
Tuesday, July 29, 2014

Security Tip: Clear All Sessions!

How can you tell if someone else has used (IS using!) your account?

Gmail gives you a tool to answer that question: the “Last Account Activity” control. Even better, you can clear all sessions to shut out someone who has logged in with your password!

Phishing Example 58: Warning

Received July 2014

Message Body:

   Subject: Warning!
      Date: Tue, 29 Jul 2014 05:46:31 -0700
        To: undisclosed-recipients:;
      From: UMN Web Admin
   This is an automatic message by University of Minnesota system to let you
   know that you have to confirm your account information. An Attempt has been
   made to login from a new computer, You might not be able to send or receive
   new mail until you re-validate your mailbox .To re-validate your mailbox.-
   Click Or Open this link to VERIFY your Account:
Thanks for your anticipated co-operation,
   Subscriber! University of Minnesota Customer Care
   Case number: 8949824
   Property: Account Security
   © 2014 Regents of the University of Minnesota. All rights reserved.

Things to note:
  • Attempt to use UMN branding, in message and on web form.
  • Still on a commercial web form provider.
  • Odd language (Pas|WORD for Password) on form.
  • Password shows in clear on form.

Phishing Example 57: Attention

Received July 2014

Message Body:

   Subject: Attention
   Date: Tue, 29 Jul 2014 15:50:12 +0530 (IST)
   From: Webmail Administrator

  Dear eMail User,Your email account is due for upgrade.Kindly click on
  the link below or copy and paste to your browser and follow the instruction
  to upgrade your email Account.

Our webmail Technical Team will update your account. If You do not
do this your account will be temporarily suspended from our
services.Warning!! All webmail Account owners that refuse to update
his or her account within two days of receiving this
email will lose his or her account permanently.Thank you for your cooperation!
Copyright @2014 MAIL OFFICE All rights reserved.

Things to note:
  • Nothing UMN branded
  • IST (India Standard Time Zone)?
  • Served off of a free web page provider ("make your own" link included on page)

Thursday, July 24, 2014

Phishing Example 56: WEBMAIL DATABASE

Received July 2014

Message text:

From: web Admin
   Date: Thu, Jul 24, 2014 at 9:12 AM
   To: info@webmaster.org
   This is to inform you that we are of current plan to upgrade our
   *WEBMAIL DATABASE* and You have to confirm and upgrade your
   Email account by clicking on the link below:
   *http://xxxxx.webs.com/ <http://xxxx.webs.com/> *
   Online Support Team

  • Hosted at webs.com, not umn.edu.
  • No UMN.edu branding.
  • Mail "from" webmaster.org? 

Wednesday, July 23, 2014

Phishing Example 55: New Message

Received July 2014

Message text:

   ---------- Forwarded message ----------
   From: University of Minnesota
   Date: Wed, Jul 23, 2014 at 2:22 PM
   Subject: New Message
   Dear Member,
   You Have 1 New Message
   Click Here To Read
   ©2014 University of Minnesota


  • Received from multiple .edu email addresses (not from umn.edu!).
  • Directs to a .com address (NOT umn.edu).
  • Uses a very good copy of the UMN login page.

Tuesday, July 22, 2014

What Are We Doing About Phishing?

On report of phishing attempts – 
  • We block the phisher return email addresses.
  • If a website is used to collect replies, we notify the website administrators that their services are being misused or have been compromised.
  • We block access from the University network to phisher websites.
  • We notify other schools about reported phisher addresses and websites.
  • We work to tune our rules that flag phishing email as spam.
IF you or anyone receive a phishing email that targets University email ACCOUNTS, REPORT it to

Monday, July 21, 2014

Phishing Example 54: Update Alert

Received July 2014

Message Text:

   Date: Mon, Jul 21, 2014 at 2:37 PM
   Subject: Update Alert
   You have exceeded your mail.umn.edu quota limit of 500MB and you need
   to expand the mail.umn.edu quota before the next 48 hours. If you have not
   updated your *mail.umn.edu  *account in 2014,
   you must do it now. You can expand to 10GB mail.umn.edu quota limit.
   Click on the link below to upgrade your account:


   Thanks for your understanding.

Google form used for phish:

Things to notice:

  1. Not branded with standard UMN template
  2. Uses Google forms
  3. INCLUDES Google Form warning not to submit passwords!

Phishing Example 53: Incoming mails noreply@umn.edu

Received July 2014

Message text:
   Date: Mon, Jul 21, 2014 at 8:23 AM
   Subject: Incoming mails noreply@umn.edu
   You have a message click on the link hxxp://xxx-xxxx-umn-edu.webs.com/
   to read


All these factors should tip you off - this is NOT really from the University.

  1. Modest attempt at UMN branding
  2. Tricky addition of "noreply@umn.edu" to the subject, not the From line.
  3. Hosted at "webs.com" free website provider
  4. Misspelled "Internat ID"
  5. Misspelled "Pascsword"
  6. Shows the password in the clear

Friday, July 18, 2014

Phishing Example 52: I've shared an item with you.

Received July 2014.

This has been sent from a compromised umn.edu account (or accounts), so you may not see the tag ***SPAM*** in the subject line.

Message body:

   Subject: I've shared an item with you.
   To: undisclosed-recipients:;
   *Sent:* Friday, July 18, 2014 12:59 PM
   *Subject:* I've shared an item with you.
   I just shared a document with you using Google Drive. All you have to do is
   go to https://drive.google.com <http://xxx.xxxxx.com/platform/index.htm> to
   view it and sign in with your email address, as it is stored online.
   Note: it's not an attachment, it's a document stored online
   Best Regards

This is what the link takes you to, but it is NOT how a real Google doc will prompt you for your login.
Google docs do not ask you to use Yahoo, Windows or AOL logins:

If you "log in" you will be directed to a bogus doc that is in Google. However, your credentials will be in the phishers' hands, and your account will be sending spam (probably just like this one).

If you, or someone you know, entered an ID and password in this, change that password immediately!

Thursday, July 17, 2014

Reminder: Avoid tech support phone scams

We've recently had a number of reports on campus of people receiving calls from "technical support" (often "Microsoft Technical Support") alerting users to supposed problems with their computers.  If you receive such a call - don't fall for them.  Check with your technical support or help@umn.edu if you have any doubts.

The word from Microsoft:

Avoid tech support phone scams
Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license. Once they have access to your computer, they can do the following:
  • Trick you into installing malicious software that could capture sensitive data, such as online banking user names and passwords. They might also then charge you to remove this software.
  • Convince you to visit legitimate websites (like www.ammyy.com) to download software that will allow them to take control of your computer remotely and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phony services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.
Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes.
See also the Snopes.com page (http://www.snopes.com/fraud/telephone/microsoft.asp) about such scams.

Monday, July 7, 2014

Phishing Example 51: Your mailbox has been temporally suspended

Received July 2014

   Date: Mon, Jul 7, 2014 at 10:21 AM
   Subject: Your mailbox has been temporally suspended

      [ NO text in the message ]

   Download ADMIN.docx
   application/vnd.openxmlformats-officedocument.wordprocessingml.document 10.6k

The attachment, if you opened it (please don't) :

The link in the document takes you to:

A *very* generic login which looks nothing at all like the real deal:

 Looks can be deceiving.  Some phishers (happily, not many) do copy the UMN login page and present you with a very convincing counterfeit.  As always - double (triple!) check the URL when being asked to log into a UMN web page.

Wednesday, July 2, 2014

Phishing Example 50: Webmail Verification

Received July 2014

   Date: Wed, Jul 2, 2014 at 12:42 PM
   Subject: RE: Webmail Verification
   *Dear mailbox user,*
   *Your Email Account have been violated, unsuspicious activities was
   noticed in your email account and your account will be disabled shortly.*
   *you are required to verify your email account to prevent your email
   account from being disabled. click on our ITS-SUPPORT
   <http://xxxxxxxxx.tripod.com/>*to fill out the necessary
   information to secure and verify your account*
   *Additional Info Staff,Student and Faculty Members Only.* *Click on
   Staff and Faculty ACCESS-PAGE <http://xxxxxxxxxx.tripod.com/>*
   *IMPORTANT NOTE**:* *Your account will be disabled if not verified within
   the next 24hours**.*
   *ITS help desk **ADMIN TEAM*
   *©Copyright 2014 Microsoft*

Nope, no UMN branding, advertisements... AND hosted at tripod.com?

Phishing Example 49: Administrative Notice!!!

Very old school - a request for you to email your name and password (please don't!).

Received July 2014
Message body:

  > From: Help Desk
   > Subject: Administrative Notice!!!
   > Date: 2 July 2014 at 10:38:19 CDT
   > To:
   > Reply-To:
   > Help Desk
   > Attention Account User,
   > Scheduled Maintenance & Upgrade
   > Your account is in the process of being upgraded to a newest
   > Windows-based servers and an enhanced online email interface inline with
   > internet infrastructure Maintenance. The new
   > servers will provide better anti-spam and anti-virus functions, along with IMAP Support for mobile    
   >devices to enhance your   usage.
   > To ensure that your account is not disrupted but active during and after this upgrade, you are
   > required to kindly confirm your account by stating the details below:
   > * Domain\user name:
   > * Password:
   > This will prompt the upgrade of your account.
   > Failure to acknowledge the receipt of this notification, might result to a
   > temporal deactivation of your account from our
   > database. Your account shall remain active upon your confirmation of your login details.
   > We do apologize for any inconvenience caused.
   > Sincerely,
   > Your Customer Care Team
   > (c) Copyright 2014, All Rights Reserved.

Phishing Example 48: System Notifications/Account Closure

Received July 2014

Message body:

   From: UMD Email - Support
   Date: Wed, Jul 2, 2014 at 1:10 AM
   Subject: System Notifications/Account Closure
   Dear University of Minnesota Duluth Webmail User
   We hereby announce to you that your email account has exceeded its
   storage limit. You will be unable to send and receive mails and your
   email account will be deleted from our server. To avoid this problem,
   you are advised to verify your email account by clicking on the link
   CLICK HERE <http://xxxxxxxxxxxxxxx/upgrade.php>
   Failure to comply will result to permanent termination of your email account
   Thank you.
   © 2014 Regents of the University of Minnesota Duluth . All rights reserved.
   The University of Minnesota is an equal opportunity educator and employer
   The Webmail Management Team

  • very simple, unbranded form
  • does hide the password when entered
  • not from a ...umn.edu/ URL

Tuesday, July 1, 2014

Welcome To The New Blog! Same As The Old Blog!

We've moved!

With the end of the http://blog.lib.umn.edu/ support, we've moved the UMN Phishing blog to Blogger!

You should find all the past posts here - and new ones as we have more examples of phishers targeting our UMN community.

Phishing Example 47: Library Account

Here's a reminder to question unexpected warnings and double-check that supposed "official" login pages are REALLY hosted at UMN.EDU locations.
Received June 2014:
Email being seen that points at what LOOKS like a UMN URL, but went offshore:
From: Library 
Date: Thu, Jun 26, 2014 at 8:47 AM
Subject: *****SPAM***** Library Account
Dear User,
Your library account has expired, therefore you must reactivate it
immediately or it will be closed automatically. If you intend to use this
service in the future, you must take action at once!
To reactivate your account, simply visit the following page and login wilth
your library account.
Login Page:
University of Minnesota Libraries
499 Wilson Library
309 19th Avenue South
Minneapolis, Minnesota 55455
(612) 624-3321 (voice)
(612) 626-9353 (fax)

Goes to a copy of UMN login page on an offshore website, and claims to "reactivate" your account.
Dangerous, because the phishers copied our real login page: the page looks identical to, and behaves like, a real login page, then puts up a fake "reactivation message" with a link to the UMN library system:

Phishing Example 46: EMAIL UPDATE

Things to note:
  • hosted at a non-umn.edu website
  • displays passwords in clear text

Received June 2014 :
From: UMN Help
Date: Sun, Jun 29, 2014 at 12:35 PM
To: Recipients

Dear User,
Please validate your account. To perform this action CLICK HERE
Thank you.
Help Desk
The University of Minnesota

Phishing Example 45: Warning Warning Warning!!!

Summer time and the phishing continues!
These phishers use a free website portal to offer an "upgrade" in storage, unaware that UMN users already get 30 gig of storage, and make no attempt to brand their form to look like it comes from the University.

Received June 2014:
Subject: RE: Warning Warning Warning!!!
Date: Tue, 24 Jun 2014 12:54:17 +0000
Your mailbox is almost full. <http://xxxxx.xxxx.com/>
461MB <http://xxxxx.xxxx.com/> 500MB
Current size Maximum size
Help desk requires to upgrade your *EMAIL *account *UPGRADE-HERE*
<http://xxxx.xxxx.com/> Update your account for HTK4S
And Allow New Mails to come in Now
IT help desk 2014 <http://xxxx.xxxx.com>
ADMIN TEAM <http://xxxx.xxxx.com/>

Phishing Example 44: Security Alert

Most users should see this marked as spam - but here's a new phish, pointed at a free website provider (not a umn.edu address). There's an interesting attempt at "branding," but with an odd logo that has nothing to do with email.

From: Mail Admin:: University of Minnesota
Date: Thu, May 29, 2014 at 8:32 AM
Subject: Security Alert:
To:
Important information regarding your University of Minnesota account

You have reached your University of Minnesota email maximum data allowance,
you may not be able to send or receive email with your email account again;
Because it has been brought to our attention that your email account has
been accessed and used by a third party to send spam/phishing emails.Kindly
Visit *umn.edua*
Click on *University of Minnesota Login*

now. and Login your account details.

Phishing Warning: Beware "Reset Your eBay Password" Emails

Posted May 2014

Large-scale data breaches that are widely publicized, like the recent eBay breach, offer attackers a new opportunity for malicious emails designed to steal your credentials.
To safely change your eBay password, log directly into eBay and use the change password option.

Phishing Example 43: "Dear Account User." Gmail spoof

A clever email has been making the rounds, using a PDF security notice. It claims to be from Gmail, and it directs users to a fake Gmail login. The mail reads:
Dear Account User. Attached Account Verification Letter.
The Gmail Support Team!
Attached is a PDF:
IF a user clicks on the link (please don't!) they'll go to a fake (but very plausible) gmail login page:

(note: this web link will no longer work within the University network.)
If that wasn't enough, users who give a name and password will be asked to supply a phone number and alternate email address!

If you, or anyone you know, were deceived by this spam, go to the My Account page at https://www.umn.edu/myaccount, change the password immediately, and report the incident to phishing@umn.edu.

Phishing warning: Heartbleed may generate new scams

Posted April 2014

"Given the growing public awareness of this bug, it's probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question."
For more information on the Heartbleed vulnerability see http://heartbleed.com

Phishing Warning: Google Docs Users Targeted by Sophisticated Phishing Scam

Symantec reports a new phishing scam that sets up a phishing form that looks like a Google sign-in inside a Google Drive document.
"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages."
  • If you get an unexpected document from an unknown (or unlikely) collaborator, be suspicious.
  • IF you are already logged in to Google in your browser, a Google doc should NOT redirect you to a login form.
  • When UMN Google Apps DO direct you to a login page, they should always include UMN branding.

Phishing example 42: Update

Notes: This is a particularly nasty phishing scam because it is spoofed to come from help@umn.edu, and the link (which is now blocked) was a perfect copy of the University's login page.
From: Helpdesk 
Date: Sat, Mar 1, 2014 at 3:00 PM
Subject: Update
Dear User
Due to high numbers of inactive mail accounts on our server, all email
users are urged to update their email account within 24 hours of receiving this email, by
using the Update
*Click here hxxp://xxxxxxxxxxxxxxxx/idp/umn/login.php *to confirm
that their email account is active.
Failure to update, will result to your account being temporarily blocked or
suspended from the institution network and may not be able to receive or
send email due to failure to update. Do not ignore this message to avoid termination
of your webmail account.
Thanks for your co-operation.
Yours sincerely,
Call: 612-301-4357 (1-HELP)
Email: help@umn.edu

Phishing warning: US Tax Season Phishing Scams and Malware Campaigns

In the past, US-CERT has received reports of an increased number of phishing scams and malware campaigns that seek to take advantage of the United States tax season. The Internal Revenue Service has issued an advisory on its website warning consumers about potential scams.
Tax season phishing campaigns may include, but are not limited to:
  • Information that refers to a tax refund,
  • Warnings about unreported or under-reported income,
  • Offers to assist in filing for a refund, or
  • Links to counterfeit e-file websites.
For more information see the US-CERT notice

Phishing Example 41: Dear webmail user

Received February 2014
Once again, no, the University really doesn't send messages like this:
From:
Date: Fri, Feb 21, 2014 at 10:11 AM
Subject: Dear webmail user
To:
You have reached the storage limit on your mailbox. Please visit the below
link to restore your email access.
Do not ignore this message to avoid termination of your account.
System Help-desk
Copyright (c) 2013 # * * ALL RIGHTS RESERVED

Phishing Example 40: Umn Email Alert

Received January 2014
From: Email Alert 
Date: Tue, Jan 7, 2014 at 5:57 AM
Subject: Umn Email Alert
To: alert@umn.edu

Note the link leads to an exact duplicate of the University's login page, but the URL does not end in umn.edu. Entry of any credentials leads to the google.com login page.


Phishing Example 39: You have 1 important mail alert!!

Received: December 2013
Subject: You have 1 important mail alert!!
Date: 18 Dec 2013 04:15:37 -0000
To: "recipients"
From: "onlinemessage1"
Dear Account User,
Your mailbox has exceeded the limit of 30 GB, which is as set by your manager, you are currently at 30.9GB, very soon you will not be able to create new e-mail to send or receive again until you validate your mailbox.To re-validate your mailbox, click on the attach link and follow the instruction for your upgrade.
Email Administrator.
You should never click a link to a PDF without verifying that it is safe; it could be installing malware. In this case we scanned the PDF before opening it.
The attached link is a PDF document that opens with a link to a fake login site that looks like this:
When you enter an ID and password, another window comes up asking for verification of your *alternate* email address (Google, Yahoo, etc.), that looks like this:

Phishing Example 38: Your Incident ID is: 130329-018715

Sent November 2013:
From: MyUmn
Date: Fri, Nov 8, 2013 at 7:58 PM
Subject: Your Incident ID is: 130329-018715
Your Incident ID is: 130329-018715
This is an automated message to notify you that we detected a login attempt
with a valid password to your Umn! account from an unrecognized device on
Friday, Nov 8th, 2013 18:33 CEST.
Location: Sweden, Stockholm (IP=
Was this you? If so, you can disregard the rest of this email. If this
wasn't you kindly follow this link
http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ to review your Umn
MyUmn IT HelpDesk
Please do not reply to this message. Mail sent to this address cannot be

Phishing Example 37: faculty/staff

Sent: November 2013
Mailbox Quota Size: 100 %
Current Mailbox Quota: 98.09%
Your mailbox is almost full.
Important Notice: Mailbox SEND or RECIEVE operation will be deactivated at 100% Quota-size clickhere on Faculty-Staff 
© Copyright 2013.
Privacy and Confidentiality Notice: The information contained in this e-mail is intended for the named recipient(s) only. It may contain privileged and confidential information. If you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, we would be grateful if you would notify us immediately. Thank you for your assistance.
Please note that e-mails sent or received by our staff may be disclosed under the Freedom of Information Act (unless exempt).
Note: Password disclosed

Phishing Example 36: FACULTY/STAFF

Received 10/2013
Date: October 31, 2013 9:52:58 AM CDT
To: undisclosed-recipients:;
Body text:
Institution account routine Maintenance
Your mailbox is almost full.
Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails until You Re-Validate It. To RE-VALIDATE [hxxp://xxxxx.webs.com] or If it does not work then copy and past the link. Thank you
ITS help desk

Password shown in the clear

Phishing Example 35: Things to notice on a fake UMN login page

When you are directed to a login page, please look carefully:

This page is an impressive copy of a UMN login page:

  • all the links go back to real UMN pages
  • the look matches UMN pages
  • the password does not show in the clear (that is, when entered, it does NOT display the text)
    HOWEVER notice - it asks you for a birthdate:




    Phishing Example 34: Bogus UMN login page

    A recent phishing page discovered, hosted at a free website provider, underlines why you must pay attention to the URL when you are using the WEB:

    This page has nothing to distinguish it from a real UMN sign-in page. IF you fill it in, it will redirect you to the real - apparently identical - shibboleth login page.

    ALWAYS double check the web address - if the URL for a UMN sign-in does NOT end in "umn.edu" do not use it.
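The "ends in umn.edu" check above, and the link-text mismatch seen in Example 52, written out as code. This is an added example, not something from the original blog; the function names, the `FREE_HOSTS` list and the sample links marked "constructed" are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "umn.edu"               # real UMN sign-in pages live under this
FREE_HOSTS = ("webs.com", "tripod.com")  # free site providers seen in the examples


def link_host(url):
    """Return the host a browser would actually connect to, or None."""
    # Undo the hxxp:// defanging used in the examples on this page.
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    try:
        parts = urlsplit(url)
        host = parts.hostname  # ignores any user@ prefix and the :port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")


def is_trusted_host(host, domain=TRUSTED_DOMAIN):
    """True for the domain itself or a real subdomain, never a lookalike."""
    # A bare endswith("umn.edu") would accept "notumn.edu"; require the dot.
    return bool(host) and (host == domain or host.endswith("." + domain))


def check_link(href, display_text=""):
    """Return reasons to distrust a link that claims to be a UMN sign-in."""
    host = link_host(href)
    if host is None:
        return ["unparseable or non-web link"]
    if is_trusted_host(host):
        return []
    findings = [f"destination {host} is not under {TRUSTED_DOMAIN}"]
    # "umn-edu" or "umn.edu" buried elsewhere in the name is imitation.
    if TRUSTED_DOMAIN in host.replace("-", "."):
        findings.append(f"host name imitates {TRUSTED_DOMAIN}")
    if any(is_trusted_host(host, d) for d in FREE_HOSTS):
        findings.append("hosted at a free website provider")
    # The text shown to the reader may itself be a URL for a different site.
    shown = link_host(display_text)
    if shown and shown != host:
        findings.append(f"link text shows {shown} but the link goes to {host}")
    return findings


# (href, link text) pairs: the first three appear on this page, the rest
# are constructed to show lookalike tricks.
SAMPLES = [
    ("https://www.umn.edu/myaccount", ""),
    ("hxxp://xxx-xxxx-umn-edu.webs.com/", ""),
    ("http://xxx.xxxxx.com/platform/index.htm", "https://drive.google.com"),
    ("https://notumn.edu/login", ""),                      # constructed
    ("https://umn.edu.example.net/idp/umn/login.php", ""),  # constructed
    ("https://www.umn.edu@example.net/", ""),               # constructed
]

if __name__ == "__main__":
    for href, text in SAMPLES:
        reasons = check_link(href, text)
        print(href, "->", "looks OK" if not reasons else "; ".join(reasons))
```

An empty result only says the host is under umn.edu; it says nothing about whether the message that carried the link is genuine.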

    Phishing Example 33: Webmail Admin. Notification !!

    Subject: Webmail Admin. Notification !!
    Your account safety is our top priority.
    Recently, we have detected some unusual activity on your account and as
    a result,
    all email users are urged to update their email account within 24 hours
    of receiving this e-mail, using the update link: *CLICK HERE
    * to confirm that your
    email account is up to date with the institution requirement.
    Do not ignore this message to avoid termination of your webmail account.
    Our apologies for any inconvenience this may have caused, but your
    account safety and privacy is very important to us.
    Thanks for your co-operation.
    Yours sincerely,
    Webmail Admin.


  • Should be marked as spam in the UMN mail system
  • Web form NOT branded 
  • Password fields not masked.

    But at least they care about your privacy!

    Phishing Example 32: Dear Sir/Madam

    Subject: *****SPAM***** Dear Sir/Madam
    Date: Mon, 23 Sep 2013 12:57:47 +0000
    To: Undisclosed recipients:;
    Your mailbox needs to be validated and protected against on going spam activities and
    needs to be expanded. click on this link
    copy and paste the link on your URL fill the form and submit for validation.

  • Very amateur webform set up on free website provider
  • No UMN branding, not hosted at umn.edu site
  • All private information shown in clear
  • Now blocked at the U, website provider has taken this down.
  • Actively used until taken down

    Phishing Example 31: IT HELPDESK *** IMPORTANT***

    Received September 2013:
    Subject: IT HELPDESK *** IMPORTANT***
    To: Recipients
    From: ADMIN,
    Date: Tue, 17 Sep 2013 20:33:28 +0100

    Hi User,

    This is a compulsory email account verification. CLICK HERE TO VALIDATE AND VERIFY YOUR EMAIL ACCOUNT
    Regards,Abuse/Help Desk
    PLEASE Note!
    Some browsers will show a warning like this one shown below - if you see it, PLEASE don't follow the link, report it to phishing@umn.edu!

    Phishing Example 30: Re: Upgrade Your Mailbox:

    Received: September 2013
    Dear Email User:
    Re: Upgrade Your Mailbox:
    Your mailbox has exceeded the limit of 30 GB, which is as set by the
    administrator, you are currently at 30.9GB, very soon you will not
    be able to send or receive e-mail again until you validate your
    mailbox. To re-validate your mailbox, click on the link below and
    follow the instruction for your upgrade.
    Click Here To Upgrade Your Mailbox: hxxp://xxxxxxxx.com/ne/administrator_restore.htm
    After re-validating your mailbox, your email account will not be
    interrupted and will continue as normal. We thank you for your
    prompt attention to this instruction. Please understand that this is
    a security measure intended to help protect your mailbox. We
    apologies for any inconvenience.
    Failure to upgrade and re-validate your email account membership
    details as directed above, your mailbox will be SUSPENDED!
    Warning Code:VX2G99AAJ
    Email Administrator.
    Note: No University branding, and the password is concealed as you enter it.

    Phishing Example 29: Faculty &Staff Account Notification

    Date: Wed, Sep 11, 2013 at 7:40 AM
    Subject: *****SPAM***** RE: Faculty &Staff Account Notification 
    (Good news! We're tagging it as spam!)
    Institute account Routine System. all institutional mail account
    users are advice to upgrade /Update account now This has been
    made mandatory for all. for assistance click:
    Failure to do this you will have your account suspended on till report is
    made to the institution authorities.
    *ITS service Team*
    © Copyright 2013.
    All Rights Reserved

    Nothing too new here. Things to note:

  • Password shows in the clear
  • Not UMN branded

  • Hosted at a free website service


    Phishing Example 28: Important document

    Received September 2013:

    Date: Sat, Aug 31, 2013 at 12:59 PM
    Subject: Important document
    Please view the document I uploaded for you using Google secure doc, Click
    here <hxxp://xxxxxxxxx.eu/2013gdocs/index.htm> and sign in with your email
    to view it's very important.

    No, not a real google doc share.

    Phishing Example 27: Attention: Web-mail User

    Received September 2013
    From: <*******@*********>
    Subject: Attention: Web-mail User
    Date: Mon, 2 Sep 2013 10:24:57 +0000

    *Attention: Web-mail User,*
    *This is to inform you that our web-mail server has been scheduled for
    and maintenance, this is to improve the ability to identify and block
    phishing attempts and anti-virus functions for better online services.*
    *To avoid your e-mail account been terminated during this upgrade, Kindly**
    click the link below and follow the instructions to upgrade.*
    *Your Email access will be disable if you fail to comply with the above.*
    *We do apologize for any inconvenience caused.*
    System Administrator*
    Note: No University branding, passwords in clear text.


    Phishing Example 26: Email Quota Account Upgrade.

    Received: August 2013
    From: "Email Help Desk" <*******@*******.com>
    Subject: Email Quota Account Upgrade.
    Date: 26 August 2013 08:11:32 CDT
    To: Recipients <*******@*******.com>
    Attn: Email User,
    Your mailbox has exceeded the limit of Quota Usage, which was set by your admin panel, and access to your mailbox via our mail portal will be unavailable expect you upgrade your email account against spam.
    To upgrade and re-validate your mailbox, do click on the link to upgrade: Upgrading Link
    System Administrator.
    Note: Does not mimic the UMN login page, but does conceal the password.


    Phishing Example 25: UMN : Webmail Upgrade

    Received August 2013:
    This is a variation on one received earlier, but it was sent from a compromised UMN.EDU account, and they added "UMN:" to the subject.
    From: HelpDesk
    Date: Friday, August 30, 2013
    Subject: UMN : Webmail Upgrade
    Dear umn.edu Email user,
    Your e-mail Id needs to be updated with our F-Secure
    new version anti-spam/anti-virus/anti-spyware 2013.
    Click on the link below; Our webmail Team will update your account.
    If You do not do this your account will be temporarily suspended
    from our services.
    Thank you for your cooperation!
    Copyright @2013 MAIL OFFICE All rights reserve
    All rights reserved.

    Phishing Example 24: Mailbox Upgrade Notification

    Received: August 2013

    Date: Thu, Aug 29, 2013 at 5:19 AM
    Subject: Mailbox Upgrade Notification

    Mailbox Upgrade NotificationAs part of our ongoing firm wide upgrade and
    our email servers, we need to migrate your mailbox to a different location
    so it will be compatible with the newer versions of software. During the
    move you won't be able to send/receive email, including via your mobile
    device(s). The downtime should be about 1 hour please *CLICK
    * and follow the instructions on the pop up window to upgrade your email


    Phishing Example 23: Webmail Upgrade

    Received August 2013:
    From: HelpDesk <xxx@um.edu.my> (um.edu.MY? Nope, not legit!)
    Date: Wed, Aug 28, 2013 at 8:24 PM
    Subject: *****SPAM***** Webmail Upgrade (should be marked as spam)
    Dear Account User,
    Your e-mail Id needs to be updated with our F-Secure R-HTK4S
    new version anti-spam/anti-virus/anti-spyware 2013.
    Click on the link below; Our webmail Team will update your account.
    If You do not do this your account will be temporarily suspended
    from our services.
    hxxp://xxx.xxx.ua/images/IT/upgrade.php (No, the U doesn't host in the Ukraine.)
    Thank you for your cooperation!
    All rights reserved.