Tuesday, February 28, 2017

Advisory: IRS Identifies Five Easy Ways to Spot Suspicious Calls

Good summary from the IRS on spotting Scam Phone Calls.

IRS tips on phone scams

Scam Phone Calls Continue; IRS Identifies Five Easy Ways to Spot Suspicious Calls

Update September 2016 — To file a complaint using the FTC Complaint Assistant, choose “Scams and Rip-Offs” and then “Impostor Scams.” 
IR-2014-84, Aug. 28, 2014
WASHINGTON — The Internal Revenue Service issued a consumer alert today providing taxpayers with additional tips to protect themselves from telephone scam artists calling and pretending to be with the IRS.
These callers may demand money or may say you have a refund due and try to trick you into sharing private information. These con artists can sound convincing when they call. They may know a lot about you, and they usually alter the caller ID to make it look like the IRS is calling. They use fake names and bogus IRS identification badge numbers. If you don’t answer, they often leave an “urgent” callback request.
“These telephone scams are being seen in every part of the country, and we urge people not to be deceived by these threatening phone calls,” IRS Commissioner John Koskinen said. “We have formal processes in place for people with tax issues. The IRS respects taxpayer rights, and these angry, shake-down calls are not how we do business.”
The IRS reminds people that they can know pretty easily when a supposed IRS caller is a fake. Here are five things the scammers often do but the IRS will not do. Any one of these five things is a tell-tale sign of a scam. The IRS will never:
  1. Call to demand immediate payment, nor will we call about taxes owed without first having mailed you a bill.
  2. Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  3. Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  4. Ask for credit or debit card numbers over the phone.
  5. Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.
If you get a phone call from someone claiming to be from the IRS and asking for money, here’s what you should do:
  • If you know you owe taxes or think you might owe, call the IRS at 1.800.829.1040. The IRS workers can help you with a payment issue.
  • If you know you don’t owe taxes or have no reason to believe that you do, report the incident to the Treasury Inspector General for Tax Administration (TIGTA) at 1.800.366.4484 or at www.tigta.gov.
  • You can file a complaint using the FTC Complaint Assistant; choose “Other” and then “Impostor Scams.” If the complaint involves someone impersonating the IRS, include the words “IRS Telephone Scam” in the notes.  [See update at top of page.]
Remember, too, the IRS does not use unsolicited email, text messages or any social media to discuss your personal tax issue. For more information on reporting tax scams, go to www.irs.gov and type “scam” in the search box.
Additional information about tax scams is available on IRS social media sites, including YouTube and Tumblr where people can search “scam” to find all the scam-related posts.

Tuesday, February 21, 2017

Example 189 : Information

Email from a non-umn compromised account, with PDF attachment linked to a fake Google login form.

From: Compromised Account <  compromised account  @x x x.edu>
Date: Fri, Feb 17, 2017 at 10:41 AM
Subject: Information

I just shared a abstract information with you, Kindly view the attached document below.
Compromised Account
Assistant Professor  
PDF Attachment

Login Forms

Fake Google form linked from PDF

Fake Google login used

Things to Note

  • Attachment devoid of content - only used to link to login
  • Multi-email login does NOT look like a Google login

Thursday, February 16, 2017

Example 188 : Attention Required!

Forged "csehelp" email sent to CSE students, redirecting to an outside website.

Subject: Attention Required!
Date: Thu, 16 Feb 2017 06:17:03 -0600
From: CSE Helpdesk <csehelp@umn.edu>
To: csehelpi@umn.edu
CSE-IT System Webmal Maintenance Window
Please follow the CSE-IT Status recovery Page: https://cseit.umn.edu/recovemyaccount/
Scream your email for an unwanted bug.
     Dear All, A hoax email was has been sent of our UMN Services . Please Click Here to Screen your email of unwanted bug .  <<Link to fraud site
From Sunday , All affect emails may be disabled.
            Sunday, February 19, 2017
            4:00 a.m. - 12:00 p.m.
Services Affected (avoid these during the window)
  • Unix Home Directories
  • Web Servers
  • FastX servers (remote desktop to Ubuntu Linux)
  • Physics Windows profiles shared files
Link to Specific Details on the Affected Services  
Services Not Affected (common services that users often ask about)
  • Email
  • Databases
  • Networking

What is a “system maintenance window”?
In order to provide a more secure and stable computing environment, CSE-IT uses a scheduled maintenance window to allow systems staff to upgrade, repair, and enhance our systems regularly. Our goal is to reduce unplanned outages which negatively impact everyone’s performance, and increase up time which will, among other things, allow researchers to perform long running simulations without unplanned interruptions.
Can I work during the maintenance window?
Avoid using the affected services during the maintenance window. Affected systems identified above may be available during the maintenance window, but they can and will be shut down without warning and may be unavailable for hours at a time. So, use only at your own risk.
Can’t this be done without disrupting service?
Certain tasks require server reboots and/or physically unplugging electricity. We do our best to group these tasks so service impact is minimized
How do I find out more?
Visit the CSE-IT status page at https://cseit.umn.edu/recovemyaccount/
If you have any questions or concerns, contact us at (612) 625-0876 or csehelp@umn.edu.
College of Science and Engineering
Keller Hall Room 1-201
Phone: (612) 625-0876
Email: csehelp@umn.edu

fake physics email login page

Things to note:

  • Email contains many valid links and information from the College of Science and Engineering (CSE)
  • "click here" text links to fake login form
  • No URL displayed - uses javascript in address bar to build page
  • Page copies existing physics and astronomy email server page.
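
A link audit for the indicators listed above, as an added example that is not part of the original post: it parses a constructed HTML message modelled on Example 188 and flags anchors whose real target leaves the umn.edu domain, including ones whose visible text shows a trusted URL. The host `phish.example`, the sample markup and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "umn.edu"  # assumption: the organisation's own domain

class LinkAuditor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    host = (host or "").lower()
    return host == TRUSTED or host.endswith("." + TRUSTED)

def audit(html_body):
    """Return [(visible text, href, reason)] for links that need a second look."""
    parser = LinkAuditor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href.strip())
        # Hostname the reader *sees*, if the link text is itself a URL.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if url.scheme in ("javascript", "data"):
            findings.append((text, href, "script or data scheme"))
        elif url.scheme in ("http", "https") and not is_trusted(url.hostname):
            reason = ("link text shows a trusted URL" if is_trusted(shown)
                      else "href outside trusted domain")
            findings.append((text, href, reason))
    return findings

# Constructed sample modelled on Example 188; phish.example is a placeholder.
SAMPLE = """<p><a href="https://cseit.umn.edu/">https://cseit.umn.edu/</a></p>
<p>Please <a href="http://phish.example/login">Click Here</a> to screen your email.</p>
<p><a href="http://phish.example/r">https://cseit.umn.edu/recovemyaccount/</a></p>"""
```

Running `audit(SAMPLE)` leaves the genuine umn.edu link alone and reports the other two, which is why a message full of valid links can still carry a single hostile one.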

Example 187: Update account

Email invitation with link to fake portal to "view your W2." 

Message Text

From: ADP PORTAL <xxxxx@yyy.zzz.ec>
Date: Thu, Feb 16, 2017 at 12:38 AM
Subject: Update account
To: 

The Human Resources/Payroll Department has completed the final pay-stub changes for 2017 tax year.
To view the changes to your pay-stub information and view/download your W-2 forms (2014 - 2016 tax years), go to: Adp Portal
or :
https://adpportalupdate1. freeform-provider
We hope you find the changes to your pay-stub information useful and welcome any comments you may have.
Yours Sincerely.

Login Form
fake ADP login form on free form service

Things to note:
  • Comes from a non-umn account
  • Links to a free online form service
  • Very spare, unbranded login page - includes links to form service "to make your own"
  • Password shows in clear if you fill it out (please DON'T!)

Thursday, February 9, 2017

Example 186: fraudulent card charge

Fraudulent email complaint challenging a "credit card charge"; aims to deliver malware.


Date: Wed, Feb 8, 2017 at 9:20 AM
Subject: fraudulent card charge
To: name @ umn.edu

Who the XXXX are you and why is there a charge from umn.edu on my card?
Here you can view my statement , get back to me asap.
<hxxp:// www. xxxx .co.jp/api/get.php?id=xxx    >
Thank you
Tyler Holmes

  • multiple recipients
  • email to "name@umn.edu" has a link to bofa_card_statement_name.doc that really attempts to download an infected Word document
  • payload now blocked on UMN network
  • IMPORTANT: anyone who downloaded and opened the document should contact their tech support to check their computer.

Thursday, February 2, 2017

Example 185: Invoice Payment

From external AND compromised UMN emails; PDF with link to a fake Dropbox login in Sweden


From: "University of Minnesota" <compromised UMN user@umn.edu>
Date: Feb 2, 2017 07:42
Subject: Invoice Payment
To: 
Cc: 
PDF ATTACHED (Important%20Document.-11.pdf)

PDF with link to fake Dropbox site


fake Dropbox login on compromised website