Go to the U of M home page

Friday, August 29, 2014

Advisory: Beware of Impersonation Fraud

Don't be afraid to question communications that claim to come from "official" sources. A common tactic in phishing and other scams is a claim to be or represent some important official.


  • Email from the "help desk" claiming you need to re-authenticate your account. This is a common tactic used to trick people into giving up their Internet ID and password.
  • Phone messages from "Microsoft support" telling you that your computer is infected. This trick usually involves telling the victim that they need to let the caller examine their computer remotely - usually aimed at installing malicious software.
  • Email or text messages telling you that you need to install "special software" to chat with your help desk. Again, the aim of such tactics is to trick you into installing malicious software.

If you receive messages like these, don't be afraid to challenge them. You should be able to confirm official communications through other channels. For technical issues, visit http://it.umn.edu and use the search function to confirm that a caller or email is official. Likewise the search function on  UMN home page at http://www.umn.edu will help you. (Don't forget about http://search.umn.edu!)

For examples of other common fraud methods, see the FBI's page on Common Fraud Schemes at http://www.fbi.gov/scams-safety/fraud.

Thursday, August 28, 2014

Phishing Example 62: Alert!

Received August 2014

Message text:

   Subject: Alert!
   Date: Wed, 27 Aug 2014 17:29:00 +0100
   From: Admin Center
   To: undisclosed-recipients:;
   Unusual Sign-in Activity,  
   We've detected something unusual about a recent sign-in to your
   umn.edu <http://umn.edu> E-mail account. Hence, to keep you safe; we've
   required an extra security check Via Validation. You might not be able
   to send or receive new mail until you re-validate your mailbox .To
   re-validate your mailbox.-
   *Click Here* <hxxp://xxxxx.webs.com/> Or Open this link:
   *hxxp://xxxxxx.webs.com/ <hxxp://xxxxx.webs.com/>*
   Thanks for your anticipated co-operation,
   Property: Account Security
   Connected to Googlemail  
   � 2014 Microsoft Corporation. All rights reserved.

Things to note:

  • Passage is hosted at webs.com - not umn.edu OR google.com
  • Login labels have bizarre mispellings
  • Email message includes "connected to Googlemail," AND "Microsoft?" Which is it?

Thursday, August 21, 2014

Phishing Example 61: Help desk

Received August 2014

Message text:

   Subject: Help desk @umn.edu
   Date: Thu, 21 Aug 2014 19:59:50 +0800
   From: Help Desk University of Minnesota
   For your security, this admin has safeguarded your account when there is a possibility that someone other than you is
   attempting to sign on. As part of our ongoing commitment to provide the "Best protection to all our student's and sta$
   security" we therefore ask you fill in your online data correctly to update your account. You'll need to update the
   settings on your email account by clicking on this link:hxxp://www.formget.com/xxx/xxxxxx

  • Looks nothing like UMN,EDU login page
  • Hosted at "formget.com" a free form provider.
  • Password fields not masked

Tuesday, August 19, 2014

Phishing Example 60: Password Protected Malware!

We've had no reports of this in UMN email (yet), but here's a warning:

While legitimate documents may be sent with a password protected file, it is very unlikely that the mail will CONTAIN the password.

Attackers will do this because, if an infected file is encrypted and protected with a password, virus scanners will not be able to detect the infection.

This example comes from blog.appriver.com, who reports:

Early this morning a small malware campaign started up claiming to be daily customer statements from “Berkeley Futures Limited” (real company, but messages are spoofed). The payload was an attached .zip file that was password protected. The password was displayed right in the original message body for the recipient though, which should be a red flag to users. A file will normally be encrypted when a password is used, making scanning inside an archive for malware not possible unless a user inputs the password on their computer to extract it. This can make filtering files like this tricky, but not impossible.

Friday, August 1, 2014

Phishing Example 59: DOCUMENT

Received August 2014:

Message Body:

   Date: Fri, Aug 1, 2014 at 11:12 AM  
   Subject: DOCUMENTS
   I shared a document with you. Goto: hxxps://dropbox.com/
   <http://www.xxxxxx.xx/tarifas/pdf/process1.php> and just sign in with your
   email address to view the document.
   Notice: You will need to sign in with your email address to access the
   Thank you,

Things to note: 
  • Pretends to take you to dropbox
  • Spoofs Google Drive instead
  • Presents bogus login offering what Google doesn't: a list of email providers

IF someone fills it it - it takes you to a real (but useless) Google Doc: