

Phishing Scams Targeting the UMN

Welcome to the Phishing Email Examples blog. Below are some examples of phishing emails seen on campus, targeting the University of Minnesota. Not all phishing emails are posted here, so do not assume a suspicious email is safe just because it is not listed here. There are many variants of each phishing scam, and new ones are being sent out each day. When in doubt, forward the email to phishing@umn.edu.



Phishing warning: Heartbleed may generate new scams

"Given the growing public awareness of this bug, it's probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question."

Heartbleed Bug: What Can You Do?

For more information on the Heartbleed vulnerability see http://heartbleed.com


Symantec reports a new phishing scam that places a form imitating the Google sign-in page inside a Google Drive document.

"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages."

[Screenshot: FakeGoogle032014.jpg]

NOTE:

  • If you get an unexpected document from an unknown (or unlikely) collaborator, be suspicious.
  • If you are already logged in to Google in your browser, a Google doc should NOT redirect you to a login form.
  • When UMN Google Apps DO direct you to a login page, they should always include UMN branding.

Phishing example 42: Update

Notes: This is a particularly nasty phishing scam because it is spoofed to come from help@umn.edu, and the link (which is now blocked) was a perfect copy of the University's login page.

From: Helpdesk
Date: Sat, Mar 1, 2014 at 3:00 PM
Subject: Update

Dear User
Due to high numbers of inactive mail accounts on our server, all email
users are urged to update their email account within 24 hours of receiving this email, by
using the Update
*Click here hxxp://xxxxxxxxxxxxxxxx/idp/umn/login.php *to confirm
that their email account is active.
Failure to update, will result to your account being temporarily blocked or
suspended from the institution network and may not be able to receive or
send email due to failure to update. Do not ignore this message to avoid termination
of your webmail account.
Thanks for your co-operation.
Yours sincerely,
Call: 612-301-4357 (1-HELP)
Email: help@umn.edu

Phishing warning: US Tax Season Phishing Scams and Malware Campaigns

In the past, US-CERT has received reports of an increased number of phishing scams and malware campaigns that seek to take advantage of the United States tax season. The Internal Revenue Service has issued an advisory on its website warning consumers about potential scams.

Tax season phishing campaigns may include, but are not limited to:

  • Information that refers to a tax refund,
  • Warnings about unreported or under-reported income,
  • Offers to assist in filing for a refund, or
  • Links to counterfeit e-file websites.

For more information see the US-CERT notice US-Tax-Season-Phishing-Scams-and-Malware-Campaigns.

Phishing Example 41: Dear webmail user

Received February 2014

Once again, no, the University really doesn't send messages like this:

From:
Date: Fri, Feb 21, 2014 at 10:11 AM
Subject: Dear webmail user
To:

You have reached the storage limit on your mailbox. Please visit the below
link to restore your email access.

httx:/xxxxxxxxxxxxxxx/xmail/UPGRADE/

Do not ignore this message to avoid termination of your account.
System Help-desk
Copyright (c) 2013 # * * ALL RIGHTS RESERVED

[Screenshot: fake-02272014.jpg]

Phishing Example 40: Umn Email Alert

Received January 2014

From: Email Alert
Date: Tue, Jan 7, 2014 at 5:57 AM
Subject: Umn Email Alert
To: alert@umn.edu


Note the link leads to an exact duplicate of the University's login page, but the URL does not end in umn.edu. Entry of any credentials leads to the google.com login page.


[Screenshot: RT329176_phish-form.GIF]
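
The check in the note above (a genuine login link's host ends in umn.edu), written out as an added example that is not part of the original blog. It also covers the cases where "umn" or "umn.edu" appears somewhere in the link without being the host's domain, as in the /idp/umn/login.php path of example 42. The sample message and all non-umn.edu hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "umn.edu"  # real University login URLs end in this domain

# http/https links, plus the defanged "hxxp" spelling used when reporting phish.
LINK_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"'*\]]+", re.IGNORECASE)


def host_of(url):
    """Return the lowercase hostname a browser would actually connect to."""
    refanged = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    try:
        host = urlsplit(refanged).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""
    return host.rstrip(".").lower()


def is_umn_host(host):
    """True only for umn.edu itself or a subdomain of it."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def suspicious_links(body):
    """Return (url, host) for every link whose host is not under umn.edu."""
    flagged = []
    for match in LINK_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")
        host = host_of(url)
        if not is_umn_host(host):
            flagged.append((url, host))
    return flagged


# Constructed sample message; the non-umn.edu hostnames are made up.
SAMPLE = """Dear User,
Click here hxxp://mail-update.example.net/idp/umn/login.php to confirm.
Mirror: http://umn.edu.example.org/login
Portal: http://www.umn.edu@portal.example.com/login
Secure: https://secure-umn.edu.example/login
Help: https://www.umn.edu/help and https://it.umn.edu/
"""

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE):
        print(f"NOT umn.edu: host={host or '(unparseable)'} url={url}")
```

A link that passes this check only tells you where it points; a message can still be a scam, so unexpected requests are still worth forwarding to phishing@umn.edu.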

Phishing Example 39: You have 1 important mail alert!!

Received: December 2013

Subject: You have 1 important mail alert!!
Date: 18 Dec 2013 04:15:37 -0000
To: "recipients"
From: "onlinemessage1"

Dear Account User,

Your mailbox has exceeded the limit of 30 GB, which is as set by your manager, you are currently at 30.9GB, very soon you will not be able to create new e-mail to send or receive again until you validate your mailbox.To re-validate your mailbox, click on the attach link and follow the instruction for your upgrade.

Sincerely,

Email Administrator.

Notes:

You should never click a link to a PDF without verifying that it is safe; it could be installing malware. In this case we scanned the PDF before opening it.

The attached link is a PDF document that opens with a link to a fake login site that looks like this:

[Screenshot: RT328298_phish-form1.GIF]

When you enter an ID and password, another window comes up asking for verification of your *alternate* email address (Google, Yahoo, etc.), that looks like this:

[Screenshot: RT328298_phish-form2.GIF]

Phishing Example 38: Your Incident ID is: 130329-018715

Sent November 2013:

From: MyUmn
Date: Fri, Nov 8, 2013 at 7:58 PM
Subject: Your Incident ID is: 130329-018715
To:
Your Incident ID is: 130329-018715
This is an automated message to notify you that we detected a login attempt
with a valid password to your Umn! account from an unrecognized device on
Friday, Nov 8th, 2013 18:33 CEST.
Location: Sweden, Stockholm (IP=204.79.146.0)
Was this you? If so, you can disregard the rest of this email. If this
wasn't you kindly follow this link
http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ to review your Umn
account
Sincerely,
MyUmn IT HelpDesk
[---001:000564:57449---]

Please do not reply to this message. Mail sent to this address cannot be
answered.


[Screenshot: 110813-yola.jpg]

Phishing Example 37: faculty/staff

Sent: November 2013

FACULTY/STAFF: NOVEMBER - DECEMBER MAILBOX QUOTA CLEAN-UP
Mailbox Quota Size: 100 %
Current Mailbox Quota: 98.09%
Your mailbox is almost full.
465MB
500MB
Important Notice: Mailbox SEND or RECIEVE operation will be deactivated at 100% Quota-size clickhere on Faculty-Staff ADMIN
ITS HELP DESK,
© Copyright 2013.
Privacy and Confidentiality Notice: The information contained in this e-mail is intended for the named recipient(s) only. It may contain privileged and confidential information. If you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, we would be grateful if you would notify us immediately. Thank you for your assistance.
Please note that e-mails sent or received by our staff may be disclosed under the Freedom of Information Act (unless exempt).

Note: Password disclosed

[Screenshot: RT325219_phishing_form.GIF]

Phishing Example 36: FACULTY/STAFF

Received 10/2013

Subject: FACULTY/STAFF
Date: October 31, 2013 9:52:58 AM CDT
To: undisclosed-recipients:;

Body text:

Institution account routine Maintenance

Your mailbox is almost full.
465MB
500MB

Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails until You Re-Validate It. To RE-VALIDATE [hxxp://xxxxx.webs.com] or If it does not work then copy and past the link. Thank you
ITS help desk


ADMIN TEAM

Notes:
Password shown in the clear

[Screenshot: RT324488_phish_form.GIF]
