
Thursday, March 23, 2017

US-CERT Advisory: Aviation Phishing Scams

Warning of reports of email-based phishing campaigns targeting airline consumers.

Aviation Phishing Scams

Original release date: March 23, 2017
US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information.
US-CERT encourages users and administrators to review an airline Security Advisory and US-CERT's Security Tip ST04-014 for more information on phishing attacks.

US-CERT warning about aviation phishing

Tuesday, March 21, 2017

Advisory: IRS Warns of Last-Minute Tax Scams

Timely reminder from US-CERT of tax-time related phishing.

IRS Warns of Last-Minute Tax Scams

Original release date: March 17, 2017
The Internal Revenue Service (IRS) has released an alert warning of phishing email scams targeting last-minute tax filers. The alert describes common features of these cyber crimes and includes recommendations to protect against them: strengthen passwords, recognize phishing attempts, and forward suspicious emails to phishing@irs.gov.
Taxpayers and tax professionals are encouraged to review the IRS alert and US-CERT's advice on Avoiding Social Engineering and Phishing Attacks.

US-CERT web page with warning.

Tuesday, March 14, 2017

Example 193: New Payroll Information !

Forged message displaying a plausible URL that really links to a fake UMN login page hosted outside umn.edu. (NOTE: you may have been directed to this page from an educational "phish" message you received recently)

From: University of Minnesota <notification@umn.edu>
Date: Mon, Mar 13, 2017 at 7:16 PM
Subject: New Payroll Information !
To: xxxxx@umn.edu

Dear Member
U have 1 New Notification Regarding Your New Payroll
Best Regards,
University of Minnesota

Forged UMN sign in page
  • Email appears to come from "notification@umn.edu," a non-existent address
  • Email appears to show a umn.edu web address (that does NOT exist), but the link really goes through a Polish server that redirects to another server
  • The final web form presents a copy of the UMN login page, hosted at a compromised .org address

Monday, March 13, 2017

Advisory: How the "tech support" scam works

Interesting research and details about a widely used scam.

How the "tech support" scam works

Security researchers at Stony Brook deliberately visited websites that try to trick visitors into thinking that their computers are broken, urging them to call a toll-free "tech support" number run by con artists that infect the victim's computer with malware, lie to them about their computer's security, and con them out of an average of $291 for "cleanup services."

The researchers presented their findings -- including recordings and transcripts of their interactions with the con artists -- in a paper called Dial One for Scam: A Large-Scale Analysis of Technical Support Scams, which they presented at this year's Network and Distributed Systems Security Symposium. Over the course of 60 calls, they found that the con artists all followed a narrow script. By backtracking the con artists' connections to their PCs, the researchers were able to determine that the majority of the scammers (85%) are in India, with the remainder in the USA (10%) and Costa Rica (5%).

The researchers found 22,000 instances of the scam, but they all shared about 1,600 phone numbers routed primarily through four VoIP services: Twilio, WilTel, RingRevenue, and Bandwidth. They also used multiple simultaneous dial-ins and counted the busy signals as a proxy for discovering which numbers led to the most organized gangs.

Once connected, the scammers would click around the would-be victim’s computer and ask about recent usage, implying that whatever the caller had done had led to the machine’s corruption. They’d praise the computer’s underlying hardware, to give the victim a sense that cleaning up its infections would be worth the money. Then they’d point to entirely normal but obscure features of the operating system—listing Windows’ “stopped” services, Netstat scans, Event Viewer, and so on—as evidence of malware or hacker intrusions. Finally, they’d tell the victims about pricing plans for cleanup services, which averaged $291.

Dial One for Scam: A Large-Scale Analysis of Technical Support Scams [Najmeh Miramirkhani, Oleksii Starov and Nick Nikiforakis/Stony Brook]

Listen to ‘Tech Support’ Scam Calls That Bilk Victims Out of Millions [Andy Greenberg/Wired]

Thursday, March 9, 2017

Example 192: Documents to Review

Email from a compromised @umn user with a PDF attachment linking to a fake Google login.

From: Compromised USER < xxx xxx @umn.edu>
Date: Tue, Mar 7, 2017 at 7:16 AM
Subject: Documents to Review
To:

Please the attached to this message is an important document that need your review.
Thank you,

Compromised USER

simple pdf attachment, with link to fake google login


fake google login
Things to note:

  • PDF attachment has no content other than a link (which could have been in the email)
  • Linked login form is NOT a umn or google hosted form
  • Linked login form offers other email providers for login - google doesn't do that
  • Anyone who filled in this form should immediately change their password and check account activity

Monday, March 6, 2017

Example 191: UPDATING CONFIRMATION target-id@umn.edu

Custom phishing email that includes the target email address in the subject, in the URL, and on the login form.

Subject: UPDATING CONFIRMATION target-id@umn.edu
From: "Mail Admin" <DOC@xxxxxx.COM.CN>
Date: Mon, 06 Mar 2017 04:32:50 -0700
To: target-id@umn.edu
Admin Alert: Access To Your Account Has Exceeded It Limit! sign
 Dear customer, 
 The deadline for updating all Admin E-mail Account is Today . You are advice to Update Your Account Now.
Kindly Click on Update Your Account to Complete the Process.
We apologize for any inconveniences
The Admin Account Team © 2017  


Form with Customized URL that appears on form

  • Email subject includes the target email address
  • URL of the login form also includes the target email address
  • Login form displays the target email address
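
Added example (not part of the original archive): a Python check for two tells noted in Examples 193 and 191, a link whose visible text shows a umn.edu address while the href points elsewhere, and a link URL that carries the recipient's own address. The sample HTML, the `.example` hostnames and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class AnchorCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname if value is a single URL or bare hostname, else None."""
    value = value.strip()
    try:
        host = urlsplit(value if "://" in value else "http://" + value).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)  # no lookalike suffixes

def audit_links(html_body, recipient, trusted="umn.edu"):
    """Yield (real host, reasons) for each suspicious link in the message."""
    parser = AnchorCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        real, shown, reasons = host_of(href), host_of(text), []
        # Example 193: visible text shows a trusted address, href goes elsewhere.
        if shown and in_domain(shown, trusted) and not (real and in_domain(real, trusted)):
            reasons.append("display-mismatch")
        # Example 191: the link carries the recipient's own address.
        if recipient.lower() in unquote(href).lower():
            reasons.append("recipient-in-url")
        if reasons:
            yield (real, reasons)

# Constructed sample body; hostnames under .example are placeholders.
SAMPLE = """<a href="http://redirector.example/r?id=7">https://www.umn.edu/new-payroll</a>
<a href="http://mail-update.example/login?email=target-id%40umn.edu">Update Your Account</a>
<a href="https://www.umn.edu/">https://www.umn.edu/</a>"""
print(list(audit_links(SAMPLE, "target-id@umn.edu")))
```

The third link is legitimate and produces no finding; a link whose text is not a URL (as in Example 190) is only caught if its href also carries the recipient's address.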

Thursday, March 2, 2017

Example 190: [Warning] Email Quarantine

Email quarantine warning links to a realistic fake UMN login site


Subject:[Warning] Email Quarantine
From: (non-UMN email address)
Dear Staff/Student:

If you receive this message, it means that your account has been queued for deactivation; this is due to an ongoing script error (code: 505) results received from your account.
To solve this problem, you must reset your account. In order to reset this email account, please follow the link below to  reset your  account in accordance with the following versions.

 Account Reset <<-- link to forged UMN login page

Note: If this process is not completed within 24 hours will be resolved to deactivating your e-mail account. We apologize for the inconvenience.
Sincerely, University of Minnesota
Hotline: 0800-080-402

forged copy of UMN login page

real UMN account landing page


  • login page is complete copy of current UMN login - all links valid EXCEPT the form
  • completing the form takes you BACK to UMN web pages