personal information, hang up. Then, if you want to know for sure if the person calling you was really your family member or was really from a company you know and trust, call them back at a number you know to be correct before you give any information or money. And remember: anyone who demands that you pay by gift card or by wiring money is scamming you. Always.
  • Consider changing your password. Facebook says that it fixed the vulnerability, so there’s no need to change your password. But, to be safe, log in and change your password anyway. If you use the same password other places, change it there, too. Don’t forget to change your security questions, as well – especially if the answers include information that could be found in your Facebook account.
For more information about what to do after a data breach, visit IdentityTheft.gov/databreach and watch the FTC’s video on What to Do After a Data Breach.
If you learn that someone has misused your personal information, go to IdentityTheft.gov to report identity theft and get a personal recovery plan. Because recovering from identity theft – and data breaches – is easier with a plan.