
Tuesday, September 23, 2014

Phishing Example 68: Faculty and staff Email notification

Received September 2014

Message text:

   From:
   Date: Tue, Sep 23, 2014 at 11:06 AM
   Subject: Faculty and staff Email notification
   To:
   Dear user,
   We currently upgraded to 15GB space. Please log-in to your account in
   order to validate
   E-space. Your emails won't be delivered by our server, unless email account
   is confirmed.
   Click on Faculty and staff email confirmation
   <hxxp://xxxxxxxx.tripod.com/> to confirm details of your
   email account.
   Note that failure to confirm your email with this notification, would lead
   to dismissal of your
   user account. Protecting your email account is our primary concern.
   This has become necessary to serve you better.
   Copyright ©2014 IT Help Desk.
   The information contained in this transmission contains privileged and
   confidential information. It is intended only for the use of the person
   named above. If you are not the intended recipient, you are hereby notified
   that any review, dissemination, distribution or duplication of this
   communication is strictly prohibited. If you are not the intended
   recipient, please contact the sender by reply email and destroy all copies
   of the original message.
   *CAUTION*: Intended recipients should NOT use email communication for
   emergent or urgent health care matters.


Things to note:
  • Hosted at tripod.com, not umn.edu;
  • Has advertisements(!) on the page;
  • Includes captcha verification;
  • No UMN branding

Monday, September 15, 2014

Phishing Example 67: VALIDATE

Received September 2014

Message text:


   From:
   Date: Mon, Sep 15, 2014 at 11:42 AM
   Subject: VALIDATE
   To:
   Dear UMN users,
   This message was sent automatically by our web server to inform you of the
   current validation of your web-mail account and help protect your account,
   we recommend you follow this link: *hxxp://XXX.lixter.com/  
   <hxxp://XXX.lixter.com/>* to complete the validation process.
   NOTE: Failure to comply may lead to confiscation of account.
   Regards,
   UMN I.T Web-mail Admin.

Things to note:

  • VERY good copy of the University login page - ALL links off of the page go to the appropriate UMN.EDU location.
  • NOT hosted at the University - hosted at "lixter.com"

Wednesday, September 10, 2014

Phishing Example 66: Faculty/Admin/Staff and Student Mailbox

Received September 2014

Message text:

   Subject: RE: Faculty/Admin/Staff and Student Mailbox
   Date: Wed, 10 Sep 2014 11:29:48 +0000
   From:
   To:
   *Staff and Faculty Mailbox Message !*
   495MB
   *500*MB
   *This is to notify all Faculty Members and Staff on the end of year
   Mailbox Quota Cleanup, If you are a staff or faculty member log on to
   your staff and faculty **ACCESS-PAGE
   <w>**to clean up mailbox.*
   *Staff and Faculty Members mailbox quota size increase in progress click
   on**ACCESS-PAGE
   <hxxp://xxx-xxxxx-portal.jigsy.com/>**<hxxp://xxx-xxxxx-portal.jigsy.com/>
   to complete.*
   *Mailbox Sending/Receiving authentication will be disabled at 490MB*
   *ITS help desk*
   *_ADMIN TEAM_*


Things to note:
  • Site hosted at jigsy.com, not umn.edu
  • Advertisement on page
  • Password field not obscured
  • Headings have odd spellings

Monday, September 8, 2014

Phishing Example 65: Sign-in Alerts

Received September 2014


Message text:
   From: University of Minnesota Duluth
   Date: Mon, Sep 8, 2014 at 8:39 AM
   Subject: Sign-in Alerts
   To: Recipients
   *Dear Student/Staff,*
   *We detected a login attempt with valid password to your UMN account from an unrecognized device on Tue, Sep 08, 2014 6:19 PM IST.*

   *Location: India (IP=178.137.239.184)*  [note: REALLY that's from Ukraine.]
   *Note: The location is based on information from your Internet service or wireless carrier provider.*
   *Was this you? If so, you can disregard the rest of this email.*
   *If this wasn't you, please Kindly **CLICK HERE* <hxxp://www.123contactform.com/xxxxxxxxx/University-Of-Minnesota-Duluth> *to protect your UMN Webmail account information from potential future account compromise:*
   * Activate second sign-in verification with your Computer
   * Review your login activity
   * Re-Validate your account information
   *To learn how sign-in alerts like this one can help you to protect your account information, please visit IT@UMN <http://it.umn.edu/index.htm> > Help.*
   *Sincerely,*
   *ITS UMN*



NOTES:
  • Hosted at 123contactform.com - not umn.edu
  • NOT a secure site
  • Passwords in the clear
  • Odd spellings of common words

Phishing Example 64: Validate Now (also "Validate", "I T Service")

Received September 2014

Message text:

   From: UMN Admin <xxxxxxxxxxxxxxx@york.ac.uk>
   Date: Mon, Sep 8, 2014 at 9:14 AM
   Subject: Validate now
   To:
   Dear umn user,
   validate umn.edu <hxxp://some-home-domain.NOT.UMN.EDU/validate.umn.edu/>


Things to note:

  • Sign-in page resembles, but is not identical to, the University login page
  • Top bar links and search bar are IMAGES, not active
  • Not hosted at UMN.EDU - tricky use of "validate.umn.edu" at the end of the URL, but the domain is actually at a ".cc" home.
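
The hosting check that recurs in these notes, written out as an added example (it is not part of the original post or any University tool): it parses a defanged link without fetching it and reports whether the hostname is really umn.edu or a subdomain, including the Example 64 case where "validate.umn.edu" sits in the path. The names `refang`, `check_link` and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED = "umn.edu"  # the legitimate domain the notes compare against


def refang(url):
    """Undo 'hxxp' defanging so the link can be parsed (it is never fetched)."""
    scheme, sep, rest = url.strip().partition("://")
    if not sep:
        return url.strip()
    return scheme.lower().replace("hxxp", "http") + "://" + rest


def check_link(url, trusted=TRUSTED):
    """Report where a link is really hosted, ignoring what else it mentions."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    # Only the exact domain or a true subdomain counts as hosted there.
    on_trusted = host == trusted or host.endswith("." + trusted)
    reasons = []
    if not on_trusted:
        reasons.append(f"hosted at {host or '(no host)'}, not {trusted}")
        if trusted in host:
            reasons.append(f"'{trusted}' is embedded in a different hostname")
        # Example 64's trick: the trusted name sits in the path, not the host.
        outside = f"{parts.username or ''}{parts.path}?{parts.query}".lower()
        if trusted in outside:
            reasons.append(f"'{trusted}' appears outside the hostname")
    if parts.scheme != "https":
        reasons.append("not a secure (https) link")
    return {"host": host, "trusted_host": on_trusted, "reasons": reasons}


# Constructed sample links (reserved .example names, not taken from the page).
SAMPLES = [
    "hxxp://signin.example/validate.umn.edu/",   # trusted name in the path
    "hxxps://umn.edu.portal.example/login",      # trusted name as a host prefix
    "https://www.umn.edu/",                      # genuinely on the trusted domain
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```
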


Wednesday, September 3, 2014

Phishing Example 63: Warning Message !!!

Received September 2014

Message text:

   From: Helpdesk Upgrade
   Date: Wed, Sep 3, 2014 at 5:13 AM
   Subject: *****SPAM*****  Warning Message !!!
   To:
   Dear Customer,
   Your *Email *account has exceeded its storage limit as set by
   our Administrator. Please, Re-Validate your account to avoid
   suspension.
   Please click on the link below to Re-Validate your *Email* account Update
   Click here <http://xxxxxxxxx,xxxxxxx,xx/>
   Thanks,
   The webmail account team




Things to note:
  • No University Branding
  • NOT at a University website
  • Mail should be tagged as spam