
Monday, December 10, 2018

Example 225: Doc701234.docx

Google doc containing phishing link sent to steal login information.

Message Text:

From: Some Name (via Google Drive) <SomeName@gmail.com>
Date: Mon, Dec 10, 2018 at 12:08 PM
Subject: Doc701234.docx
SomeName@gmail.com has shared the following document:
[image: Unknown profile photo]John Coleman as shared a file with you
SomeName@gmail.com is outside your organization.
Google Drive: Have all your files within reach from any device.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA [image:
Logo for Google Drive] <https://drive.google.com>
Linked Doc/ Login Page:

Image of Google Doc and linked Fake Login Form
Things to Note:

  • Email really comes from a Gmail account (anonymized here as "SomeName")
  • Link in email takes user to a real Google Doc 
  • Google Doc goes to a Forged Office 365 web login
Recommended Action:

Tuesday, December 4, 2018


Simple phishing attempt offering "email upgrade"

Message Text:

To: "Recipients"
From: "IT HELP DESK" <webmaster@xxxx-info>
Date: Mon, 03 Dec 2018 22:54:22 -0800
Your webmail quota has exceeded the set quota which is 2GB. you are currently running on 2.3GB to re-activate and increase your webmail quota please verify and update your webmail Account by clicking the link hxxp://www.some-domain-here.cf/ fill the form for upgrade.


fake login webform from CF domain

Things to Note:

  • No "UMN" branding
  • Email not from a @umn.edu sender
  • Message really comes from a gmail.com address, but reads "From" a .info address
  • Webform not encrypted - not https, but http - most browsers warn against putting passwords in such forms
  • Form hosted at a .cf (Central African Republic) address, not UMN.EDU
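The indicators listed above can be checked mechanically from a message's headers (in Gmail: "Show original"). The following is an added example written for this page, not code from the original post or from any UMN tool. It flags a From: domain that differs from the Return-Path (the address the mail was really sent from, the gmail.com / .info mismatch noted above), a Reply-To that steers answers to a third domain, a display name such as "IT HELP DESK" paired with an external address, and any SPF/DKIM/DMARC result other than pass in the receiving server's Authentication-Results header. INTERNAL_DOMAINS, INTERNAL_NAMES and both sample messages are constructed for illustration.

```python
"""Header triage for the indicators in the "Things to Note" list above.

Added example, not code from the original page.  INTERNAL_DOMAINS,
INTERNAL_NAMES and the two sample messages are constructed.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"umn.edu"}                     # assumption: our own domains
INTERNAL_NAMES = {"it help desk", "umn security"}  # assumption: names worth forging


def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(header_value):
    """method=result pairs from an Authentication-Results header (RFC 8601)."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)}


def triage(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing odd."""
    msg = email.message_from_bytes(raw_message)   # msg.get() returns the topmost header
    findings = []
    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    return_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))

    if return_dom and return_dom != from_dom:
        findings.append(("return-path-mismatch", f"From {from_dom} but sent from {return_dom}"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    if from_name.strip().lower() in INTERNAL_NAMES and from_dom not in INTERNAL_DOMAINS:
        findings.append(("display-name-spoof", f"'{from_name}' used with external domain {from_dom}"))
    results = auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append((f"{method}-not-pass", results.get(method, "missing")))
    return findings


# Constructed raw message modelled on the Dec 4 example (domains anonymised as on the page).
PHISH = b"""\
Return-Path: <somename@gmail.com>
Authentication-Results: mx.example.edu;
       spf=pass smtp.mailfrom=gmail.com;
       dkim=pass header.d=gmail.com;
       dmarc=none header.from=xxxx.info
From: "IT HELP DESK" <webmaster@xxxx.info>
Reply-To: <upgrade-desk@example.net>
To: Recipients:;
Subject: Your webmail quota has exceeded the set quota
Date: Mon, 03 Dec 2018 22:54:22 -0800

Your webmail quota has exceeded the set quota which is 2GB ...
"""

# Constructed legitimate notice for comparison: same display name, internal domain, all checks pass.
LEGIT = b"""\
Return-Path: <it-help@umn.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=umn.edu; dkim=pass header.d=umn.edu; dmarc=pass header.from=umn.edu
From: IT Help Desk <it-help@umn.edu>
To: someone@umn.edu
Subject: Scheduled maintenance

The mail system will be unavailable Saturday 02:00-04:00.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or "no findings")
```

Return-Path is stamped by the receiving server, so it is a more reliable statement of origin than the From: line a sender types. Authentication-Results is also added by the receiver; a forger can insert a fake copy further down the header chain, so only the topmost one (which is what msg.get returns) should be trusted. The Dec 10 example above would pass every one of these checks, since it is a genuine Google Drive notification; header checks do not replace looking at where a link actually leads.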

Monday, December 3, 2018

Advisory: Protecting Against Identity Theft

Timely reminder from US-CERT regarding identity theft risks from online shopping.

As the holidays draw near, many consumers turn to the internet to shop for goods and services. Although online shopping can offer convenience and save time, shoppers should be cautious online and protect personal information against identity theft. Identity thieves steal personal information, such as a credit card, and run up bills in the victim’s name.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages consumers to review the following tips to help reduce the risk of falling prey to identity theft:
If you believe you are a victim of identity theft, visit the FTC’s identity theft website to file a report and create a personal recovery plan.

Wednesday, November 28, 2018

Advisory: Risks of Falling for a Phishing Scam

Advice on what happens if you get phished. From it.umn.edu:

You are popular. REALLY popular. Right now, there are people all over the world writing email, building websites for you
Unfortunately a lot of this work is aimed at one thing - collecting passwords tied to your email address. 
Now, getting into your email alone is kind of a big deal. Just think about all the business we conduct - personal or work-related - and how it flows through email. But that’s only the start of what can happen when you lose control of that password. 
At the University our email address and password are the keys that unlock paychecks, student loans, library resources, and network access. That’s a nice treasure chest of loot for the would be cyber pirate - but wait, there’s more! 
It’s not unusual to use the same password on multiple sites - we’ve all got so many to remember, right? And, oh! What do most sites use for login ID - yes, your email address! So, when some crook nabs your email address and password, they’re free to try it at Amazon, Apple, Netflix, Spotify or you name it. If you use the same password across multiple sites you’ve just created a skeleton key that opens way too many accounts.

There’s hope!

With the roll out of Duo Security at the University of Minnesota, we’ve put a significant roadblock in front of the phishers. Once you enable Duo Security on your account, your password alone will not grant access to your UMN resources (though some, for example, VPN and WiFi are not protected by Duo Security). 
Many, if not most, non-UMN resources can use two factor authentication. Take some time to protect your other accounts. Check out https://twofactorauth.org/ for information on what you can do to add this important tool to your other accounts. 
Next - stop using the same password on multiple accounts. Get a system to manage your passwords - even a paper notebook is a solution. But tools like Lastpass, Password Safe, or Keepass will give you a lot of power in managing your many accounts. Also, be sure to set up a strong password or passphrase, here are some tips
And remember - a very strong way to assert control over your accounts is to change your password. If ever you are concerned that your password has been stolen - change it! It’s as simple as going to my-account.umn.edu
One last tip from Brad Paisley: “The Internet Is Forever.” In other words, do not reuse old passwords. There is a worldwide active market in stolen passwords - once stolen, the passwords on those lists never go out of circulation. So don’t go back to that favorite password from long ago!

Monday, November 12, 2018

Advisory: "The Boss Needs iTunes Gift Cards For Customers... NOW"

Good summary of scam emails "from" the boss requesting purchase of iTunes (or other) gift cards.

NOTE: This is not hypothetical - we've seen multiple attempts to use this fraud against the University of Minnesota community.

From blog.knowbe4.com:

If you ever wondered if those iTunes gift card phishes really work, see the below email exchange.
Yep, that overzealous employee actually drove around town from store to store picking up iTunes gift cards for the bad guys because there was a limit on the number of cards that could be bought at any one store at one time.
All told poor Emily bought TWENTY $100.00 iTunes gift cards for these criminals. Still worse, she put them ON HER OWN PERSONAL CREDIT CARD!
Wonder if her company will reimburse her? Kinda feel sorry for her. Sometimes it helps to get security awareness training from your organization. Emily was not trained. Don't be Emily.
Here is the email exchange in chronological order. Note the time stamps are the originals and from different time zones. Names are changed to protect the innocent. John Carpenter is the C-level executive of "distracted.com" and was spoofed by the bad guys.  

From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:20 AM
To: Emily Walker <ewalker@distracted.com>
Subject: Respond
Let me know when you are available. There is something I need you to do.
I am going into a meeting now with limited phone calls, so just reply my email.
John Carpenter
Sent from my iPad
Subject: RE: Respond
Date: 6 September 2018 at 21:24:35
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Did you intend to send this to me?
Emily Walker
Project Manager
Sent from my iPhone
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:28 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond
Yes Emily, can you get this done ASAP? I need some couple of gift cards.
There are some listed clients we are presenting the gift cards. How
quickly can you arrange these gift cards because i need to send them
out in less than an hour. I would provide you with the type of gift
cards and amount of each.

Sent from my iPad
Subject: RE: Respond
Date: 6 September 2018 at 21:48:03
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
Can do now. I’ll put on my credit card. Send me the following:
Emily Walker
Project Manager

Sent from my iPhone
From: John Carpenter <officeexec.mails@inbox.lv>
Sent: Thursday, September 6, 2018 11:52 AM
To: Emily Walker <ewalker@distracted.com>
Subject: RE: Respond

The type of card I need is Apple iTunes gift cards. $100 denomination,
I need $100 X 20 cards. You might not be able to get all in one store,
you can get them from different stores. When you get the cards, Scratch
out the back to reveal the card codes, and email me the codes. How soon
can you get that done? Its Urgent.
Sent from my iPad

Subject: RE: Respond
Date: 6 September 2018 at 21:55:17
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
I can do now. Do you want me to do online instead?
Emily Walker
Project Manager

Sent from my iPhone

On Sep 6, 2018, at 11:57 AM, John Carpenter <officeexec.mails@inbox.lv> wrote:
I need you get physical card from the store
Sent from my iPad
Subject: Re: Respond
Date: 6 September 2018 at 22:01:32
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
On my way to store now. What time need by?
Sent from my iPhone

On Sep 6, 2018, at 12:05 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
As soon as you can. I will await codes
Sent from my iPad

Subject: Re: Respond
Date: 6 September 2018 at 22:13:37
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>
If choice between the two do you want $15 or $25?
Sent from my iPhone

On Sep 6, 2018, at 12:16 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
Sent from my iPad

Subject: Re: Respond
Date: 6 September 2018 at 22:51:58
From: Emily Walker <ewalker@distracted.com>
To: John Carpenter <officeexec.mails@inbox.lv>

Just texted you the first 11 codes. Heading to another store now. 5 and 6 limit per store.
Sent from my iPhone
On Sep 6, 2018, at 12:54 PM, John Carpenter <officeexec.mails@inbox.lv> wrote:
Email the codes to me
Sent from my iPad
End of email thread. One hour and twenty five minutes later, the bad guys had 2 thousand dollars in iTunes gift cards in their hands and Emily had charged all of them on her personal credit card. OUCH!
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are getting creative with hybrid gift card / CEO fraud scams. There is a massive campaign underway where they are impersonating an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss, after they are physically bought at stores. Never comply with requests like that and always confirm using a live phone call to make sure this is not a scam. Sometimes it's OK to say "no" to the boss!
Can Your Domain Be Spoofed?

Did you know that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain? Now they can launch a "CEO fraud" spear phishing attack on your organization.
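Whether your own domain can be forged in a From: line comes down to two DNS TXT records: SPF (which servers may send as the domain) and DMARC (what receivers should do with mail that fails SPF/DKIM alignment, and where to report it). The check below is an added example, not part of the KnowBe4 article or any UMN tool. It evaluates records supplied as strings so it runs offline, and the sample record sets are constructed. For a real domain, paste in the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```python
"""Can this domain be spoofed?  An offline SPF/DMARC policy check.

Added example, not from the KnowBe4 article quoted above.  The record sets
in SAMPLES are constructed.
"""
import re


def spf_default_qualifier(spf):
    """Qualifier applied to senders matching no mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass.  None when there is no SPF record.  A record without
    an 'all' term is neutral by default (RFC 7208 section 4.7)."""
    if not spf or not spf.strip().lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.I)
        if m:
            return m.group(1) or "+"
    return "?"


def dmarc_tags(dmarc):
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a dict; None if absent."""
    if not dmarc or not dmarc.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in dmarc.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spoofability(spf, dmarc):
    """Return (verdict, reasons).
    'spoofable': a forged From: is delivered as normal mail.
    'partially protected': forged mail is quarantined, or the policy covers only
    part of the traffic or leaves subdomains open.
    'protected': p=reject on the domain and its subdomains, applied to 100% of mail."""
    reasons = []
    tags = dmarc_tags(dmarc)
    qualifier = spf_default_qualifier(spf)

    if qualifier is None:
        reasons.append("no SPF record: receivers cannot tell authorised senders from forgers")
    elif qualifier in "+?":
        reasons.append(f"SPF ends in '{qualifier}all': unauthorised senders do not fail SPF")
    elif qualifier == "~":
        reasons.append("SPF ends in '~all': softfail, which many receivers treat as a hint only")

    if tags is None:
        reasons.append("no DMARC record: SPF/DKIM results are never tied to the From: header")
        return "spoofable", reasons

    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        reasons.append("DMARC p=none: monitoring only, forged mail is still delivered")
    elif policy == "quarantine":
        reasons.append("DMARC p=quarantine: forged mail goes to spam rather than being rejected")
    if subdomain_policy != "reject":
        reasons.append(f"DMARC sp={subdomain_policy}: mail forged from any subdomain is not rejected")
    if pct < 100:
        reasons.append(f"DMARC pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        reasons.append("no rua= address: nobody receives reports of spoofing attempts")

    if policy == "none":
        return "spoofable", reasons
    if policy == "reject" and subdomain_policy == "reject" and pct == 100:
        return "protected", reasons
    return "partially protected", reasons


# Constructed record sets: (SPF TXT at the domain, DMARC TXT at _dmarc.<domain>).
SAMPLES = {
    "no-dmarc":        ("v=spf1 include:_spf.google.com ~all", None),
    "monitor-only":    ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=none; rua=mailto:dmarc@example.edu"),
    "half-enforced":   ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.edu"),
    "subdomains-open": ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.edu"),
    "enforced":        ("v=spf1 ip4:192.0.2.0/24 -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        verdict, reasons = spoofability(spf, dmarc)
        print(f"{name}: {verdict}", *("  - " + r for r in reasons), sep="\n")
```

Two details worth noticing. With p=reject but sp=none, "ceo@mail.example.com" can still be forged, which is why the subdomain policy is checked separately. And DMARC only needs SPF to return something other than pass, so ~all versus -all does not change the verdict; the qualifier is reported because receivers that do not evaluate DMARC act on it directly. None of this stops the lookalike variant shown in the thread above (the boss's name on an inbox.lv address), which is why the confirm-by-phone rule still applies.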

Wednesday, October 3, 2018

Advisory: Facebook breach: what to do next

FTC advice regarding the recent Facebook breach.

Facebook breach: what to do next

Facebook recently announced the largest breach in the company’s history. The breach affected about 50 million users, allowing hackers to take over their accounts. If you use Facebook, you may be wondering what to do next. Here are a few steps you can take.
First, you probably want to know more about the breach. According to Facebook, the attackers took advantage of a weakness in the “View As” feature, which lets people see what their profile looks like to others. The hackers stole digital keys that keep you logged in to Facebook so you don’t need to re-enter your password every time. Facebook says they’ve fixed the vulnerabilities and reset digital keys on 50 million affected accounts, plus an additional 40 million accounts that used the “View As” function.
To better protect yourself after this breach:
  • Watch out for imposter scams. With access to your Facebook account, hackers can get a lot of information about you. That information could be used to impersonate people you know or companies you do business with. If someone calls you out of the blue, asking for money or personal information, hang up. Then, if you want to know for sure if the person calling you was really your family member or was really from a company you know and trust, call them back at a number you know to be correct before you give any information or money. And remember: anyone who demands that you pay by gift card or by wiring money is scamming you. Always.
  • Consider changing your password. Facebook says that it fixed the vulnerability, so there’s no need to change your password. But, to be safe, log in and change your password anyway. If you use the same password other places, change it there, too. Don’t forget to change your security questions, as well – especially if the answers include information that could be found in your Facebook account.
For more information about what to do after a data breach, visit IdentityTheft.gov/databreach and watch the FTC’s video on What to Do After a Data Breach.
If you learn that someone has misused your personal information, go to IdentityTheft.gov to report identity theft and get a personal recovery plan. Because recovering from identity theft – and data breaches – is easier with a plan.

Tuesday, October 2, 2018

Advisory: 5 Easy Ways to Protect Yourself Online

Tips from staysafeonline.org:

Every day, it seems we hear about a new internet scam, from Nigerian princes requesting a wire transfer of $10,000 to online dating catfishing. As helpful as the internet can be, such stories are worrisome.

While the internet can sometimes seem like a jungle of a million different threats, you can take steps to protect yourself. Here are five easy, free and quick ways to safeguard yourself.
  1. Enable Two-Step Authentication
Also known as multi- or two-factor authentication or login approval – two-step verification provides an extra layer of security beyond your username and password to protect against account hijacking. When using this security mechanism, you will log in using your password and then be prompted to verify your identity again. This second verification is usually done via a biometric (fingerprint or face scan), security keys or a unique one-time code through an app on your mobile device.
Many websites and companies offer two-step verification, and they make it easy to set up this second layer – usually found in the settings section of your account. Using two-step authentication can help you feel more secure, especially for sites containing your financial information.
  2. Check a Site’s SSL Certificate ....
  3. Don’t Save Financial Information on Shopping Sites ...
  4. Be Careful Who You Trust  ...
  5. Create Strong, Unique Passwords ...

Friday, September 21, 2018

Advisory: Credit Freezes are Free: Let the Ice Age Begin

Good news - credit freezes are now free in every US State - this is a valuable tool to prevent identity thieves from accessing your credit history, from krebsonsecurity.com:

SEP 18

Credit Freezes are Free: Let the Ice Age Begin

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.
Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.
A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).  ....

Thursday, September 20, 2018

Advisory: Business E-Mail Compromise

FBI warning of scam email threat called business e-mail compromise (BEC).

Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.

At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.

Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.

“BEC is a serious threat on a global scale,” said Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office. “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”    ...

Timeline of business e-mail compromise attack
See also:

Saturday, September 15, 2018

Advisory: Potential Hurricane Florence Phishing Scams

Alert from US-CERT warning of scams trading off of current weather emergency.

Potential Hurricane Florence Phishing Scams

Original release date: September 14, 2018
NCCIC warns users to remain vigilant for malicious cyber activity seeking to exploit interest in Hurricane Florence. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a subject line, attachments, or hyperlinks related to the hurricane, even if it appears to originate from a trusted source. NCCIC advises users to verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. Contact information for many charities is available on the BBB National Charity Report Index. Users should also be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the hurricane.
NCCIC encourages users and administrators to review the following resources for more information on phishing scams and malware campaigns:

Wednesday, September 5, 2018

Advisory: Active Phishing Campaign Targeting Student Email Accounts

Federal Student Aid (FSA) has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions.

If you have any concerns about any suspicious financial aid messages you receive, contact One Stop for assistance: 

What is happening: Multiple institutions of higher education (IHEs) have reported that attackers are using a phishing email to obtain access to student accounts via the IHE student portal (see example phishing email below). The nature of the requests indicates the attackers have done some level of research and understand the schools’ use of student portals and methods. These attacks are successful due to student compliance in providing requested information and the use of just one factor for authentication.
Upon gaining access to the portal, the attacker changes the student’s direct deposit destination to a bank account controlled by the attacker. As a result, FSA refunds intended for the student are sent to the attacker. FSA believes that attackers are practicing and refining the scheme on a smaller scale now and that this will emerge as a prominent threat against IHEs during periods when FSA funds are disseminated in large volumes.

 Example of phishing message

Tuesday, August 28, 2018

Example 223: Action Required: University of Minnesota Portal Validation Request

Fake University Login sent from compromised UMN account.

Message Text

From: UMN.EDU Portal < compromised UMN ACCOUNT>
Date: Tue, Aug 28, 2018 at 12:25 PM
Subject: Action Required: University of Minnesota Portal Validation Request


Dear xxxxx@umn.edu,
You are required to verify use of your *UMN.EDU <http://UMN.EDU>* portal
login. This is a routine to delete in-active email from our database.
Verification link expires in *72 hours*.
<http://xxx  xxxxxxx .com/umn-eduWebLoginService/validate.htm>

Failure to complete verification may lead  to restriction of your portal
access. In this case, kindly contact your school IT Administrator.
Thank you
*UMN.EDU <https://www.umn.edu/> Team*
Login Form
 Fake UMN Login webform
Things to Note

  • Email DOES come from a UMN.EDU address - a user who had their account stolen
  • Web form copies UMN login page
  • Web form hosted at a ".COM" address, NOT UMN.EDU
  • Login is NOT secure - browser in image above shows the warning.

Wednesday, August 15, 2018

News: Cyberattackers infiltrate Hennepin County workers' e-mails

Cyberattackers have infiltrated e-mail accounts for about 20 Hennepin County employees since late June.

Here's a reminder to be wary of unexpected emails that seem "too good to be true" - often they are neither good nor true:

Star Tribune article about cyber attack


Friday, August 10, 2018

Example 222: Job Job Job!!!


This email scam campaign appears to mostly be directed at students. It is sent by multiple senders with multiple different subject lines, including (but not limited to):

Employment Opportunity For Student Only
Employment Opportunity
New Personal Assistant Needed ( Part-Time Job )
Job Opportunity
School Announcements
University Announcements

There is a Resume.txt file attached, which is only a text file with the phony job offer, not malware.

The scam ends with the scammer asking the student for money to get through customs to come to the United States, so that he can hire the student.

This is a type of "Money Mule" Scam: http://www.lse.ac.uk/intranet/students/supportServices/healthSafetyWellbeing/MoneyMuleScam.aspx

What you should do: 

  • Report the email as spam in Gmail to help educate Google's spam filters. 
  • Do not engage with the sender.

Content of Resume.txt

Dear Student,
 I am  Dr. Williams Morgan  and I work as a clinical counselor for the department of Disability Resources and Educational Services (DRES). I provide individual and group therapy, coaching, assessment and academic screenings to support students with disabilities (physical, chronic, psychiatric, and invisible)registered with DRES. A large percentage of the students served by the mental health unit have psychiatric disabilities or co-morbid psychiatric disabilities and need mental health support to be successful at the university. In addition,many University of students with academic difficulties and no prior diagnosis are seen and assessed through the academic screening and assessment process. I also am the director of supervision, training and coordination of counseling psychology and clinical psychology graduate students of the United States who have practicums at DRES and APA-accredited school psychology pre-doctoral interns.You have received this email because you have an offer from the University Office for Students with Disabilities to work with me while we help Students with disabilities frustrated with ignorance and lack of services but as my temporary personal assistant. I care about Animal Welfare, Arts and Culture, Children, Civil Rights and Social Action, Education, Environment, Disaster and Humanitarian Relief, Social Services and lots more.This is a very simple employment.

You will only help me Mail letters, Make payments at Walmart and purchase some Items when needed. This employment only takes an hour a day and 3 times a week for $480 weekly.I am unable to meetup for an interview because I am currently away and helping the disabled students in Australia.

You will be paid in advance for all tasks and purchased to be done on my behalf and some of my personal letters and mails will be forwarded to your residence or nearby post office for you to pick up at your convenience. Upon my arrival we will discuss the possibility of making this a long-term employment if I am impressed with your services while I am away. My arrival is scheduled for the 

First week of September 2018

To Apply, Please email your Full name, Address, Alternate email (different from school email) and mobile and  Correspondent will reply you as soon as possible.


Dr Williams Morgan   

Friday, July 20, 2018

Advisory: Scam Extortion Using Leaked Passwords

Attempt to extort bitcoin payment using passwords from data breaches.

Scam Details

  • Victim's email address and a password are exposed in a data breach (e.g. LinkedIn).
  • Attacker crafts an email to that email address "revealing" they know the password, with the following details:
  • They have installed malicious software on the victim's computer 
  • They have used the victim's computer camera to secretly record the victim watching porn
  • They will send the recording to the user's contacts unless the victim sends bitcoin payment to buy their silence.

What's Going On

Data breaches are all too common - many yielding large "dumps" of email addresses and passwords. The attackers in this scenario are using this information to trick their victim into thinking they have been compromised - which is very, very unlikely. The most convincing piece of information is that they know a single password that the victim used somewhere at some time. Unless they use the same password everywhere (note: this is a very bad practice) it isn't going to unlock their computer.

How You Can Protect Yourself
  • Use unique, strong passwords for each account.
  • Use a password manager to track your passwords. (en.wikipedia.org/wiki/Password_manager)
  • Check haveibeenpwned.com to see whether your email address has appeared in any known breach, and subscribe so you are notified of future ones. Change the password on any account that turns up. [Note: haveibeenpwned will not tell you which password was exposed, but it does give the date of the breach. If you changed that account's password after that date, and did not reuse the old one anywhere else, it does not need to be changed again.]
See Brian Krebs (notable security blogger) take on this scam at: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
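The advice above uses haveibeenpwned.com to look up an email address. Its companion Pwned Passwords service answers the other question this scam raises, whether a particular password is already in circulation, and it does so without ever receiving the password. The example below is added here; it is not code from the page or from the service. The client hashes the password with SHA-1, sends only the first five hex digits of the hash to https://api.pwnedpasswords.com/range/<prefix>, and gets back every known hash suffix with that prefix and how often each has been seen, so the match happens locally. The live lookup is isolated in fetch_range(); RANGE_RESPONSE is a constructed stand-in so the example runs offline.

```python
"""Checking a password against Pwned Passwords without sending it anywhere.

Added example, not from the page.  RANGE_RESPONSE is a constructed stand-in
for the API reply; fetch_range() performs the real (network) lookup.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    """Upper-case SHA-1 hex digest split into the 5-char prefix sent to the API
    and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """The API returns one 'HASH-SUFFIX:COUNT' pair per line; padding entries
    (count 0) appear when the Add-Padding header is sent."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table


def fetch_range(prefix):
    """Live lookup (needs network).  Add-Padding makes every response a similar
    size so an observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_body=None):
    """How many times the password appears in known breach dumps (0 = not seen).
    Pass range_body to check against a pre-fetched response instead of the API."""
    prefix, suffix = hash_parts(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return parse_range(body).get(suffix, 0)


# Constructed stand-in for GET /range/5BAA6 (the prefix for "password").  The
# counts and the two other suffixes are made up; a real response has hundreds of lines.
RANGE_RESPONSE = """\
1E2CA5E9F4A7D3B0B8C6E1F0A9D8C7B6A5F:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D3:0
"""

if __name__ == "__main__":
    count = pwned_count("password", RANGE_RESPONSE)
    print(f'"password" seen {count} times in breach dumps' if count else "not seen in known dumps")
```

A password that comes back with a non-zero count is exactly the kind the extortion email quotes back at its victim: it is sitting in a public dump, and anyone can try it against every site where the same address is used. Change it everywhere it was reused, not just where it leaked.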

Wednesday, July 18, 2018

Example 221: University J0b Recruiting / Artnet Job Offer

Scam offers for employment sent to students using an image file to present the offer.

Messages text:

Date: Wed, Jul 18, 2018 at 12:44 AM
Subject: Re: Artnet Job Offer

*find attached..*
The above had this customized IMAGE file delivering the message:

Date: Tue, Jul 17, 2018 at 11:26 PM
Subject: University J0b Recruiting
Dear selected Candidate,
Your university recruiting department has selected you for an on-campus
offer. Please find attached..
This message, sent by a different email as the first, included this image with the gmail address used in the other "Artnet" offer:

Things to note:
  • Sender is unknown 
  • Email text sent as image file - presumably to avoid being detected as spam
  • Message follows standard "money mule" come-on

What is a money mule?

A money mule is someone recruited by criminals to transfer the profits of their illegal activities. The money may have been stolen directly from another bank account or may be the profits of fraud, drug trafficking, child labour or prostitution. Most of the criminals carrying out this type of crime are located abroad, so a money mule based in the UK is required to transfer the money overseas.
Although some money mules know that they are handling stolen money, criminals also target groups such as university students to unwittingly launder the funds on their behalf.

Advisory: FTC Issues Alert on Tech Support Scams

FTC Issues Alert on Tech Support Scams

The Federal Trade Commission has released an alert on tech support scams. Scammers use pop-up messages, websites, emails, and phone calls to entice users to pay for fraudulent tech support services to repair problems that don’t exist. Users should not pay or give control of their devices to any stranger offering to fix problems. 
NCCIC encourages users and administrators to refer to the FTC Alert and the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for more information. If you believe you are a victim of a tech support scam, file a complaint at www.FTC.gov/complaint.

Monday, July 9, 2018

Advisory: Reports of scam caller 'spoofing' 911

Spoofed calls "from" 911 used to steal personal information.

MARQUETTE COUNTY, Mich. (WLUC) - Marquette County Central Dispatch/Emergency Management received a report of a caller ID spoofing incident using “911” as the callback number here in Michigan.
A bad actor using 911 as the caller ID called a citizen and said that someone in their family had been in an accident and started to ask for personal information. The citizen called her family member and found out they were fine. If this ever happens to you, please remember this:
• If you get a voice call from 911, it will NOT be on a 911 line. If the 911 center calls you, it will always be on a 10-digit line, not a 911 line.
• The only time that the digits 911 will show up as an incoming communication will be via a text.
• If you receive a call from someone who says that they are from 911 or other public safety department (police, fire, or EMS), ask them for the number they can be reached at and call them back.
• NEVER give your social security, credit card, or insurance information over the phone.

Monday, June 11, 2018

Example 220: Email xxxx@umn.edu De-Activation

Personalized "warning" of email account closure

Message text:

From: <administrator@mail.com>
Date: Mon, Jun 11, 2018 at 4:48 AM
Subject: Email xxxx@umn.edu De-Activation
To: xxxx@umn.edu

Server Message

*Dear xxx@umn.edu
Our record indicates that you requested to close your recent email:
xxxx@umn.edu. This requires that we verify with you as soon as possible.
If the request was accidentally made and you have no knowledge of it, you
may now cancel the request below
*Cancel Request*
Note: Failure to cancel this request within 24 hours will result to Email
Service De-Activation (ESD) and all email data will be permanently lost.
*Email Administrator*
This message is auto-generated from E-mail security server, and replies
sent to this email can not be delivered.
This email is meant for: *xxxx@umn.edu <xxxx@umn.edu>*

Web forms:

fake login form to keep account from being "canceled"
Claims of "success" in keeping account active

Things to note:

  • Email is personalized to individual recipient
  • Web form link carries the recipient's ID, so the web forms already show the account name
  • No UMN branding in forms
  • Email does not come from a UMN.EDU address
  • Email has no contact information
  • Filling in the form "fails" and makes you try again
  • Filling in the second time "succeeds" then redirects you to a real umn.edu page.

Thursday, May 24, 2018

Advisory: FBI Releases Article on Building a Digital Defense with Credit Reports

Summary: FBI has released an article on using credit reports to build a digital defense against identity theft.

FBI has released an article on using credit reports to build a digital defense against identity theft. FBI explains how identity theft can deal a devastating blow to consumers' credit history. However, regularly checking the accuracy of credit reports can help consumers minimize risk.
NCCIC encourages consumers to review the FBI Article and NCCIC's Tip on Preventing and Responding to Identity Theft.

Tuesday, May 22, 2018

Advisory: Tragedy-Related Scams

Summary: In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity 

In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity seeking to capitalize on this tragic event. Users should exercise caution in handling emails related to the shooting, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to the event.
To avoid becoming a victim of fraudulent activity, NCCIC encourages users and administrators to review NCCIC's Tips on Using Caution With Email Attachments and Avoiding Social Engineering and Phishing Attacks as well as the Federal Trade Commission's article on Before Giving to a Charity.

Thursday, May 3, 2018

Example 219: XXX, Secure Your Email Communication. Now!

Forged (personalized) letter providing link to malicious software.

Message text:

From: UMN Security <umnalert@ xxxx .win>
Date: Thu, May 3, 2018 at 7:22 AM
Subject: XXX, Secure Your Email Communication. Now!
To: xxx  < xxxxx@umn.edu>

Hello Xxx,
As a result of the rising cyber security threat, it has become necessary
that the entire staff and students of this institution download and install
the new Microsoft Email Security Software, *WinMail Defender* in order to 
further protect all our email communications.
*WinMail Defender* is an email security software that adds an extra layer
of security to your email communications. It provides end-to-end email 
encryption, there by making it a lot more difficult for third parties and
other unauthorised parties to access your email communications.
Bernard Gulachek
Vice President and Chief Information Officer,
Regents of the University of Minnesota.

Linked Form

Email contains a tinyurl.com link which redirects to this page:
webform hosting malicious software link
Things to Note:
  • Email comes from NON @umn.edu address
  • Email subject and letter address recipient by first name
  • Email link goes to a tinyurl.com (not UMN.EDU) link
  • Link redirects to a site123.com page - site123.com is a free website provider
  • Link on form will download malicious software
  • If you downloaded and ran this software, contact your tech support immediately to address possible system compromise.
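The link indicators called out under "Things to Note" in the Dec 4, Aug 28, June 11 and May 3 examples above can be applied to any URL before it is clicked. The script below is an added example, not code from the page or from any UMN tool. It checks for plain http rather than https, a host outside the institution's domain, the institution's name placed in a subdomain or path of somebody else's domain ("umn-eduWebLoginService", "umn.edu.example.net"), a URL shortener that hides the destination, a free site builder, and an email address carried in the query string. Defanged "hxxp://" links, as written on this page, are accepted. OWN_DOMAIN is the page's; the shortener and free-host lists and the sample URLs are constructed and illustrative.

```python
"""Link triage for suspected phishing mail.

Added example, not from the page.  SHORTENERS, FREE_HOSTS and SAMPLE_LINKS
are constructed and illustrative.
"""
import re
from urllib.parse import parse_qs, urlparse

OWN_DOMAIN = "umn.edu"
BRAND = re.compile(r"umn[-.]?edu", re.I)                         # "umn-edu", "umn.edu", "umnedu"
SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "t.co"}          # illustrative list
FREE_HOSTS = {"site123.com", "weebly.com", "000webhostapp.com"}    # illustrative list


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = url.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def registered_domain(host):
    """Last two labels of the host.  Adequate for .com/.edu/.cf; a real tool would
    use the public suffix list for two-level TLDs such as .co.uk (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url):
    """Return the list of indicator codes that fire for the URL (empty = nothing odd)."""
    parts = urlparse(refang(url))
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    codes = []
    if parts.scheme == "http":
        codes.append("plain-http")                 # a password typed here travels unencrypted
    if reg != OWN_DOMAIN:
        codes.append("host-not-" + OWN_DOMAIN)
        if BRAND.search(host + parts.path):
            codes.append("brand-in-lookalike")     # our name, somebody else's domain
    if reg in SHORTENERS:
        codes.append("shortener")                  # real destination hidden behind a redirect
    if reg in FREE_HOSTS:
        codes.append("free-host")                  # anyone can stand up a page here in minutes
    values = [v for vals in parse_qs(parts.query).values() for v in vals]
    if any("@" in v for v in values):
        codes.append("identity-in-query")          # link pre-identifies the recipient
    return codes


# Constructed URLs in the shape of the page's examples (the page's own are anonymised).
SAMPLE_LINKS = [
    "hxxp://www.some-domain-here.cf/",
    "http://example.com/umn-eduWebLoginService/validate.htm",
    "https://tinyurl.com/abc123",
    "https://login.umn.edu.example.net/",
    "http://mail-admin.example.net/cancel?user=xxxx@umn.edu",
    "https://my-account.umn.edu/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:60} {', '.join(triage_url(link)) or 'no indicators'}")
```

A shortener result is only a prompt to look further: the destination has to be resolved (a HEAD request that follows redirects, or a preview service) and the final URL run through the same checks. And, as the Dec 10 example shows, a link can land on a real Google Doc and still lead to a forged login page one click later, so the page you actually type a password into is the one that matters.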