Go to the U of M home page

Thursday, December 31, 2015

Phishing Example 119: DOCS

Received December 2015

From: **Compromised UMN account**
Date: Thu, Dec 31, 2015 at 4:05 AM
Subject: DOCS

3  files named "Confidential Letter" has been shared with you and will be
available in Google Drive, you can access them anytime below
Drive_Statement <hxxp://xxxxxxx.in/u.php>
Google Drive: create, share, and keep all your stuff in one place.

1) Leads to a typical fake Google Drive login: (Not .IN (India) URL)

2) Again this is NOT how Google does logins - they do not use other email services to authenticate:

3) New wrinkle, fake animation for "opening" the drive

(Leads to a PDF with a financial document report - probably nothing you'd be interested in.)

Wednesday, December 9, 2015

Advisory: Legitimate Tech Support Known to Transfer to Scammers

This month we had a report of a customer who contacted the legitimate tech support number listed on the bill for a major Internet service provider. In the course of that call, the support analyst determined that his options for helping the customer had been exhausted and transferred the customer to another support line.

The secondary support (Technicalsupport4u in India) took remote control of the victim's computer, asked for a credit card number and ended up charging $399 (from a bank in Paris) to that credit card. Frighteningly, that "support analyst" called to follow up the next day; although the problems were still not solved, that follow-up call adds to the seeming legitimacy of the scam. When the victim contacted the ISP, they said that they would never do such a thing or charge that much to a credit card. The victim ended up having to cancel that credit card and change bank routing numbers, which is a huge hassle.

We followed up with the security team at the ISP, as it is alarming that while most telephone scams begin with the scammers contacting the victim, in this case the victim contacted a legitimate, trusted service and ended up connected to the scammers. They acknowledged that while their tech support has a list of vetted contacts for other support teams, sometimes the support analyst just Googles for support numbers instead of using the list, and transfers the customer in order to be helpful. They said they would investigate.

Important take away: Constant vigilance! Even if the starting point is trusted, beware transfers to other locations.

Monday, December 7, 2015

Advisory: Seven Steps for Making Identity Protection Part of Your Routine

Posted December 2015, by IRS.GOV

Seven Steps for Making Identity Protection Part of Your Routine

IRS Security Awareness Tax Tip Number 3, December 7, 2015
The theft of your identity, especially personal information such as your name, Social Security number, address and children’s names, can be traumatic and frustrating. In this online era, it’s important to always be on guard. ...
´┐╝IRS Identity Protection tips
IRS Identity Protection tips

Friday, December 4, 2015

Phishing Example 118: ALERT!!!

Received December 2015

From: "Help Desk"
Date: Dec 4, 2015 7:39 AM
Subject: ALERT!!!
Email Account User,
Your UMN account Certificate expired on the 4th-12-2015, This may interrupt your email delivery configuration, and account POP settings, page error when sending message.
To re-new your UMN Certificate, Kindly:
account will work as normal after the verification process, and your UMN
Certificate will be re-newed.
Sincerely,UMN Minnesota Help Desk.

  • NOT hosted at umn.edu ("moonfruit.com," is not a UMN partner!)
  • Modest attempt at branding - does not match UMN login page.
  • May appear to "fail" when filled in, this may *still* expose credentials. If you filled it in, CHANGE YOUR PASSWORD ASAP!

Tuesday, December 1, 2015

Phishing Example 117: Secured Doc from Carlos Abente

Received December 2015

Sent from a compromised UMN account (not Carlos Abente)

Date: Tue, 1 Dec 2015 17:39:47 +0200
Subject: Secured Doc from Carlos Abente
From: Carlos Abente
To: undisclosed-recipients:;

Carlos Abente shared the following PDF:
Secured File Via Google Drive <hxxp://xxxxxxxxxx/lite.htm>
Open <hxxp://xxxxxxxxxx/lite.htm>

Note - this one actually shows the current Google logo:

Takes you to a fake login:

If you fill it in... It takes you to a real Google doc (which you likely have no interest in)