
Monday, February 22, 2016

Phishing Example 128: IT@UMN.EDU Employee Secur...

Received February 2016

From: "DoIT UMN.edu" <umn-mail@it.umn.edu> <<-FORGED
Date: Mon, 22 Feb 2016 05:08:16 -0700
Subject: IT@UMN.EDU Employee Secur...
To:
  Department of Information Technology
There has been a security breach on our servers recently, we strongly recommend
that all employees undergo a compulsory security verification upgrade.

This process is easy and takes no more than a minute to complete. The upgrade
process is necessary to ensure maximum security and prevent possible account
compromise by Trojans/Malicious programs.
if you cant click the button above, kindly follow this link hzzp://zzz/1VyIP3H to access the
verification page.


 All Rights Reserved University of Minnesota © 2016     Minneapolis, MN 55455, United States

NOTES:
  • VERY similar (not exact) to UMN LOGIN
  • USES BIT.LY to hide real location
  • FORGES FROM: as umn-mail@it.umn.edu

IF YOU FILLED THIS OUT, CHANGE YOUR PASSWORD IMMEDIATELY!


IF you filled it out (please don't), the next thing you'd see is:


IF you filled that out (please, please don't!) you'd see:


The last link takes you to the REAL UMN home page.

AGAIN, IF YOU FILLED THIS OUT, CHANGE YOUR PASSWORD IMMEDIATELY!



Tuesday, February 16, 2016

Phishing Example 127: Secure Folio

Received February 2016

From: FirstName Lastname <flastname @someplace .org>
Date: Tue, Feb 16, 2016 at 10:44 AM
Subject: Secure folio
To:

FirstName used Dropbox to share Custom Files!

Custom Files . <- tinyurl link, to fake google login page

© 2016 Dropbox

Things to note:


  • Custom files link "to Dropbox" was really a tinyurl .com link.
  • Tinyurl link resolves to a page NOT at Dropbox
  • Login page looks like (but isn't) a Google doc, not a Dropbox page



Phishing Example 126: Warning & Very Urgent

Received February 2016


From: UMN.EDU <xxxxxxx @asu.edu>
Date: Tuesday, February 16, 2016
Subject: Warning & Very Urgent
To: 


upgrade your email account immediately to avoid account suspension / De-activation. To get started, please Click Here <link to goumn-x-weebly.NOT a UMN site>

This email has been sent from a virus-free computer protected by Avast. 
www.avast.com

NOTES:

  • Does a nice job of branding
  • NOT from a UMN address (asu.edu)
  • Goes to commercial webform provider .weebly.com
  • WARNS you not to change your password for 72 hours - oh, really?
  • Avast probably doesn't offer you much protection here





Thursday, February 11, 2016

Phishing Example 125: Your Details Update

Received February 2016

From: UMN Service Center <xxxxx@comcast.net>
Date: Thu, Feb 11, 2016 at 10:55 AM
Subject: Your Details Update
To:



We're experiencing difficulty updating your details, these may leads to data loss.
You're required to secure and update your details below

Support  (Link goes to an offshore, compromised website)

Thanks,
University of Minnesota

NOTES:

  • Link goes to non-UMN SITE
  • LOGIN is a copy of our login page
  • Mail came from a COMCAST address

IF YOU FILLED THIS OUT, CHANGE YOUR PASSWORD IMMEDIATELY!


Wednesday, February 10, 2016

Phishing Example 124: the Outlook / Exchange email

Received February 2016

Things to note:

  • references Outlook/Exchange - not gmail
  • no UMN branding
  • Weblink went to a NON-umn.edu website (and not gmail, either)
  • Received on 2/10, dated 2/11 - sender was in Australia


*From:*
*Sent:* Thursday, 11 February 2016 3:17 AM
*To:*
*Subject:* the Outlook / Exchange email

*ATTENTION*

*Impacted Groups: 2016 Outlook/Exchange Users*

*Monday Feburary 10, 2016 from 07:00pm to 2:00am*

*If you are receiving this message, the Outlook / Exchange email servers
that provide your email service will undergo scheduled
maintenance tonight, Feburary 10, 2016 from 07:00pm to 2:00am *

*Please Click here <hxxp://xxxxxxxx/outlookapp/main.html> and log in to
your Outlook client prior before 07:00 PM today to enable auto backup
of all information's on your mailbox, if you do not log into the auto
backup portal, you may lose the connection to your mailbox including all
your information's during the maintenance. *

*If you find it difficult to send or receive messages from your Outlook
client after the maintenance period, or tomorrow morning, please close
Outlook and then log in again. *

*We regret this inconvenience and appreciate your patience.*


*----------------------------------------------------------------------------
PLEASE DO NOT REPLY DIRECTLY TO THIS MESSAGE.*


*This is a Broadcast e-mail sent on behalf of the Sender and/or Department.
If you wish to respond, please follow the contact instructions in the
message ONLY.*


Monday, February 1, 2016

Phishing Example 123: Please Review

Received February 2016

From: NOTE: May come from an @umn.edu address: be very careful!
Date: February 1, 2016 at 1:06:38 PM CST
To: undisclosed-recipients:;
Subject: Please Review

I've Shared a secure file with you, attached with Google icon. Check Here
to view. <hxxp://bit.ly/xxxxxxxxxxx>

NOTES:
  • We are seeing MANY copies of this.
  • Very plausible google login - BUT LOOK AT THE URL, it ISN'T GOOGLE.COM!
  • Many people have actually fallen for it - IF YOU FILLED IN THIS FORM, CHANGE YOUR PASSWORD ASAP
  • The links in these messages point to multiple bit.ly shortened addresses - the URL shown in this image is the real target, in the domain manomaaa.com - which should NOT be accessible on the umn.edu network.
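
The notes on these examples keep returning to the same indicators: a sender address outside umn.edu, a link hidden behind bit.ly or tinyurl, and a login link that is not on umn.edu. The Python below checks a message for those three; it is an added example, not part of the original blog, and the `triage` function, the brand-name match and the sample messages with their `.example` hosts are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "umn.edu"                          # domain the mail claims to speak for
ORG_NAMES = ("umn", "university of minnesota")  # crude brand match (assumption)
SHORTENERS = {"bit.ly", "tinyurl.com"}          # the shorteners named in the notes
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def in_domain(host, domain):
    """True only for domain itself or a real subdomain, not 'umn.edu.x.example'."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return a list of findings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()
    claims_org = any(n in (display + " " + body).lower() for n in ORG_NAMES)
    findings = []
    # From: is sender-controlled, so a pass here proves nothing; a fail is a flag.
    if claims_org and not in_domain(sender_host, ORG_DOMAIN):
        findings.append("sender-domain-mismatch:" + sender_host)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append("shortened-link:" + host)      # destination is hidden
        elif claims_org and not in_domain(host, ORG_DOMAIN):
            findings.append("off-domain-link:" + host)
    return findings

# Constructed samples (not the real messages); .example hosts are placeholders.
OFF_DOMAIN = ('From: "UMN Service Center" <someone@mail.example>\n'
              'Subject: Your Details Update\n\n'
              'Update your details: http://login.site.example/umn/\n')
FORGED_FROM = ('From: "DoIT UMN.edu" <umn-mail@it.umn.edu>\n'
               'Subject: Security verification\n\n'
               'Kindly follow this link http://bit.ly/CONSTRUCTED to continue.\n')

if __name__ == "__main__":
    for name, raw in (("off-domain", OFF_DOMAIN), ("forged-from", FORGED_FROM)):
        print(name, triage(raw))
```

The forged-From sample passes the sender check and is flagged only by its link, which is why the notes stress looking at the URL rather than trusting the From: line.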