
Wednesday, November 30, 2016

ADVISORY: US-CERT Alerts Users to Holiday Phishing Scams and Malware Campaigns

US-CERT Alerts Users to Holiday Phishing Scams and Malware Campaigns

Original release date: November 30, 2016
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver infected attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes.
To avoid seasonal campaigns that could result in security breaches, identity theft, or financial loss, users are encouraged to take the following actions:
  • Avoid following unsolicited links or downloading attachments from unknown sources.
  • Visit the Federal Trade Commission's Consumer Information page on Charity Scams.
If you believe you are a victim of a holiday phishing scam or malware campaign, consider the following actions:
  • Report the attack to the police and file a report with the Federal Trade Commission.
  • Contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed and do not use that password in the future. Avoid reusing passwords on multiple sites.



Tuesday, November 22, 2016

Example 174: INVITATION TO ACCESS NECESSARY DOCUMENT [DOCX..313]

PDF from compromised user, goes to fake Google login
Received November 2016

Things to note

  • Email comes from a compromised umn.edu user's account
  • Multiple subject lines used, all about "document" requiring review
  • Attached PDF contains a link to a fake website (we've seen multiple, including from the UK and Italy) that has a fake Google login form
  • Filling in the page redirects to the real Google Drive or a dummy document.


Message:

From: "X Xxxxx" <xxxxx @ umn.edu>
To:
Subject: INVITATION TO ACCESS NECESSARY DOCUMENT [DOCX..313]
Date: Tue, 22 Nov 2016 11:22:13 -0400
Hello,
Please go through file report which i just shared with you,
it's need your prompt attention,
 Access Attached document and let me know if you have questions

PDF with link

dummy PDF used to deliver link to phishing form


Fake Login Form
Fake Google Login / includes multiple email providers (Google DOES NOT)

Monday, November 21, 2016

Example 173: Code of Conduct / Final Update Required For All Staffs

PDF from compromised user, forged as from Pres. Kaler.
Received November 2016

Things to note


  • Email comes from a compromised umn.edu user's account, but used Pres. Kaler's name.
  • ALSO seen from an outside address, and from another outside address with the subject "Final Update Required For All Staffs"
  • NO text in email, instead there is an image of a notice regarding a new policy.
  • Attached PDF contains a link to a Brazilian website that has a fake Google login form
  • Filling in the page redirects to the real Google Drive.


Message:

Image used for phishing message - claims to link to a pdf / google doc

PDF with link

dummy PDF used to deliver link to phishing form

Fake Login Form

Fake Google Login / includes multiple email providers (Google DOES NOT)

Friday, November 18, 2016

Example 172: Upgrade

Fake UMN warning from compromised user
Received November 2016

Things to note

  • Email comes from a compromised umn.edu user's account
  • Link labelled "UMN" goes to a .com site
  • Copied UMN login page warns about going to non-umn sites - like their own page
  • Filling in the page redirects to the UMN TC home page
  • University email storage is UNLIMITED - there is no "15 GB" limit.

Message Text:
From: University Of Minnesota <compromised user @ umn.edu>
Date: Fri, Nov 18, 2016 at 9:39 AM
Subject: Upgrade
To:
Dear UMN user,
Your Email space is about to be used up. Please upgrade to 15GB mailbox
space below so that you can receive your new pending emails.

http://umn.edu/login
<http:// xxxx xxxx.com/unm/Sign%20In_%20University%20of%20Minnesota.html>
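The link above is the indicator worth automating: the visible text reads http://umn.edu/login while the actual href points at a .com site. The following is an added example (not from the original page or the University's own tooling) that scans an HTML message body for anchors whose displayed text claims the institution's domain but whose target host is not under it. The trusted suffix and the sample message are assumptions; the fake hostname is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIX = "umn.edu"  # assumption: the institution's own domain


def _host(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _under(host: str, suffix: str) -> bool:
    """True if host is suffix itself or a subdomain of it (no substring tricks)."""
    return host == suffix or host.endswith("." + suffix)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, trusted: str = TRUSTED_SUFFIX) -> list:
    """hrefs whose visible text names the trusted domain but whose host is not under it."""
    p = _AnchorCollector()
    p.feed(html)
    return [href for href, text in p.links
            if (_under(_host(text), trusted) or trusted in text.lower())
            and not _under(_host(href), trusted)]


# Constructed sample modelled on the "Upgrade" message: text says umn.edu, href does not.
SAMPLE = (
    '<p>Please upgrade to 15GB mailbox space below.</p>'
    '<a href="http://example-fake.com/unm/Sign%20In.html">http://umn.edu/login</a>'
    '<a href="https://www.umn.edu/">University of Minnesota</a>'
)
```

The check deliberately compares whole host labels, so a lookalike such as umn.edu.evil.example is still flagged.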

Fake Login Form
fake UMN login - note: includes warning about going to fake sites


Wednesday, November 16, 2016

Example 171: Resource Info


PDF from compromised user - spam "mystery shopper" offer
Received November 2017

Things to note


  • Email comes from a compromised umn.edu user's account
  • Attachment contains a PDF - only to deliver an ad for a secret shopper offer
  • This is not the first such offer - the PDF is the same but the link differs from the earlier ones
  • This is NOT a legitimate offer - the application is designed for identity theft



Message Text:

From: Compromised User < xxx  @ umn.edu>
Date: Wed, Nov 16, 2016 at 6:14 AM
Subject: Resource Info
To:
Good Morning,
I participated in this survey and made some extra pay, kindly go through
the included info for details.
Thanks.

PDF with link to login form

pdf with link to bogus sign-up page


Linked Sign Up on Compromised Site
screen shot of secret shopper sign up form




Thursday, November 10, 2016

Example 170: University Of Minnesota Required Update For All Staffs

PDF forged as from President Kaler, links to fake dropbox doc with a "Google" login.
Received November 2017

Things to note

  • Email comes "from" President Kaler, but really sent by a compromised user's account
  • Attachment contains a PDF - only to deliver a link to a fake login
  • Attachment says "dropbox" doc, but goes to fake Google login
  • "Logging in" flips to real Google Drive - if user is logged in to Google, they will see their own drive - otherwise they'll see a Google login


Message Text:

From: compromised user < xxxx@ .umn.edu>
Date: Thu, Nov 10, 2016 at 9:59 AM
Subject: University Of Minnesota Required Update For All Staffs
To:
 
Office of the President
Dear All,
Attached is an important update for you,  Download and verify your email
identity.
P.S: If you do not verify your email identity, there will be restrictions
accessing your email.

Sincerely,
Eric W. Kaler
President
------------------------------
This email was sent to faculty, staff and students at the University of
Minnesota, Morris by: Office of the President, 202 Morrill Hall, 100 Church
St S.E., Minneapolis, MN, 55455, USA. Read our privacy statement
<http :// click.ecommunications2.umn.edu/.... copied link to make it look real> 

PDF with link to login form
fake Dropbox pdf with link to fake login page

Fake Login 
Fake "Google" login page with multiple email providers


"Error" message following login
Error message after filling in login form

Sends to REAL Google Drive/Docs
Real Google Drive login presented if user not logged in to Google

Tuesday, November 8, 2016

Example 169: View Sent Info

PDF "from" compromised U account with PDF linked to fake adobe doc login
Received November 2017

Things to note


  • Attachment contains a PDF - only to deliver a link to a fake Adobe login
  • Adobe login not *at* adobe.com
  • "Logging in" to form presents Adobe error message, no document.



Message Text:
From: Xxxxx Xxxxxxxx < compromised user @umn.edu>
Date: Tue, Nov 8, 2016 at 6:28 AM
Subject: View Sent Info
To: Xxxxx Xxxxxxxx < compromised user @umn.edu>

Good Morning,
I need you to look through the included info and share your thoughts.

PDF with link to login form

oddly branded PDF with a link to a fake login page

Fake Login 

Fake (not hosted at adobe.com) Adobe login

"Error" message following login


"Error" message that kicks you out at the end (no document delivered)

Monday, November 7, 2016

Example 168: Kxxxx Hxxxx has shared the following document

PDF "from" non U source with PDF linked to fake google doc login
Received November 2017

Things to note

  • Attachment contains a PDF - only to deliver a link to a fake Google login
  • Google login (not *at* google.com) presents multiple email provider choices - Google doesn't do that
  • "Logging in" to form presents Adobe error message, no document.


Message Text:
From:
Date: Mon, Nov 7, 2016 at 5:41 AM
Subject: Kxxxx Hxxxx has shared the following document 
To:

Hi,
Kindly review the attached file report urgently.
FReportbook504.pdf
Regards.
Google Drive: Have all your files within reach from any device. 

PDF with link to login form
PDF containing phishing form URL link



Fake Login Choices
Fake Google multiple email choice login - Google DOES NOT do this

Fake Login Form

Non-Standard Google Login Form

"Error" message following login

Error presented after login


Friday, November 4, 2016

Example 167: Please view classified information to all staffs

PDF "from" Pres. Kaler with link to fake Google login
Received November 2016

Things to note

  • Message says "from President Kaler" but sender email is a compromised student account
  • Attachment contains a PDF only to deliver a link to a fake Google login
  • Google login (not *at* google.com) presents multiple email provider choices - Google doesn't do that

Message Text:
From: President Eric W. Kaler <  compromised user account@umn.edu>
Date: Fri, Nov 4, 2016 at 12:49 PM
Subject: Please view classified information to all staffs
To:

Hi,
please go through file report which i just shared with you,
it's need your prompt attention, Access Attached document
let me know if you have questions.
Sincerely
ERIC W. KALER
President

PDF with link to login form
PDF sent to deliver link to phishing form

Fake Login Form
Fake Google login - including non-Google email choices