Go to the U of M home page

Monday, July 31, 2017

Example 203: Unrecognized Login Location Alert For xxx@umn.edu

Spoof security alert message aimed at capturing login credentials.

Message Text
Date: 29 Jul 2017 18:27:07 -0400
Subject: Unrecognized Login Location Alert For xxx@umn.edu
To: xxx@umn.edu
From: " E-mail Security Alert" <xxx@xxx.xx.cn
(note: EMAIL From Non-UMN.EDU address!)
for - Account User: xxx@umn.edu 
This is to notify you that someone from an unrecognized location tried logging into your e-Mail (xxx@umn.edu ) few minutes ago. 
Was this done by you? 
For your account security, we strongly recommend that you verify your account now, else you account will be blocked without further notice. 
Click here to Verify your E-mail account now
After verification, extra security features will be activated in your email settings and your account will be safe for use again.
Source: Email Security Team

Things to Note

  • No University of Minnesota text or branding
  • Email source NOT @umn.edu 
  • Personalized report includes recipient email, which is also embedded in the form link (this lets the form come up with your ID already filled in)
  • Form link NOT at UMN.EDU (it was actually on a doggie day care website)
  • Sorry, no picture of the form, which was already removed by the time it was reported

Monday, July 10, 2017

Example 202: umn.edu

Simple message leading to a fake UMN login page on a free web service

Message Text
From: helpdesk>support <xxxxxxx14@gmail.com>Date: Fri, Jul 7, 2017 at 3:31 PMSubject: umn.eduTo: 

Your umn.edu e-mail account have exceed its limit click the below linkhxxp://umn-xxxxxxxx.myfreesites.net/ to re-validate. UMN<help-surport> Thanks
Login Form
Fake UMN login page hosted at freesites.net
Fake UMN login page hosted at freesites.net

Improved version included in some spam messages
Improved version included in some spam messages

Things to note

  • Email sent from a gmail.com email address
  • Some copies sent from compromised UMN.EDU addresses
  • Mild branding with UMN logo, but not hosted at UMN.EDU
  • Web page advertises free web page building service
  • Password entry displays passwords in the clear