Go to the U of M home page

Wednesday, June 22, 2016

Phishing Example 153: Fake PDF attachment "For your Perusal"

Received June 2016

From: [compromised @umn.edu account]
Date: Tue, Jun 21, 2016 at 12:41 PM

This file is sent for your perusal


(Attached is a PDF with a link: )

Clicking on PDF will go to a URL that downloads a javascript form

Form to capture email address and password
  • Mail sent from a compromised UMN account belonging to someone you might know
  • Mail includes an attached PDF that has an active URL link
  • The URL goes to a website that loads a javascript form - the address bar on the form will not show a proper URL (see picture)

Friday, June 17, 2016

Phishing Example 152: University of Minnesota Staff and Student Notice

Received June 2016

Subject: University of Minnesota Staff and Student Notice
Date: Fri, 17 Jun 2016 08:52:54 +0000
From:Jjjjjjjjj Hhhhhhh < Jjjjjj.Hhhhhh@ uottawa.ca > [note comes from a compromised account in 
[University of Minnesota block M and wordmark]

Secured Information for all Staff and Student
Login to access details. MyU: For Students, Faculty, and Staff

University of Minnesota.
News Update 2016

Fake login - hosted in Singapore - note the URL ends in ".sg"

"logging in" takes you to a REAL UMN web page

  • Email comes from "ottawa.ca" - not a UMN.EDU sender
  • Email link sends you to a fake login page HOSTED IN SINGAPORE, not umn.edu
  • Filling in the page (please don't!) sends you to a UMN.EDU info page (that doesn't really require a login - you can go directly to https://shb.umn.edu/health-plans/gahp-home)


Wednesday, June 8, 2016

Advisory Classic - Logging on to University Google resources

Note: This is an updated reminder of what logging into Google resources should look like (May, 2017). You may have been directed here after receiving a test phishing message.

From time to time, you will see phishing schemes that claim to be a Google Doc. Most recently, many have received a scam letter titled "I've shared an item with you." The "google link" in the email doesn't go to Google, of course - and it may present a login that looks like this:

Currently, a REAL Google login should look like this:

Current Google App Login (May 2017)
Current Google App Login (May 2017)

But, be careful. Looking like this is not enough.

(PLEASE note - if you are  already logged in to gmail, following a link to a google doc should NOT present you with a login - you're already logged in.)


  1. You ARE prompted to login to a resource for the University, 
  2. AND you receive the Google prompt,
  3. DO NOT enter your password.
  4. Just present your email address, e.g. internet-id@umn.edu
Like this:
Logging into Google with an @umn.edu account
Logging into Google with an @umn.edu account

If it's legitimate, you may next see:
(You'll see this if Google thinks you have two versions of NAME@umn,edu, Choose "Organizational")
You'll be sent to the U's authentication system where you will do your real Internet ID + Password login on this screen: 

Remember, if legitimate, THIS login page will be hosted at an address that ends in "umn.edu." If it isn't, it is unlikely to be a real login page and you should report it to phishing@umn.edu.

Phishing Example 151: Your Pending Emails

Received June 2016

From: UMN.EDU <helpdesk @ umn.edu not really!> <some compromised user @ umn.edu>
Date: Wed, Jun 8, 2016 at 9:41 AM
Subject: Your Pending Emails

University of Minnesota Driven to Discover
Important Notice


Please login here UMN online.to receive your pending emails on your inbox
© 2016 Regents of the University of Minnesota. All rights reserved.

  • good copy of UMN login page
  • "form" hosted at a .com address, not umn.edu

Phishing Example 150: Payment question (*or* "One of these things is not like the other")

Received June2016

*also* sent with subjects:  “major provider”, “many things”, and “pay attention”

From: [Compromised UMN account]
Date: Tue, Jun 7, 2016 at 6:53 PM
Subject: Payment question

I've attached the 12 questions  for June in PDF
<hxxp :// xxxxx/aep/pdf/accessvalidate/es>  the file is also
available in Google drive and adobe
<hxxp://   xxxxxxx /aep/pdf/accessvalidate/es> file reader

Look at this side-by-side comparison - on the left, a real google login, on the right the phisher's version:
Left side REAL GOOGLE docs login, Right side *FAKE*


  • Probably comes from someone you know (the phisher bcc's all contacts)
  • Claims to go to a Google Drive - aka "docs," and presents a fake login.
  • Fake Login DOES NOT HAVE Google logo
  • Fake Login Offers multiple email providers in a drop down - real Google DOES NOT
  • See phishing advisory showing what a NORMAL login to Google/UMN resources looks like

Friday, June 3, 2016

Phishing Example 149: Umn update

Received June 2016

Date: Fri, Jun 3, 2016 at 3:25 PM
Subject: Umn update

You have exceeded your mail.umn.ed quota limit of 500MB and you need to
 expand the mail.umn.ed quota before the next 48 hours. If you have not
updated your mail.umn.edu account in 2016, you must do it now. Click here:
<hxxps : // docs.google.com/forms/dxxxxxxxxxxxxxx/viewform>
to upgrade your account.

Email Services | IT@UMN


  • Email talks about a 50MB email limit - UMN ACCOUNTS HAVE NO LIMIT
  • Uses a Google form to collect info - note Google warning not to submit passwords
  • Passwords display in the clear
  • No UMN branding

Thursday, June 2, 2016

Phishing Example 148:URGENT / Upgrade Notice

Received June 2016

Subject: Upgrade Notice
Date: Thu, 2 Jun 2016 14:39:38 -0400 (EDT)
From: UMN.EDU < helpdesk  @ umn.edu>  [NO, not really]
Dear UMN.EDU <http://umn.edu/> user,

Please upgrade to our newest 15GB mailbox space inorder for you to receive
your awaiting emails:http://www.umn.edu/15GB/upgrade-information


  • Multiple versions of subjects
  • Multiple URLs - secondary URLs are redirecting to the origininal URL
  • Precise copy of our login page
  • "Come-on" message offers "15GB" upgrade - but UMN accounts ARE UNLIMITED ALREADY (see below)

Wednesday, June 1, 2016

Phishing Example 147: Message from UMN Payroll Department (ANOTHER SCAM!)

Received June 2016

Date: Wed, 1 Jun 2016 07:51:00 -0700
Subject: Message from UMN Payroll Department
From: compromised UMN account

[image: University of Minnesota Driven to Discover]
Payroll Services

hxxps://  www.myu.umn.edu/  NOTE: displays this URL, but goes to the compromised one
<hxxp://  COMPROMISED-WEBSERVER.com/idp2_shib_umn_edu/idp/umn/login.html>

2016 Payroll Department of the University of Minnesota. All rights reserved.

Document: 0121


  • Likely a repeat scam from the same group as on 5/31
  • Perfect copy of our sign-in - LOOK AT THE URL, it ISN'T from "umn.edu"