Phishing Example 146: Message from UMN Payroll Department (SCAM!)

Received May 2016

From: Payroll Department < do_not_reply_emory_edu @ some other domain>
Date: Tue, May 31, 2016 at 10:26 AM
Subject: Message from UMN Payroll Department
To:


Your Pay Advice is now ready for online review on Employee Self-Service:
hxxps://idp2.shib.umn.edu/idp/umn/login
< goes to  hxxp:// some other domain in australia /idp2_shib_umn_edu/idp/umn/login.html>

If you have any questions, please contact your Payroll Department.


PLEASE DO NOT REPLY TO THIS MESSAGE. IT WAS SENT FROM AN AUTOMATED SYSTEM
AND REPLIES WILL NOT BE ANSWERED.

NOTES:

• EMAIL DOES *NOT* COME FROM UMN ADDRESS
• EMAIL TEXT SHOWS UMN LOGIN LINK,**BUT** GOES ELSEWHERE
• VERY GOOD COPY OF UMN LOGIN SCREEN

Phishing Example 145: Greetings................Nnnnn Mmmmmmmm

Received May 2016

From: Nnnnn Mmmmmm ( mmmxxxx @ umn.edu)
Date: Fri, May 13, 2016 at 6:54 AM
Subject: Greetings................Nnnnn Mmmmmmmm
To:


How are you doing? i just sent you the transfer details please Click Here
<hxxp : //tinyurl . com/ xxxx> to view the transfer receipt

Thanks

Mmmmmm

Notes:

• Tinyurl redirects to a compromised web page pretending to be Dropbox
• Compare (below real dropbox login with fake one)
• Sent from a compromised UMN account, subject line has user's name, "signed" from the user.
• Delivered from multiple compromised accounts

Fake login - note display of multiple email providers to choose from.

Real Dropbox - note, no change plus captcha challenge.

Phishing Example 144: Xxxxx Yyyyyy sent you a document....

Received May 2016

From:
Date: May 8, 2016 9:24 AM
Subject: Xxxxx Yyyyyy sent you a document....
To:
Cc:

Xxxxxx Yyyyyy  has invited you to *view* the following shared documents.

A very common sender is one UMN user who was compromised (other compromised accounts have even sent this mail "as" that user)  but we have seen "from" other false names as well.

Open <hxxp : / /  bit.ly/xxxxxxxxxxx>

NOTES:

• May come "from" a real colleague (whose email account was compromised)
• "Shared Document" is linked using a URL shortener like bit.ly
• Link pulls a javascript file from dropbox to display a web page. but examination of the address bar DOES NOT show a conventional URL, instead you'll see something starting with "data:text"

Phishing Example 143: (3) UNREAD MESSAGES

Received May 2016

Subject:    (3) UNREAD MESSAGES
Date:   Thu, 5 May 2016 09:09:18 -0700
From:   OFFICE 365
Reply-To:
To:     OFFICE 365

Dear Microsoft office 365 email  user,
 
Your inbox has exceeded its quota/limit download and open the file
attached to this mail and login to retrieve your missing messages.


Notes:

• Attached file is obfuscated javascript that loads a login page

• No branding
• Unlikely to apply to UMN users of Gmail products (not Office 365)

Phishing Example 142: RE: IT Services

Received May 2016

From:
Date: Thu, May 5, 2016 at 12:34 PM
Subject: RE: IT Services
To:



*Attention,*

*   Your Password Expires in 2hour(s) You are to change your Password below
via the ACCOUNT MANAGEMENT PAGE.   Click on CHANGE-PASSWORD
<hxxps ://xxxxxxxxxxxxxxxxxxx/dp.asp?AppKey=58b940000a06ba50292d4e2ba1b4>
 If Password is not change in the next 2hour(s) Your next log-in Access
will be declined.      Regards, IT Services   Many Thanks,
------------------------------------------------   Remote Desktop Services
Co-coordinator Windows Operations (ITS) *

Note:

• Form labeled "Sample_Contacts"
• Not UMN branded
• Email does NOT come from generic "Remote Desktop Services"

Advisory: FBI: $2.3 Billion Lost to CEO Email Scams

Recent reports have highlighted a different kind of phishing scam, as Brian Krebs notes:

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/ 

We've seen variations on this at the University of Minnesota, the most recent one attempting to collect all the W2 data from the U:

The good news is our staff has been appropriately skeptical of such attempts and never responded (at all) to the attackers. The takeaway is:

• Always question unusual requests, even if they DO come from the email of a colleague or management
• When in doubt, reach out and report such email to phishing@umn.edu

Phishing Example 141: Checking in

Received May 2016


From: [Compromised UMN account]
Sent: Monday, May 02, 2016 7:22 AM
Subject: Checking in

Please see Attached Below
Regards


Email includes an attached PDF that looks like this:

The link (which is all this document delivers) takes you to a fake Google Doc login:

NOTE:

• PDF included to deliver a URL
• URL leads you to a forged Google Doc login
• Fake Google login includes NOT Google logo
• Fake Google login offers multiple email logins - something Google never includes
• Form delivers a "Wealth Management" document if you do log in

Phishing Example 140: Maintenance_Notice

Received May 2016

Subject:Maintenance_Notice
Date: Mon, 2 May 2016 13:37:52 +0000
From: =info @ umn.edu [NO, not really]


<  A href="hxxp:// fernanxxxxxxxxx/web/umn.htm">
           Manage your status here
<  /A>

NOTE:

• Spoofed "From:" address
• VERY GOOD copy of UMN login page (even has live links back to real UMN pages)
• Filling in page directs you to umn.edu home page