
Tuesday, November 21, 2017

Example 209: Library Notifications

Bogus warning forged to look like it comes from the UMN Libraries. It links to a clone of the UMN login page via a wisc.edu quicklink.

Message text
From: University of Minnesota Libraries <libraries@ umn. co> <<--NOTE "UMN.CO" sender
Date: Tue, Nov 21, 2017 at 7:39 AM
Subject: Library Notifications
To: 

Dear Library User,
Our records show that your access to University of Minnesota Libraries System is about to expire. Due to security precautions established to protect University Libraries System, you have to renew your library account on a regular base, so please use the following link
(Note: the link shown in the message TEXT is fake; it really links to a go.wisc.edu quicklink that leads to a fake UMN login page)
After your successful authentication, your access will be restored automatically and you will be redirected to the library homepage. If you are unable to log in, please contact the library help desk for immediate assistance. We apologize for any inconveniences this may have caused.

Thank you,

University of Minnesota Libraries
309 19th Ave S, Minneapolis, MN 55455
libraries@umn.edu  <<---NOTE non-existent "libraries@umn.edu" address
Web Form

Forged UMN login page
Things to Note:

  • Email comes from "umn.co," not "umn.edu" 
  • Displayed URL appears to be a umn.edu address, 
  • BUT goes instead to a wisc.edu URL-shortener service 
  • Final URL includes "umn.edu" but ends in "citt.cf"
  • If you "logged in," you were redirected to the UMN library site. If you did this, change your password ASAP!
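
The first four checks in the list above can be run mechanically over a reported message. This is an added example, not part of the original post: it flags a sender domain outside umn.edu, link text that shows a umn.edu host while the href goes elsewhere, and a landing host that contains "umn.edu" without ending in it. The function names, the link text, the quicklink path and the full landing hostname are constructed placeholders.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "umn.edu"  # domain the message claims to come from

def under(host, domain=TRUSTED):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def host_of(url):
    """Hostname of a URL; also accepts link text written without a scheme."""
    url = url.strip()
    return urlsplit(url if "://" in url else "//" + url).hostname or ""

def audit(from_header, links, final_url=None):
    """Findings for one message; links is a list of (display_text, href)."""
    findings = []
    # 1. Compare the real address domain, not the display name.
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if not under(sender):
        findings.append(f"sender domain {sender} is not {TRUSTED}")
    # 2. Link text that shows a trusted host while the href goes elsewhere.
    for text, href in links:
        shown, actual = host_of(text), host_of(href)
        if under(shown) and not under(actual):
            findings.append(f"link text shows {shown} but href goes to {actual}")
    # 3. Trusted name appears inside the landing host but is not its suffix.
    if final_url:
        final = host_of(final_url)
        if TRUSTED in final and not under(final):
            findings.append(f"{final} contains {TRUSTED} but does not end in it")
    return findings

if __name__ == "__main__":
    # Constructed sample modelled on Example 209. The link text, quicklink
    # path and full landing hostname are placeholders, not from the message.
    for finding in audit(
        "University of Minnesota Libraries <libraries@umn.co>",
        [("https://www.lib.umn.edu/", "https://go.wisc.edu/PLACEHOLDER")],
        final_url="https://login.umn.edu.placeholder.citt.cf/",
    ):
        print(finding)
```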

Friday, November 17, 2017

Advisory: Fake "Invoice" and "UPS" notices come bearing malware!

Multiple versions of "Invoice" or UPS delivery notices have been received, linked to malware aimed at stealing financial information.

Example messages:
From: UPS.com <some.name @some.domain.org>
Date: Mon, Nov 13, 2017 at 7:15 AM
Subject: UPS Ship Notification, Tracking Number 0IT41910520287451
You have a parcel coming.
The physical parcel may or may not have actually been tendered to UPS for shipment.
Current status of the delivery is available here.
Scheduled Delivery Date: Monday, 11/13/2017
Shipment Details
From: eBook on Leukemia: Causes, Symptoms & Treatment
Tracking Number: 0IT41910520287451
Number of Packages: 8
Thank you for your business.

From: Some Name < some different email@someplace.com>
Date: Fri, Nov 17, 2017 at 12:02 PM
Subject: Invoice number 00744297 issue
To:

This is your invoice dated 17 Nov 17. If you have questions or concerns, just let me know at 01382 844946.
http://xxxx .yyy/New-invoice-3498177/
Yours Truly,
Some Name

Things to Note:

  • The name in the "From:" field usually does not match the email address
  • In some cases the "sender" name IS known to the recipient (though it is NOT from their email)
  • The URL addresses have been in multiple countries, none of them apparently related to UPS or the purported business
  • Do not download (and open) unexpected "invoices" 
  • If you have downloaded and opened this malware - contact your tech support immediately to assess and determine next steps
  • Report and forward any such mail to phishing@umn.edu