
Tuesday, July 29, 2014

Security Tip: Clear All Sessions!


How can you tell if someone else has used (IS using!) your account?

Gmail gives you a tool to answer that question, the “Last Account Activity” control. Even better, you can clear all sessions to shut out someone who has logged in with your password!





Phishing Example 58: Warning

Received July 2014

Message Body:


   Subject: Warning!
      Date: Tue, 29 Jul 2014 05:46:31 -0700
        To: undisclosed-recipients:;
      From: UMN Web Admin
   This is an automatic message by University of Minnesota system to let you
   know that you have to confirm your account information. An Attempt has been
   made to login from a new computer, You might not be able to send or receive
   new mail until you re-validate your mailbox .To re-validate your mailbox.-
   Click Or Open this link to VERIFY your Account:
      http://xxxx-xxx-xxx.com/
 
Thanks for your anticipated co-operation,
   Subscriber! University of Minnesota Customer Care
   Case number: 8949824
   Property: Account Security
   © 2014 Regents of the University of Minnesota. All rights reserved.


Things to note:
  • Attempt to use UMN branding, in message and on web form.
  • Still on a commercial web form provider.
  • Odd language (Pas|WORD for Password) on form.
  • Password shows in clear on form.

Phishing Example 57: Attention

Received July 2014

Message Body:

   Subject: Attention
   Date: Tue, 29 Jul 2014 15:50:12 +0530 (IST)
   From: Webmail Administrator

  Dear eMail User,Your email account is due for upgrade.Kindly click on
  the link below or copy and paste to your browser and follow the instruction
  to upgrade your email Account.
              http://wadministrator.xxxxxx..xxx/webmailtechnicalteam

Our webmail Technical Team will update your account. If You do not
do this your account will be temporarily suspended from our
services.Warning!! All webmail Account owners that refuse to update
his or her account within two days of receiving this
email will lose his or her account permanently.Thank you for your cooperation!
Sincere regards,WEB MAIL ADMINISTRATOR
Copyright @2014 MAIL OFFICE All rights reserved.
   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Things to note:
  • Nothing UMN branded
  • IST (India Standard Time Zone)?
  • Served off of a free web page provider ("make your own" link included on page)



Thursday, July 24, 2014

Phishing Example 56: WEBMAIL DATABASE

Received July 2014

Message text:

From: web Admin
   Date: Thu, Jul 24, 2014 at 9:12 AM
   Subject: WEBMAIL DATABASE
   To: info@webmaster.org
   This is to inform you that we are of current plan to upgrade our
   *WEBMAIL DATABASE* and You have to confirm and upgrade your
   Email account by clicking on the link below:
   *http://xxxxx.webs.com/ <http://xxxx.webs.com/> *
   Regards
   Online Support Team

Notes:
  • Hosted at webs.com, not umn.edu.
  • No UMN.edu branding.
  • Mail "from" webmaster.org? 




Wednesday, July 23, 2014

Phishing Example 55: New Message

Received July 2014

Message text:

   ---------- Forwarded message ----------
   From: University of Minnesota
   Date: Wed, Jul 23, 2014 at 2:22 PM
   Subject: New Message
   To:
   Dear Member,
   You Have 1 New Message
   Click Here To Read
   <http://xxxxx.xxxt.com/openemr/library/classes/umn.edu.htm>
   Regards,
   ©2014 University of Minnesota

Notes:

  • Received from multiple .edu email addresses (not from umn.edu!).
  • Directs to a .com address (NOT umn.edu),
  • Uses a very good copy of the UMN login page.





Tuesday, July 22, 2014

What Are We Doing About Phishing?

On report of phishing attempts – 
  • We block the phisher return email addresses.
  • If a website is used to collect replies, we notify the website administrators that their services are being misused or have been compromised.
  • We block access from the University network to phisher websites.
  • We notify other schools about reported phisher addresses and websites.
  • We work to tune our rules that flag phishing email as spam.
IF you or anyone else receives a phishing email that targets University email ACCOUNTS, REPORT it to phishing@umn.edu

Monday, July 21, 2014

Phishing Example 54: Update Alert

Received July 2014

Message Text:

   From:
   Date: Mon, Jul 21, 2014 at 2:37 PM
   Subject: Update Alert
   To:
   You have exceeded your mail.umn.edu quota limit of 500MB and you need
   to expand the mail.umn.edu quota before the next 48 hours. If you have not
   updated your *mail.umn.edu  *account in 2014,
   you must do it now. You can expand to 10GB mail.umn.edu quota limit.
   Click on the link below to upgrade your account:

   https://docs.google.com/forms/d/....xxxxxxxx

   Thanks for your understanding.

Google form used for phish:




Things to notice:

  1. Not branded with standard UMN template
  2. Uses Google forms
  3. INCLUDES Google Form warning not to submit passwords!

Phishing Example 53: Incoming mails noreply@umn.edu

Received July 2014

Message text:
   From:
   Date: Mon, Jul 21, 2014 at 8:23 AM
   Subject: Incoming mails noreply@umn.edu
   To:
   You have a message click on the link hxxp://xxx-xxxx-umn-edu.webs.com/
   to read




Notes:

All these factors should tip you off - this is NOT really from the University.

  1. Modest attempt at UMN branding
  2. Tricky addition of "noreply@umn.edu" to the subject, not the From line.
  3. Hosted at "webs.com" free website provider
  4. Misspelled "Internat ID"
  5. Misspelled "Pascsword"
  6. Shows the password in the clear

Friday, July 18, 2014

Phishing Example 52: I've shared an item with you.

Received July 2014.

This has been sent from a compromised umn.edu account (or accounts), so you may not see the tag ***SPAM*** in the subject line.


Message body:

   Subject: I've shared an item with you.
   From:
   To: undisclosed-recipients:;
   *Sent:* Friday, July 18, 2014 12:59 PM
   *Subject:* I've shared an item with you.
   Hello,
   I just shared a document with you using Google Drive. All you have to do is
   go to https://drive.google.com <http://xxx.xxxxx.com/platform/index.htm> to
   view it and sign in with your email address, as it is stored online.
   Note: it's not an attachment, it's a document stored online
   Best Regards


This is what the link takes you to, but it is NOT how a real Google doc will prompt you for your login.
Google docs do not ask you to use Yahoo, Windows or AOL logins:


If you "login" you will be directed to a bogus doc that is in Google. However, your credentials will be in the phishers' hands, and your account will be sending spam (probably just like this one).


If you, or someone you know, entered an ID and password in this, change that password immediately!

Thursday, July 17, 2014

Reminder: Avoid tech support phone scams

We've recently had a number of reports on campus of people receiving calls from "technical support" (often "Microsoft Technical Support") alerting users to supposed problems with their computers. If you receive such a call - don't fall for it. Check with your technical support or help@umn.edu if you have any doubts.

The word from Microsoft:

Avoid tech support phone scams
Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:
  • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Convince you to visit legitimate websites (like www.ammyy.com) to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.
Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
See also the Snopes.com page (http://www.snopes.com/fraud/telephone/microsoft.asp) about such scams.

Monday, July 7, 2014

Phishing Example 51: Your mailbox has been temporally suspended

Received July 2014

From:
   Date: Mon, Jul 7, 2014 at 10:21 AM
   Subject: Your mailbox has been temporally suspended
   To:
   --

      [ NO text in the message ]

   Download ADMIN.docx
   application/vnd.openxmlformats-officedocument.wordprocessingml.document 10.6k

The attachment, if you opened it (please don't) :


The link in the document takes you to:



A *very* generic login which looks nothing at all like the real deal:

Note: 
 Looks can be deceiving.  Some phishers (happily, not many) do copy the UMN login page and present you with a very convincing counterfeit.  As always - double (triple!) check the URL when being asked to log into a UMN web page.


Wednesday, July 2, 2014

Phishing Example 50: Webmail Verification

Received July 2014

 From:
   Date: Wed, Jul 2, 2014 at 12:42 PM
   Subject: RE: Webmail Verification
   To:
   *Dear mailbox user,*
   *Your Email Account have been violated, unsuspicious activities was
   noticed in your email account and your account will be disabled shortly.*
   *you are required to verify your email account to prevent your email
   account from being disabled. click on our ITS-SUPPORT
   <http://xxxxxxxxx.tripod.com/>*
   <http://xxxxxxxxx.tripod.com/>*to fill out the necessary
   information to secure and verify your account*
   *Additional Info Staff,Student and Faculty Members Only.* *Click on
   Staff and Faculty ACCESS-PAGE <http://xxxxxxxxxx.tripod.com/>*
   *IMPORTANT NOTE**:* *Your account will be disabled if not verified within
   the next 24hours**.*
   *ITS help desk **ADMIN TEAM*
   *©Copyright 2014 Microsoft*


Nope, no UMN branding, advertisements... AND hosted at tripod.com?




Phishing Example 49: Administrative Notice!!!

Very old school - a request for you to email your name and password (please don't!).

Received July 2014
Message body:


  > From: Help Desk
   > Subject: Administrative Notice!!!
   > Date: 2 July 2014 at 10:38:19 CDT
   > To:
   > Reply-To:
   >
   > Help Desk
   >
   > Attention Account User,
   >
   > Scheduled Maintenance & Upgrade
   >
   > Your account is in the process of being upgraded to a newest
   > Windows-based servers and an enhanced online email interface inline with
   > internet infrastructure Maintenance. The new
   > servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile    
   >devices to enhance your   usage.
   >
   > To ensure that your account is not disrupted but active during and after this upgrade, you are
   > required to kindly confirm your account by stating the details below:
   >
   > * Domain\user name:
   > * Password:
   >
   > This will prompt the upgrade of your account.
   >
   > Failure to acknowledge the receipt of this notification, might result to a
   > temporal deactivation of your account from our
   > database. Your account shall remain active upon your confirmation of your login details.
   >
   > We do apologize for any inconvenience caused.
   >
   > Sincerely,
   >
   > Your Customer Care Team
   >
   >
   > (c) Copyright 2014, All Rights Reserved.
   

Phishing Example 48: System Notifications/Account Closure

Received July 2014

Message body:

   From: UMD Email - Support
   Date: Wed, Jul 2, 2014 at 1:10 AM
   Subject: System Notifications/Account Closure
   To:
   Dear University of Minnesota Duluth Webmail User
   We hereby announce to you that your email account has exceeded its
   storage limit. You will be unable to send and receive mails and your
   email account will be deleted from our server. To avoid this problem,
   you are advised to verify your email account by clicking on the link
   below.
   CLICK HERE <http://xxxxxxxxxxxxxxx/upgrade.php>
   Failure to comply will result to permanent termination of your email account
   Thank you.
   © 2014 Regents of the University of Minnesota Duluth . All rights reserved.
   The University of Minnesota is an equal opportunity educator and employer
   The Webmail Management Team



Notes:
  • very simple, unbranded form
  • does hide the password when entered
  • not from a ...umn.edu/ URL

Tuesday, July 1, 2014

Welcome To The New Blog! Same As The Old Blog!


We've moved!

With the end of the http://blog.lib.umn.edu/ support, we've moved the UMN Phishing blog to Blogger!

You should find all the past posts here - and new ones as we have more examples of phishers targeting our UMN community.


Phishing Example 47: Library Account

Here's a reminder to question unexpected warnings and double-check that supposed "official" login pages are REALLY hosted at UMN.EDU locations.
Received June 2014:
Email being seen that points at what LOOKS like a UMN URL, but went offshore:
From: Library 
Date: Thu, Jun 26, 2014 at 8:47 AM
Subject: *****SPAM***** Library Account
To:
Dear User,
Your library account has expired, therefore you must reactivate it
immediately or it will be closed automatically. If you intend to use this
service in the future, you must take action at once!
To reactivate your account, simply visit the following page and login wilth
your library account.
Login Page:
xxxxxxxxxxxxxxxxxx
Sincerely,
University of Minnesota Libraries
499 Wilson Library
309 19th Avenue South
Minneapolis, Minnesota 55455
(612) 624-3321 (voice)
(612) 626-9353 (fax)



---
Goes to a copy of UMN login page on an offshore website, and claims to "reactivate" your account.
Dangerous, because the phishers copied our real login page: the page looks identical to, and behaves like, a real login page, then puts up a fake "reactivation message" with a link to the UMN library system:

Phishing Example 46: EMAIL UPDATE

Things to note:
  • hosted at a non-umn.edu website
  • displays passwords in clear text




Received June 2014 :
From: UMN Help
Date: Sun, Jun 29, 2014 at 12:35 PM
Subject: EMAIL UPDATE
To: Recipients

Dear User,
Please validate your account. To perform this action CLICK HERE
Thank you.
Help Desk
The University of Minnesota

Phishing Example 45: Warning Warning Warning!!!


Summer time and the phishing continues!
These phishers are using a free website portal to offer an "upgrade" in storage, unaware that UMN users already get 30 gig of storage, and they make no attempt to brand their form to look like it comes from the University.



Received June 2014:
Subject: RE: Warning Warning Warning!!!
Date: Tue, 24 Jun 2014 12:54:17 +0000
From:
To:
Your mailbox is almost full. <http://xxxxx.xxxx.com/>
461MB <http://xxxxx.xxxx.com/> 500MB
<http://xxxx.xxxx..com/>
Current size Maximum size
Help desk requires to upgrade your *EMAIL *account *UPGRADE-HERE*
<http://xxxx.xxxx.com/> Update your account for HTK4S
Anti-Virus/Anti-Spam.
And Allow New Mails to come in Now
IT help desk 2014 <http://xxxx.xxxx.com>
ADMIN TEAM <http://xxxx.xxxx.com/>


Phishing Example 44: Security Alert


Most users should see this marked as spam - but here's a new phish, pointed at a free website provider (not a umn.edu address). There's an interesting attempt at "branding," but with an odd logo that has nothing to do with email.

From: Mail Admin:: University of Minnesota
Date: Thu, May 29, 2014 at 8:32 AM
Subject: Security Alert:
To:
Important information regarding your University of Minnesota account

You have reached your University of Minnesota email maximum data allowance,
you may not be able to send or receive email with your email account again;
Because it has been brought to our attention that your email account has
been accessed and used by a third party to send spam/phishing emails.Kindly
Visit *umn.edua*
Or
Click on *University of Minnesota Login*

now. and Login your account details.


Phishing Warning: Beware "Reset Your eBay Password" Emails


Posted May 2014

Large-scale data breaches that are widely publicized, like the recent eBay breach, offer attackers a new opportunity for malicious emails designed to steal your credentials.
To safely change your eBay password, log directly into eBay and use the change password option.

Phishing Example 43: "Dear Account User." Gmail spoof



A clever email has been making the rounds, using a PDF security notice. It claims to be from gmail, and it directs users to a fake gmail login - the mail reads:
Dear Account User. Attached Account Verification Letter.
Sincerely,
The Gmail Support Team!
Attached is a PDF:
IF a user clicks on the link (please don't!) they'll go to a fake (but very plausible) gmail login page:

(note: this web link will no longer work within the University network.)
If that wasn't enough, users who give a name and password, will be asked to supply a phone number and alternate email address!



If you, or anyone you know, were deceived by this spam, tell them to go to the My Account page at https://www.umn.edu/myaccount and change their password immediately, and report the incident to phishing@umn.edu.

Phishing warning: Heartbleed may generate new scams


Posted April 2014


"Given the growing public awareness of this bug, it's probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question."
For more information on the Heartbleed vulnerability see http://heartbleed.com

Phishing Warning: Google Docs Users Targeted by Sophisticated Phishing Scam


Symantec reports a new phishing scam that sets up a form that looks like a Google sign-in inside a Google Drive document.
"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages."
FakeGoogle032014.jpg
NOTE:
  • If you get an unexpected document from an unknown (or unlikely) collaborator, be suspicious.
  • IF you are already logged in to Google in your browser, a Google doc should NOT redirect you to a login form.
  • When UMN Google Apps DO direct you to a login page - they should always include UMN branding.

Phishing example 42: Update

Notes: This is a particularly nasty phishing scam because it is spoofed to come from help@umn.edu, and the link (which is now blocked) was a perfect copy of the University's login page.
From: Helpdesk 
Date: Sat, Mar 1, 2014 at 3:00 PM
Subject: Update
Dear User
Due to high numbers of inactive mail accounts on our server, all email
users are urged to update their email account within 24 hours of receiving this email, by
using the Update
*Click here hxxp://xxxxxxxxxxxxxxxx/idp/umn/login.php *to confirm
that their email account is active.
Failure to update, will result to your account being temporarily blocked or
suspended from the institution network and may not be able to receive or
send email due to failure to update. Do not ignore this message to avoid termination
of your webmail account.
Thanks for your co-operation.
Yours sincerely,
Call: 612-301-4357 (1-HELP)
Email: help@umn.edu

Phishing warning: US Tax Season Phishing Scams and Malware Campaigns


In the past, US-CERT has received reports of an increased number of phishing scams and malware campaigns that seek to take advantage of the United States tax season. The Internal Revenue Service has issued an advisory on its website warning consumers about potential scams.
Tax season phishing campaigns may include, but are not limited to:
  • Information that refers to a tax refund,
  • Warnings about unreported or under-reported income,
  • Offers to assist in filing for a refund, or
  • Links to counterfeit e-file websites.
For more information see the US-CERT notice
US-Tax-Season-Phishing-Scams-and-Malware-Campaigns.

Phishing Example 41: Dear webmail user


Received February 2014
Once again, no, the University really doesn't send messages like this:
From:
Date: Fri, Feb 21, 2014 at 10:11 AM
Subject: Dear webmail user
To:
You have reached the storage limit on your mailbox. Please visit the below
link to restore your email access.
httx:/xxxxxxxxxxxxxxx/xmail/UPGRADE/
Do not ignore this message to avoid termination of your account.
System Help-desk
Copyright (c) 2013 # * * ALL RIGHTS RESERVED

Phishing Example 40: Umn Email Alert


Received January 2014
From: Email Alert 
Date: Tue, Jan 7, 2014 at 5:57 AM
Subject: Umn Email Alert
To: alert@umn.edu

Note the link leads to an exact duplicate of the University's login page, but the URL does not end in umn.edu. Entry of any credentials leads to the google.com login page.

RT329176_phish-form.GIF

Phishing Example 39: You have 1 important mail alert!!


Received: December 2013
Subject: You have 1 important mail alert!!
Date: 18 Dec 2013 04:15:37 -0000
To: "recipients"
From: "onlinemessage1"
Dear Account User,
Your mailbox has exceeded the limit of 30 GB, which is as set by your manager, you are currently at 30.9GB, very soon you will not be able to create new e-mail to send or receive again until you validate your mailbox.To re-validate your mailbox, click on the attach link and follow the instruction for your upgrade.
Sincerely,
Email Administrator.
Notes:
You should never click a link to a PDF without verifying that it is safe; it could be installing malware. In this case we scanned the PDF before opening it.
The attached link is a PDF document that opens with a link to a fake login site that looks like this:
http://blog.lib.umn.edu/it-comm/phishing/RT328298_phish-form1.GIF
When you enter an ID and password, another window comes up asking for verification of your *alternate* email address (Google, Yahoo, etc.), that looks like this:
http://blog.lib.umn.edu/it-comm/phishing/RT328298_phish-form2.GIF

Phishing Example 38: Your Incident ID is: 130329-018715


Sent November 2013:
From: MyUmn
Date: Fri, Nov 8, 2013 at 7:58 PM
Subject: Your Incident ID is: 130329-018715
To:
Your Incident ID is: 130329-018715
This is an automated message to notify you that we detected a login attempt
with a valid password to your Umn! account from an unrecognized device on
Friday, Nov 8th, 2013 18:33 CEST.
Location: Sweden, Stockholm (IP=204.79.146.0)
Was this you? If so, you can disregard the rest of this email. If this
wasn't you kindly follow this link
http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ to review your Umn
account
Sincerely,
MyUmn IT HelpDesk
[---001:000564:57449---]
Please do not reply to this message. Mail sent to this address cannot be
answered.
110813-yola.jpg

Phishing Example 37: faculty/staff

Sent: November 2013
FACULTY/STAFF: NOVEMBER - DECEMBER MAILBOX QUOTA CLEAN-UP
Mailbox Quota Size: 100 %
Current Mailbox Quota: 98.09%
Your mailbox is almost full.
465MB
500MB
Important Notice: Mailbox SEND or RECIEVE operation will be deactivated at 100% Quota-size clickhere on Faculty-Staff 
ADMIN
ITS HELP DESK,
© Copyright 2013.
Privacy and Confidentiality Notice: The information contained in this e-mail is intended for the named recipient(s) only. It may contain privileged and confidential information. If you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, we would be grateful if you would notify us immediately. Thank you for your assistance.
Please note that e-mails sent or received by our staff may be disclosed under the Freedom of Information Act (unless exempt).
Note: Password disclosed
http://blog.lib.umn.edu/it-comm/phishing/RT325219_phishing_form.GIF

Phishing Example 36: FACULTY/STAFF


Received 10/2013
Subject: FACULTY/STAFF
Date: October 31, 2013 9:52:58 AM CDT
To: undisclosed-recipients:;
Body text:
Institutio​n account routine Maintenance
Your mailbox is almost full.
465MB
500MB
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails until You Re-Validate It. To RE-VALIDATE [hxxp://xxxxx.webs.com] or If it does not work then copy and past the link. Thank you
ITS help desk

ADMIN TEAM
Notes:
Password shown in the clear

Phishing Example 35: Things to notice on a fake UMN login page

When you are directed to a login page, please look carefully:

bogus-aussie0.jpg
This page is an impressive copy of a UMN login page:


  • all the links go back to real UMN pages
  • the look matches UMN pages
  • the password does not show in the clear (that is, when entered, it does NOT display the text)
    HOWEVER notice - it asks you for a birthdate:

    bogus-aussie1.jpg

    AND IT'S NOT HOSTED AT UMN.EDU!

    bogus-aussie2.jpg

    Phishing Example 34: Bogus UMN login page

    A recent phishing page discovered, hosted at a free website provider, underlines why you must pay attention to the URL when you are using the WEB:
    090313-googdoc2.bmp

    This page has nothing to distinguish it from a real UMN sign-in page. IF you fill it in, it will redirect you to the real - apparently identical - shibboleth login page.

    ALWAYS double check the web address - if the URL for a UMN sign-in does NOT end in "umn.edu" do not use it.
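
The "ends in umn.edu" rule above, and the link whose visible text says one site while it points to another (Example 52), can both be checked mechanically. The following Python is an added example, not code from the University or from the original posts; `check_link`, `host_of`, `under` and the flag names are hypothetical, and the sample links are the redacted ones quoted in the posts on this page.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "umn.edu"                                   # real UMN sign-in pages end here
FREE_HOSTS = ("webs.com", "tripod.com", "jimdo.com")  # free providers named in the posts
# Visible link text that is itself a web address (optionally defanged as hxxp://).
URLISH = re.compile(r"^(?:h(?:tt|xx)ps?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# "umn.edu" or "umn-edu" appearing anywhere in a URL.
BRAND = re.compile(r"umn[.-]edu", re.I)


def host_of(url):
    """Return the lowercased hostname of a URL, or '' if it has none."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)  # undo hxxp defanging
    if "://" not in url:
        url = "http://" + url          # urlsplit only finds a host after a scheme
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:                 # malformed address: treat as no host
        return ""


def under(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    The comparison is made on a label boundary ("." + domain), so a hostname
    that merely ends with the same letters, or that has the name followed by
    extra characters, does not pass.
    """
    return host == domain or host.endswith("." + domain)


def check_link(text, href):
    """Return warning flags for one link: its visible text and its real target."""
    flags = []
    target = host_of(href)
    if not under(target, TRUSTED):
        flags.append("target-not-umn.edu")
        if BRAND.search(href):
            # The name shows up in a subdomain label, a path or a file name,
            # which is not the same as the address ending in umn.edu.
            flags.append("umn.edu-elsewhere-in-url")
    if any(under(target, h) for h in FREE_HOSTS):
        flags.append("free-web-host")
    shown = text.strip()
    if URLISH.match(shown) and host_of(shown) != target:
        flags.append("text-and-target-differ")
    return flags


# Links as quoted (already redacted) in the posts on this page.
SAMPLES = [
    ("https://drive.google.com", "http://xxx.xxxxx.com/platform/index.htm"),
    ("Click Here To Read",
     "http://xxxxx.xxxt.com/openemr/library/classes/umn.edu.htm"),
    ("hxxp://xxx-xxxx-umn-edu.webs.com/", "hxxp://xxx-xxxx-umn-edu.webs.com/"),
    ("University of Minnesota Login", "https://www.umn.edu/myaccount"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(f"{text!r} -> {href}\n    {check_link(text, href) or 'no flags'}")
```

An empty result only means the address itself passed these checks; a message sent from a compromised umn.edu account can still link to a page that does.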

    Phishing Example 33: Webmail Admin. Notification !!

    To:
    Subject: Webmail Admin. Notification !!
    Your account safety is our top priority.
    Recently, we have detected some unusual activity on your account and as
    a result,
    all email users are urged to update their email account within 24 hours
    of receiving this e-mail, using the update link: *CLICK HERE
    * to confirm that your
    email account is up to date with the institution requirement.
    Do not ignore this message to avoid termination of your webmail account.
    Our apologies for any inconvenience this may have caused, but your
    account safety and privacy is very important to us.
    Thanks for your co-operation.
    Yours sincerely,
    Webmail Admin.

    Notes:




  • Should be marked as spam in the UMN mail system
  • Web form NOT branded 
  • Password fields not masked.



    926jimdo3.jpg
    But at least they care about your privacy!


    Phishing Example 32: Dear Sir/Madam



    Subject: *****SPAM***** Dear Sir/Madam
    Date: Mon, 23 Sep 2013 12:57:47 +0000
    From:
    To: Undisclosed recipients:;
    Your mailbox needs to be validated and protected against on going spam activities and
    needs to be expanded. click on this link
    hxxp://xxxxxxxxxxxxxxxxor
    copy and paste the link on your URL fill the form and submit for validation.


    Notes:
  • Very amateur webform set up on free website provider
  • No UMN branding, not hosted at umn.edu site
  • All private information shown in clear
  • Now blocked at the U, website provider has taken this down.
  • Actively used until taken down

    092313-websitewizard.jpg
    Phishing Example 31: IT HELPDESK *** IMPORTANT***



    Received September 2013:
    Subject: IT HELPDESK *** IMPORTANT***
    To: Recipients
    From: ADMIN,
    HELPDESK
    Date: Tue, 17 Sep 2013 20:33:28 +0100

    Hi User,


    This is a compulsory email account verification. CLICK HERE TO VALIDATE AND VERIFY YOUR EMAIL ACCOUNT
    Regards,Abuse/Help Desk
    091913-eco.jpg
    PLEASE Note!
    Some browsers will show a warning like this one shown below - if you see it, PLEASE don't follow the link, report it to phishing@umn.edu!
    chrome-warn.jpg

    Phishing Example 30: Re: Upgrade Your Mailbox:


    Received: September 2013
    Dear Email User:
    Re: Upgrade Your Mailbox:
    Your mailbox has exceeded the limit of 30 GB, which is as set by the
    administrator, you are currently at 30.9GB, very soon you will not
    be able to send or receive e-mail again until you validate your
    mailbox. To re-validate your mailbox, click on the link below and
    follow the instruction for your upgrade.
    Click Here To Upgrade Your Mailbox: hxxp://xxxxxxxx.com/ne/administrator_restore.htm
    After re-validating your mailbox, your email account will not be
    interrupted and will continue as normal. We thank you for your
    prompt attention to this instruction. Please understand that this is
    a security measure intended to help protect your mailbox. We
    apologies for any inconvenience.
    Failure to upgrade and re-validate your email account membership
    details as directed above, your mailbox will be SUSPENDED!
    Warning Code:VX2G99AAJ
    Sincerely,
    Email Administrator.
    Note: No University branding, and the password is concealed as you enter it.
    http://blog.lib.umn.edu/it-comm/phishing/RT319365_phish_form.GIF

    Phishing Example 29: Faculty &Staff Account Notification


    From: 
    Date: Wed, Sep 11, 2013 at 7:40 AM
    Subject: *****SPAM***** RE: Faculty &Staff Account Notification 
    (Good news! We're tagging it as spam!)
    To: 
    Institute account Routine System. all institutional mail account
    users are advice to upgrade /Update account now This has been
    made mandatory for all. for assistance click:
    ITS<hxxp://xxxxxxxxxxxxx.jimdo.com/>
    Failure to do this you will have your account suspended on till report is
    made to the institution authorities.
    *ITS service Team*
    © Copyright 2013.
    All Rights Reserved



    Nothing too new here. Things to note:

  • Password shows in the clear
  • Not UMN branded


  • Hosted at a free website service

    http://blog.lib.umn.edu/it-comm/phishing/jimdo-091113.jpg

    Phishing Example 28: Important document



    Received September 2013:

    From:
    Date: Sat, Aug 31, 2013 at 12:59 PM
    Subject: Important document
    To:
    Hello,
    Please view the document I uploaded for you using Google secure doc, Click
    here <hxxp://xxxxxxxxx.eu/2013gdocs/index.htm> and sign in with your email
    to view it's very important.
    Regards.



    No, not a real google doc share.








    Phishing Example 27: Attention: Web-mail User




    Received September 2013
    From: <*******@*********>
    Subject: Attention: Web-mail User
    Date: Mon, 2 Sep 2013 10:24:57 +0000

    *Attention: Web-mail User,*
    *This is to inform you that our web-mail server has been scheduled for
    upgrade**
    and maintenance, this is to improve the ability to identify and block
    spam,**
    phishing attempts and anti-virus functions for better online services.*
    *To avoid your e-mail account been terminated during this upgrade, Kindly**
    click the link below and follow the instructions to upgrade.*
    *CLICK HERE* 
    *Your Email access will be disable if you fail to comply with the above.*
    *We do apologize for any inconvenience caused.*
    *Thanks**
    System Administrator*
    Note: No University branding, passwords in clear text.

    http://blog.lib.umn.edu/it-comm/phishing/RT318618_phish_form.gif

    Phishing Example 26: Email Quota Account Upgrade.


    Received: August 2013
    From: "Email Help Desk" <*******@*******.com>
    Subject: Email Quota Account Upgrade.
    Date: 26 August 2013 08:11:32 CDT
    To: Recipients <*******@*******.com>
    Attn: Email User,
    Your mailbox has exceeded the limit of Quota Usage, which was set by your admin panel, and access to your mailbox via our mail portal will be unavailable expect you upgrade your email account against spam.
    To upgrade and re-validate your mailbox, do click on the link to upgrade: Upgrading Link
    Thanks
    System Administrator.
    Note: does not mimic UMN login page, but does conceal password.

    http://blog.lib.umn.edu/it-comm/phishing/RT318528_phish_form.gif

    Phishing Example 25: UMN : Webmail Upgrade

    Received August 2013:
    This is a variation on one received earlier, but it was sent from a compromised UMN.EDU account, and they added "UMN:" to the subject.
    From: HelpDesk
    Date: Friday, August 30, 2013
    Subject: UMN : Webmail Upgrade
    To:
    Dear umn.edu Email user,
    Your e-mail Id needs to be updated with our F-Secure
    new version anti-spam/anti-virus/anti-spyware 2013.
    Click on the link below; Our webmail Team will update your account.
    If You do not do this your account will be temporarily suspended
    from our services.
    hxxp://xxxx.xxx.ua/images/security/upgrade.php
    Thank you for your cooperation!
    Regards,
    WEB MAIL ADMINISTRATOR
    Copyright @2013 MAIL OFFICE All rights reserve
    All rights reserved.
    http://blog.lib.umn.edu/it-comm/phishing/ua-083013.jpg

    Phishing Example 24: Mailbox Upgrade Notification

    Received: August 2013

    Text:
    Date: Thu, Aug 29, 2013 at 5:19 AM
    Subject: Mailbox Upgrade Notification
    To:

    Mailbox Upgrade NotificationAs part of our ongoing firm wide upgrade and
    our email servers, we need to migrate your mailbox to a different location
    so it will be compatible with the newer versions of software. During the
    move you won't be able to send/receive email, including via your mobile
    device(s). The downtime should be about 1 hour please *CLICK
    HERE:[hxxp://www.***.*****/form/0B5pLYhlLTxsDYS1ELXhtb1drX3M]
    * and follow the instructions on the pop up window to upgrade your email
    account

    http://blog.lib.umn.edu/it-comm/phishing/RT318379_phishing_form.GIF

    Phishing Example 23: Webmail Upgrade

    Received August 2013:
    From: HelpDesk <xxx@um.edu.my> (um.edu.MY? nope not legit!)
    Date: Wed, Aug 28, 2013 at 8:24 PM
    Subject: *****SPAM***** Webmail Upgrade (should be marked as spam)
    To:
    Dear Account User,
    Your e-mail Id needs to be updated with our F-Secure R-HTK4S
    new version anti-spam/anti-virus/anti-spyware 2013.
    Click on the link below; Our webmail Team will update your account.
    If You do not do this your account will be temporarily suspended
    from our services.
    hxxp://xxx.xxx.ua/images/IT/upgrade.php (No, the U doesn't host in the Ukraine.)
    Thank you for your cooperation!
    Regards,
    WEBMAIL ADMINISTRATOR
    C2012-2013
    All rights reserved.