
Tuesday, March 22, 2016

Advisory: Phone Scams Continue to be a Serious Threat, Remain on IRS “Dirty Dozen” List of Tax Scams for the 2016 Filing Season

We've received numerous reports of students receiving calls from the "IRS" telling them that they owe money because they did not pay taxes on student loans. These calls are bogus. The IRS initiates contact by postal mail, not by unsolicited phone calls, and a caller ID that shows an IRS number proves nothing, because caller ID is trivially spoofed. Hang up and do not give the caller any personal or payment information. The IRS's own guidance (https://www.irs.gov/uac/Report-Phishing) says:
The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
For more on IRS-related phishing, see the IRS page at https://www.irs.gov/uac/Report-Phishing.


Phishing Example 137: We noticed a login attempt to your UMN account

Received March 2016


From: University of Minnesota <noreply@umn.edu>
Date: Tue, Mar 22, 2016 at 1:13 PM
Subject: We noticed a login attempt to your UMN account
To: Recipient <noreply@umn.edu>

We noticed a login attempt to your UMN account from an unrecognized device on Tue, March 22, 2016. As part of our Security Agreement we have place your account on "Limitation". Please follow the link below to keep your UMN account safe: Click to verify your account password

Thanks for taking these additional steps to keep your account safe. 

©2016 UMN students and staffs Affairs.

NOTES
  • No personalization (the To: line is noreply@umn.edu, not your address)
  • No specifics other than the date
  • Links to a website under the Russian (.ru) top-level domain that asks you to log in
  • Web form is clearly not UMN branded

Phishing Example 136: Your New Seven Pending Incoming Mails...

Received March 2016

Subject:    Your New Seven Pending Incoming Mails...
Date:   Tue, 22 Mar 2016 05:56:40 -0700
From:   University of Minnesota Twin Cities < supports @  umn.edu>


Dear Umn.edu Member,

University of Minnesota Twin Cities Technical Team have placed your
seven incoming mails on pending status because of the new update to our
server. We are sorry for this, but this will make email experience more
enjoyable to all Staff and Students.

To receive all the emails on pending status, please Click here
<hxxp://www.xxxxxxx.xcom.tr/wp-content/UMN.php> to login and wait for
response from our email support team in order to receive the pending new
messages.

We apologize for any inconveniences this might have caused.


Notes:

  • Variation of the "x pending emails" scam seen earlier
  • Claims to come from supports@umn.edu, an address that does not exist
  • Really comes from a different sender
  • Directs you to a page under a Turkish (.tr) domain
  • Presents a simple login form copied from a UMN partner's webmail page
  • Sends you on to that real webmail page after you fill it out, so nothing looks wrong

Friday, March 18, 2016

Phishing Example 135: Hello

Received March 2016

Date: Fri, 18 Mar 2016 16:26:08 +0600

Subject: Hello
From: 
To: 
I shared a document with you. Go to:

hxxps:// www. docusign.com <hxxp://bit.ly/xxxxxxxx> and just sign in with

your email address to view the document.The file

is too large so I couldn't attach it let me know

what you think.


NOTES:

  • Sent from a compromised UMN account
  • The visible link text says docusign.com, but the actual link is a bit.ly shortener that hides the destination, a .au address



Tuesday, March 15, 2016

Phishing Example 134: Detecting Fake Google Doc Logins ("Shared PDF")

Detected March 2016

A fake Google Drive login page is being pushed to the UMN community via this email:

Subject: Shared PDF
From:
To:
Hello,
 It's not an attachment -- it's stored online at Google Drive. To open
 this document,Go to hxxp://drive.com <hxxp : //ow.ly/xxxxx> and just sign in
with your email to view.
Best Regards.
NOTE: 
  • Claims to go to Google (and "drive.com" is not even a Google domain), but links instead via ow.ly to hide the real URL


The login page looks like this:

NOTE: 

  • There is NO Google logo.
  • It asks for Email AND Password on the same screen
  • It has a drop-down menu for MULTIPLE email services
GOOGLE LOGINS DO NOT LOOK LIKE THIS!

Here is what a real Google login would look like (as of March 2016; Google changes its sign-in page, so compare against the page you get by typing accounts.google.com yourself):

NOTE:
  • New sans-serif logo at top
  • Only asks for email address
  • Offers NO choice of mail provider

Phishing Example 133: Your New Five Pending Incoming Mails...

Received March 2016

From: University of Minnesota Twin Cities Email Support
Date: Tue, Mar 15, 2016 at 12:27 PM
Subject: Your New Five Pending Incoming Mails...
To:


Dear University of Minnesota Twin Cities Member,


We have placed your five incoming mails on pending status because of the
new update to our server. We are sorry for this, but this will make email
experience more enjoyable to all our Customers.

To receive all the emails on pending status, please Click here
<hxxp:// xxxxxxxxxx.it/wp-content/uploads/umn.php> to login and wait for
response from our email support team in order to receive the pending new
messages.

We apologize for any inconveniences this might have caused.



NOTES:

  • Fake "From:": the display name says UMN email support, but the actual sending address is a different email
  • Web page hosted on a non-UMN site overseas (the link above is under a .it domain)
  • VERY simple login interface, which copies the webmail used by a UMN affiliate institution
  • An attempt to log in redirects you to the real webmail for that institution


Friday, March 11, 2016

Phishing Example 132: [ UMNmail ]

Received March 2016

From: UMN Help Desk < compromised account @ some other school.edu>
Date: Fri, Mar 11, 2016 at 12:07 PM
Subject: [ UMNmail ]
To:


Hello user

Malicious content has put your account at risk of losing your emails, click
on continue and update you account

You are required to update through the link below.

CONTINUE <hxxp:// bit.ly/  xxxxxxxxxx>

Thanks

The UMN account team


NOTES:

  • URL hidden with bit.ly
  • Landing page is a copy of the UMN login page
  • Real URL obscured in the browser on the target page


Wednesday, March 9, 2016

Phishing Example 131: amended payroll information

Received March 2016

From:
Date: Thu, Mar 3, 2016 at 7:08 AM
Subject: amended payroll information
To:

attention:

This document was sent previously but there was an encryption error.

Please review and update.

Thank you

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

NOTES

  • This email comes from a NON-UMN.EDU source (paychex.com)
  • The attachment is called "DOCUMENTS.xls.HTM": an HTML file pretending to be a spreadsheet. With Windows' default "hide extensions for known file types" setting, Explorer shows it as DOCUMENTS.xls, but double-clicking opens it in the browser, not in Excel
  • If you open it, the HTML can run JavaScript that runs a trojan
IF you received this, and if you opened it, contact your technical support to help determine if your computer has been compromised.
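The "DOCUMENTS.xls.HTM" trick can be caught mechanically. The following is an added example, not the UMN security team's code: it builds a constructed MIME message modelled on the lure above (the sender address, the attachment bodies and the second .xlsx attachment are all made up for the demo), then checks each attachment two ways: does the filename carry a second, active extension, and do the first bytes match the type the filename claims?

```python
"""Check e-mail attachments whose filename lies about their content.

Added example for the "DOCUMENTS.xls.HTM" case; not the UMN team's code.
The sample message is constructed; only the filename and subject line
mirror the real lure.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that run as code or render as a web page when double-clicked.
ACTIVE_EXTS = {"htm", "html", "js", "jse", "vbs", "wsf", "hta", "exe", "scr", "bat", "cmd"}

# Leading bytes a genuine file of the claimed type starts with.
MAGIC = {
    "xls": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document (legacy Office)
    "xlsx": (b"PK\x03\x04",),        # zip container (Office Open XML)
    "pdf": (b"%PDF",),
}


def analyze_filename(name):
    """Return (claimed_ext, real_ext, is_double_extension).

    "DOCUMENTS.xls.HTM" -> ("xls", "htm", True): the OS acts on the last
    extension, so the file opens in a browser, not in Excel.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 2:
        return None, None, False
    real_ext = parts[-1]
    claimed_ext = parts[-2] if len(parts) == 3 else None
    double = claimed_ext is not None and real_ext in ACTIVE_EXTS
    return claimed_ext, real_ext, double


def check_attachments(raw_message):
    """Parse a raw RFC 5322 message; return one finding dict per attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        claimed, real, double = analyze_filename(name)
        reasons = []
        if double:
            reasons.append(f"double extension: looks like .{claimed} but opens as .{real}")
        if real in ACTIVE_EXTS:
            reasons.append(f".{real} attachment is active content")
        if b"<script" in payload[:4096].lower():
            reasons.append("payload contains a <script> element")
        expected = MAGIC.get(claimed or real)
        if expected and not payload.startswith(expected):
            reasons.append(f"content does not start like a .{claimed or real} file")
        findings.append({"filename": name, "content_type": part.get_content_type(),
                         "reasons": reasons})
    return findings


def build_sample():
    """Constructed message (not the real lure): a disguised HTML attachment
    plus, for contrast, an attachment that really does look like an .xlsx."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"        # hypothetical non-UMN sender
    msg["To"] = "recipient@example.edu"        # hypothetical recipient
    msg["Subject"] = "amended payroll information"
    msg.set_content("This document was sent previously but there was an encryption error.")
    html = b"<html><body><script>window.location='http://example.invalid/dl';</script></body></html>"
    msg.add_attachment(html, maintype="text", subtype="html", filename="DOCUMENTS.xls.HTM")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="budget.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in check_attachments(build_sample()):
        print(f["filename"], f["content_type"], f["reasons"] or "ok")
```

The magic-byte check matters more than the extension check: an attacker can name the file anything, but an HTML file cannot start with an OLE2 or zip header and still be parsed as a web page. A mail gateway would run the same logic before delivery; on a workstation, the equivalent check is to turn off "hide extensions for known file types".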

Tuesday, March 8, 2016

Phishing Example 130: [ UMN ] NetID

Received March 2016


From: UMN Help Desk <XX Compromised USER @ umn.edu>
Date: Tue, Mar 8, 2016 at 8:32 AM
Subject: [ UMN ] NetID
To:
     
Hello user ,

We have placed a temporal hold on two incoming mails to your account due to
insufficient validation.

To continue receiving messages,  follow https://mail.umn.edu
<hxxp://bit.ly/  address> and validate your service.

This helps us stop automated programs from sending junk email.

We apologize for any inconvenience and appreciate your understanding.

Thanks,

UMN account team.


Notes:

  • Sent from a compromised UMN.EDU user account
  • The link text reads https://mail.umn.edu, but the link itself goes to bit.ly, which obscures the destination (yeattsdirect.com)
  • Very good copy of the UMN login page
  • URL obscured in the browser (see image below)

(Screenshot: the same page with the real URL visible)
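Examples 130, 132, 134 and 135 all rely on the same trick: the text you see is not where the link goes, and a shortener hides the real host. The following is an added example, not the UMN security team's code, that makes the comparison explicit. It parses an HTML body with the standard library and, for every link, reports the visible text, the real href host, whether that host is a URL shortener, and whether the visible text names a different host than the href. The sample HTML is constructed to mirror the lures above, and the list of hosts treated as trusted is an assumption for the demo.

```python
"""Compare what a link says with where it really goes.

Added example for UMN examples 130, 132, 134 and 135; not the UMN team's
code. SAMPLE_HTML is constructed; TRUSTED_SUFFIXES is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "ow.ly", "goo.gl", "tinyurl.com", "t.co"}
# Hosts a UMN mail link would be expected to land on (assumption for this demo).
TRUSTED_SUFFIXES = ("umn.edu", "google.com", "docusign.com")
# Something that looks like a host name or URL inside the clickable text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    # Exact match or a subdomain; "evilumn.edu" must not pass as "umn.edu".
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyze_links(html):
    """Return one dict per link with the reasons it looks suspicious (if any)."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        m = HOST_IN_TEXT.search(text)
        text_host = m.group(1).lower() if m else None
        reasons = []
        if host in SHORTENERS:
            reasons.append("shortener hides the destination")
        if text_host and text_host != host:
            reasons.append(f"text says {text_host} but link goes to {host}")
        if not is_trusted(host):
            # https on the wrong host is still the wrong host
            reasons.append(f"{host} is not a trusted host")
        results.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return results


# Constructed HTML modelled on examples 130 and 134, plus one legitimate link.
SAMPLE_HTML = """
<p>To continue receiving messages, follow
   <a href="http://bit.ly/xxxxxxxx">https://mail.umn.edu</a> and validate your service.</p>
<p>To open this document, Go to <a href="http://ow.ly/xxxxx">http://drive.com</a>
   and just sign in with your email to view.</p>
<p>Questions? See <a href="https://mail.umn.edu/">UMN mail</a>.</p>
"""

if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        print(f'"{r["text"]}" -> {r["href"]}: {r["reasons"] or "ok"}')
```

A shortener can only be resolved by following it (an HTTP HEAD request to the bit.ly or ow.ly URL), which this offline example deliberately does not do; in practice, resolve it from a sandboxed host, never from the recipient's browser. The same mismatch is what you see by hovering over a link in the mail client and reading the status bar instead of the link text.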

Monday, March 7, 2016

Phishing Example 129: Your University of Minnesota Email account will expire at the end of Today.

Received March 2016

From: "Gmail Team" <xxxx-compromised-email-account@ umn edu>
Date: Mar 7, 2016 7:52 AM
Subject: Your University of Minnesota Email account will expire at the end of Today.
To: 
Cc: 

University of Minnesota
Note:

Your University of Minnesota Email account will expire at the end of Today. Order to remain active, Use the following link to update your account

  Re-Activate Your University of Minnesota Email

Thank you for using University of Minnesota Email
Email Account.
Copyright 2016 Email. All Rights Reserved


Note:

  • DOES come from a UMN.EDU address: they used compromised user accounts to send this
  • Uses SSL (https) to connect to a NON-UMN, NON-GOOGLE site. The padlock only means the connection is encrypted; it says nothing about who is on the other end
  • Uses the OLD Google logo on the "sign-in" screen. This is subtle, but look carefully at the screen shots below. Google now uses a sans-serif font; the first two screens have the old "Google" lettering, but the LAST screen is the REAL Google login
  • Google login screens DO NOT ask for Email and PASSWORD on the initial screen, ONLY EMAIL. Again, see the final screen below, which shows a real Google login

FAKE LOGIN SCREEN - COPY OF OLD LOGIN

If you fill it out (please don't) you'll see this screen next (again, note the old logo):

If you fill THAT one out, you will be sent to the REAL Google login screen. IF your browser is already logged in FOR REAL, then you won't see a login screen at all. If you are in a browser that is not logged in, you'll see this:

Note: Logo is in a sans-serif font, and the page ONLY ASKS FOR EMAIL