
Sunday, October 30, 2016

Example 166: Accounts Processing 11

Fake umn login on Moonfruit free website builder site

Received October 2016

Things to note
  • Email address from colby.edu, not umn.edu
  • Email text presents a bit.ly link obscuring the real site at formcrafts.com, a free website builder website
  • Minimal UMN branding - but NOT the real UMN login page

Message Text:

From: UMN < xxx @colby.edu>
Date: Sun, Oct 30, 2016 at 1:40 PM
Subject: Accounts Processing 11
To:

System message: UMN is phasing out the use of UMN Username.
From October 31 Employees and Students that have not yet done there UMN account verification will be wiped out completely during an update mandatory for establishing a connection LV, 8:00 a.m. to 4:00 pm, kindly follow the instructions below to complete the update page UMN Security ID. Use this link below bit.ly/xxxxxx
After completing this update you will be automatically connected to the UMN services with your ID and password.

Fake Login Form

Fake UMN login from Moonfruit.com website builder site

Thursday, October 27, 2016

Example 165: Helpful Resource

Fake umn login on Formcrafts free website builder site
Received October 2016

Things to note


  • Email address from colby.edu, not umn.edu
  • Email text presents a bit.ly link obscuring the real site at formcrafts.com, a free website builder website
  • Minimal UMN branding - but NOT the real UMN login page



Message Text:

From: *UMN BOARD ROOM* < xxx @colby.edu>
Date: Thursday, October 27, 2016
Subject: Helpful Resources
To:

Please verify your account because due to recent update on our data
base as the Administrator of University of Minnesota it seems that you
have multiple accounts and this as serve as an issue on our database
hence after 28-10-2016 If you do not submit your Umn account you wont
be able to access your Umn email next time. To Verify use this link
bit.ly/xxxxxxxxx 
Note that we will not be able to process your application unless you
have submitted an accepted way. This message sound as a notice and
failure to comply account will be disabled

© 2016 Regents of the University of Minnesota All rights reserved.
Fake Login Form
Fake UMN login on free web builder site
Fake site on FormCrafts.com

Thursday, October 20, 2016

Example 164: Your Pending Emails

Fake umn login on foreign website 
Received October 2016

Things to note

  • Email address says it comes "from" purdue.edu (but really sent by compromised UMN user)
  • Email text presents a link "at" umn.edu (but really linked to an Australian website)
  • Copy of old UMN login missing "M" logo


Message Text:
From: Purdue University <online @ purdue.edu>
Date: Thu, Oct 20, 2016 at 9:53 AM
Subject: Your Pending Emails
To:

Dear UMN user,
Please login below to upgrade your mailbox space in order for you to receive your recent pending emails.
http://www.umn.edu/Login <= link to fake login hidden with umn.edu text
Thanks
© 2016 Regents of the University of Minnesota. All rights reserved.     

Fake Login Form
Fake UMN login page - no branding, hosted in Australia

Wednesday, October 12, 2016

Example 163: Email Account Update

Fake login warning pointing to a foreign website - Received October 2016

Things to Note:
  • Sender is a University member (not any IT office)
  • Refers to iCloud - not a University service
  • The University (and Google) do not send messages like this.
  • See z.umn.edu/whoused to identify (and clear) logins to your account
MESSAGE TEXT:

From: [from compromised account]
Date: Wed, Oct 12, 2016 at 9:04 AM
Subject: Email Account Update
To:

Someone else was trying to use your University of Minnesota ID to sign into iCloud via a web browser.
Date and Time: 11 October 2016, 1:38 AM
Browser: Firefox
Operating System: Windows
Location: Thailand
If the information above looks familiar, you can disregard this email. If you have not recently and believe someone may be trying to access your account, you should click here to upgrade your network
Sincerely,
Technical Support Team
FAKE FORM:


Fake, unbranded UMN login (hosted in Iran, not at umn.edu)
Fake, unbranded UMN login (hosted in Iran, not UMN.EDU)

Tuesday, October 11, 2016

Example 162: Web-mail Security update

Attached PDF with link to fake UMN login - Received October 2016

Things to note:


  • Comes from "Mail Server," but email link is to a user account.
  • Includes a PDF attachment (see below) carrying a link to the fake login.
  • Login page copies (not exactly) the NEW UMN login page (see below). Fake page is missing wordmark and small icons seen in the real page. 
  • Fake page not hosted at umn.edu
  • The University does NOT send PDFs just to point users to a login page - this was a trick to avoid spam filters.


MESSAGE TEXT:
From: Mail Server < compromised user account @ umn.edu>
Date: Mon, Oct 10, 2016 at 4:46 PM
Subject: Web-mail Security update
To:
Preview 'attached' document and act as instructed to keep you safe from online threat.
ATTACHED PDF:

FAKE LOGIN PAGE:
Copy of NEW UMN login - is missing complete branding

REAL LOGIN PAGE:
REAL UMN login page. Includes Full branding and icons.

Monday, October 10, 2016

Example 161: Please Check

Fake UMN login page hosted in India - Received October 2016

Things to note:
  • Email claims to be from a (non-existent) umn.edu address "details"
  • Email really sent from a umn.edu user account that was hijacked/compromised
  • Link in email appears to go to a umn.edu address - real link goes to a website in India
  • "Unread Email" message IS NOT SOMETHING UMN email ever sends.
MESSAGE TEXT:
From: UMN <details @ umn.edu> <compromised UMN account>
Date: Mon, Oct 10, 2016 at 6:42 AM
Subject: Please Check
To:

Dear UMN user,
You have an unread emails on your inbox. Please login below to receive this email.
http://web.umn.edu/login

© 2016 Regents of the University of Minnesota. All rights reserved.     

EMAIL SENDS USERS TO A FAKE UMN.EDU LOGIN:

Image of fake UMN login page that is hosted in India.
As noted - copy of University login is actually hosted in India (".in" ending in the address).
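
The indicators listed for Examples 161, 164, 165 and 166 (link text showing umn.edu while the real link goes elsewhere, a bit.ly link hiding the destination, a "UMN" sender name on a non-umn.edu address) can be checked mechanically. The following is an added example, not code from the University; the function names, the sample messages and the host fake-login.example are constructed placeholders.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "umn.edu"        # the real login domain named on the page
SHORTENERS = {"bit.ly"}    # shortener seen in Examples 165 and 166

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def in_domain(host, domain):
    # The domain itself or a true subdomain; "umn.edu.evil.example" does not pass.
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(from_header, html_body):
    """Return the sorted names of the indicators found in one message."""
    found = set()
    name, addr = parseaddr(from_header)
    if "umn" in name.lower() and not in_domain(addr.rpartition("@")[2].lower(), TRUSTED):
        found.add("sender-not-umn")          # display name claims UMN, address does not
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = host_of(href)
        if target in SHORTENERS:
            found.add("shortened-link")      # destination hidden behind a shortener
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and in_domain(shown.group(1).lower(), TRUSTED) and not in_domain(target, TRUSTED):
            found.add("text-href-mismatch")  # text says umn.edu, href goes elsewhere
    return sorted(found)

# Constructed samples modelled on Examples 166 and 161; hosts are placeholders.
MSG_166 = ("UMN <xxx@colby.edu>", '<a href="http://bit.ly/xxxxxx">bit.ly/xxxxxx</a>')
MSG_161 = ("UMN <details@umn.edu>", '<a href="http://fake-login.example/umn">http://web.umn.edu/login</a>')
```

The sender check finds nothing in the Example 161 sample because that message was sent from a compromised umn.edu account; there the link-text comparison is the check that flags it.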