
Thursday, April 20, 2017

Advisory: Unexpected Emails

An example of a spam email that may be trolling for personal information!

Message Text

Subject: New resources for education


Apple-Edu would like to share a special opportunity to you - a sweepstakes offering resources and equipment you can use! Please share anyone with who may wish to consider this - thanks!

    Learn More <<-link



Web Form
Web form used to troll for user email addresses

Things to Note

  • Is this message plausible? Is there any reason that you would receive this message?
  • If the message is delivered to your email - why does their form request your email address?
  • If this message was sent from a specific organization/company - where is the URL hosted?
  • Is the person sending it from the company represented?
  • Use "mark as spam" - this will help filter such messages in the future
  • Report suspicious email to University Information Security - phishing@umn.edu

Tuesday, April 18, 2017

Advisory: BBB Scam Tracker

The Better Business Bureau maintains an information and reporting tool for scams at https://www.bbb.org/scamtracker

Spot a business or offer that sounds like an illegal scheme or fraud? Tell the BBB about it. Help investigate and warn others by reporting what you know.

Monday, April 17, 2017

Example 196: ID:431 -Account Reset Notification

Account termination warning aimed at getting your password.

Message Text:

Sent: 17 April 2017 17:25
Subject: ID:431 -Account Reset Notification
      This message is sent from a trusted sender.
Account Confirmation
Dear User,
We received a request from you yesterday to terminate your account
permanently and we are working on that now. but first we need to confirm, If
you did not request this, please follow this link to
hxxp://xxxxxxxxxxxxxxx/help-desk.html   to cancel the
request immediately.
If you actually request to delete your account, please ignore this email.
Thank you for using Microsoft services . .
Web Form

Fake login page - with working captcha!

scammer provided "privacy policy"

Things to note:

  • Web form and message have no U of M branding
  • Form refers to Microsoft Outlook mail - UMN uses Google
  • Form has a working "captcha" - you have to enter the right info to proceed
  • Form even has a "privacy policy" telling you YOU ARE SAFE (no, you are not if you enter your password here).

Tuesday, April 11, 2017

Example 195: Account Update

Dangerous email scam sent out Tue, Apr 11, 2017 at 4:57 PM:

Fake login page designed to steal IDs and passwords

From: IT Service <compromised-account@umn.edu>
Date: Tue, Apr 11, 2017 at 4:57 PM
Subject: Account Update

This is an alert to all active Student, Staff and Alumni of University of
Minnesota that we are validating all accounts.

Validate <hxxps://tinyurl.com/mv7ockr> your account to avoid difficulties
on account or even closure.

IT Service

Note fake URL: umm.edu.recalca.org.co/gmail/gmail.html
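
The check that exposes the fake URL above, shown as an added example (not code from the original advisory): a host belongs to a domain only when the domain is its rightmost labels, and a near-copy placed further left is a lookalike. The trusted domain `umn.edu`, the function names and the 0.8 similarity threshold are assumptions made for this illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Optional
from urllib.parse import urlsplit

TRUSTED = "umn.edu"  # assumption: the domain the message claims to represent

def hostname(url: str) -> str:
    """Lower-cased host of a URL; accepts defanged (hxxp) and scheme-less input."""
    url = url.strip()
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url  # urlsplit only recognises a host after '//'
    return (urlsplit(url).hostname or "").rstrip(".")

def belongs_to(host: str, domain: str = TRUSTED) -> bool:
    """True only for the domain itself or a subdomain on a label boundary."""
    return host == domain or host.endswith("." + domain)

def lookalike_prefix(host: str, domain: str = TRUSTED,
                     threshold: float = 0.8) -> Optional[str]:
    """Run of labels imitating the trusted domain in a host that is not under it."""
    if belongs_to(host, domain):
        return None
    labels = host.split(".")
    width = domain.count(".") + 1          # compare windows of the same label count
    for i in range(len(labels) - width + 1):
        window = ".".join(labels[i:i + width])
        if SequenceMatcher(None, window, domain).ratio() >= threshold:
            return window
    return None

if __name__ == "__main__":
    for link in ("umm.edu.recalca.org.co/gmail/gmail.html",  # URL noted in the advisory
                 "https://www.umn.edu/"):                     # constructed legitimate link
        h = hostname(link)
        print(h, belongs_to(h), lookalike_prefix(h))
```

The link in the message itself is a URL shortener, so this check only applies once the final destination is known.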

Advisory: Easter Holiday Phishing Scams and Malware Campaigns

As the Easter holiday approaches, US-CERT reminds users to stay aware of holiday scams
U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

04/11/2017 10:35 AM EDT

Original release date: April 11, 2017

As the Easter holiday approaches, US-CERT reminds users to stay aware of holiday scams and cyber campaigns, which may include:
  • unsolicited shipping notifications that may actually be scams by attackers to solicit personal information (phishing scams),
  • electronic greeting cards that may contain malicious software (malware),
  • requests for charitable contributions that may be phishing scams or solicitations from sources that are not real charities, and
  • false advertisements for holiday accommodations or timeshares.
US-CERT encourages users and administrators to use caution when reviewing unsolicited messages. Suggested preventive measures to protect against phishing scams and malware campaigns include:


Friday, April 7, 2017

Example 194: Warning: Inbox for xxxx@umn.edu is limited [13 undelivered messages]

Fake warning message linked to bogus login page.

Message Text
Subject:    Warning: Inbox for xxxx@umn.edu is limited [13 undelivered messages]
Date:   Fri, 07 Apr 2017 17:29:15 +0100
From:   Mail Delivery Subsystem <bounced-emails@postmaster.net>
To:     xxx@umn.edu

This message was created automatically by mail delivery software.
More than 5 incoming messages could not be delivered to your inbox since over 72 hours.
The following address(es) failed: READ Your Undelivered Messages On Server
<https://xxxxxxx.com solution/Retrieve.html?xxxxr@umn.edu>

host smtp.mailchannels.net []
SMTP error from remote mail server after end of data:
550 5.7.1 [CS] Messages blocked MAIL FOR: xxxx@umn.edu <mailto:xxxx@umn.edu>. If
you receive this email in your SPAM/JUNK, Kindly move to inbox as to enable you complete the verification. 
Login Form

fake error screen with user name filled in from URL

Things to Note
  • Message is customized with the email address in the message and subject
  • URL linking to form includes the email address
  • Webform fills in the user name from the URL - but would put any name in if you change the URL
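
A mail-filter style check for the last two points, shown as an added example that is not part of the original advisory: it flags links that carry the address the message was delivered to. The function names and the sample links (on the reserved `.example` domain) are constructed for illustration.

```python
import re
from typing import List, Set
from urllib.parse import unquote, urlsplit

ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def addresses_in_link(url: str) -> Set[str]:
    """E-mail addresses carried in the path, query or fragment of a web link."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return set()                      # mailto: links legitimately hold an address
    # The host part is skipped on purpose: user@host there is URL userinfo, not a mailbox.
    carried = " ".join(unquote(p) for p in (parts.path, parts.query, parts.fragment))
    return {m.lower() for m in ADDRESS.findall(carried)}

def personalised_links(recipient: str, links: List[str]) -> List[str]:
    """Links in a message that embed the address the message was delivered to."""
    recipient = recipient.lower()
    return [u for u in links if recipient in addresses_in_link(u)]

# Constructed sample: links as they might be extracted from one delivered message.
SAMPLE_LINKS = [
    "https://phish.example/solution/Retrieve.html?student@umn.edu",  # bare query, as in the advisory
    "https://phish.example/r?u=student%40umn.edu&x=1",               # percent-encoded '@'
    "https://www.umn.edu/",                                          # no address carried
    "mailto:student@umn.edu",                                        # not a web link
]

if __name__ == "__main__":
    for hit in personalised_links("student@umn.edu", SAMPLE_LINKS):
        print("embeds recipient address:", hit)
```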