
Phishing Scams Targeting the UMN College of Brevity School of Significant Impact

Welcome to the Phishing Email Examples blog. Below are some examples of phishing emails seen on campus, targeting the University of Minnesota. Not all phishing emails are posted here, so do not assume a suspicious email is safe just because it is not listed here. There are many variants of each phishing scam, and new ones are being sent out each day. When in doubt, forward the email to phishing@umn.edu.


Moving to Blogger!

We've moved!

With the end of support for http://blog.lib.umn.edu/, we've moved the UMN Phishing blog to Blogger!

You should find all the past posts there - and new ones as we have more examples of phishers targeting our UMN community.

The new URL is http://umn-phish.blogspot.com - or just use the handy z.umn.edu/phishing

Phishing Example 47: Library Account

Here's a reminder to question unexpected warnings and double-check that supposed "official" login pages are REALLY hosted at UMN.EDU locations.

Received June 2014:

An email in circulation points at what LOOKS like a UMN URL, but the link went to an offshore site:

From: Library
Date: Thu, Jun 26, 2014 at 8:47 AM
Subject: *****SPAM***** Library Account
To:
Dear User,
Your library account has expired, therefore you must reactivate it
immediately or it will be closed automatically. If you intend to use this
service in the future, you must take action at once!
To reactivate your account, simply visit the following page and login wilth
your library account.
Login Page:
xxxxxxxxxxxxxxxxxx
Sincerely,
University of Minnesota Libraries
499 Wilson Library
309 19th Avenue South
Minneapolis, Minnesota 55455
(612) 624-3321 (voice)
(612) 626-9353 (fax)



lib-example.jpg

---
The link goes to a copy of the UMN login page on an offshore website, and claims to "reactivate" your account.

Dangerous, because the phishers copied our real login page: the copy looks identical to, and behaves like, a real login page, and then puts up a fake "reactivation message" with a link to the UMN library system:

Lib-fake-login.png


Phishing Example 46: EMAIL UPDATE

Things to note:

  • hosted at a non-umn.edu website
  • displays passwords in clear text

Received June 2014:

From: UMN Help
Date: Sun, Jun 29, 2014 at 12:35 PM
Subject: EMAIL UPDATE
To: Recipients


Dear User,

Please validate your account. To perform this action CLICK HERE

Thank you.
Help Desk
The University of Minnesota


yola0629.jpg

Phishing Example 45: Warning Warning Warning!!!


Summer time and the phishing continues!

These phishers are using a free website portal to offer an "upgrade" in storage, unaware that UMN users already get 30 gig of storage, and they make no attempt to brand their form to look like it comes from the University.




Received June 2014:

Subject: RE: Warning Warning Warning!!!
Date: Tue, 24 Jun 2014 12:54:17 +0000
From:
To:

Your mailbox is almost full. <http://xxxxx.xxxx.com/>
461MB <http://xxxxx.xxxx.com/> 500MB
<http://xxxx.xxxx..com/>
Current size Maximum size
Help desk requires to upgrade your *EMAIL *account *UPGRADE-HERE*
<http://xxxx.xxxx.com/> Update your account for HTK4S
Anti-Virus/Anti-Spam.
And Allow New Mails to come in Now

IT help desk 2014 <http://xxxx.xxxx.com>
ADMIN TEAM <http://xxxx.xxxx.com/>


20140624-jigsy.png

Phishing Example 44: Security Alert

Most users should see this marked as spam - but here's a new phish, pointed at a free website provider (not a umn.edu address). There's an interesting attempt at "branding," but with an odd logo that has nothing to do with email.


From: Mail Admin:: University of Minnesota
Date: Thu, May 29, 2014 at 8:32 AM
Subject: Security Alert:
To:

Important information regarding your University of Minnesota account

You have reached your University of Minnesota email maximum data allowance,
you may not be able to send or receive email with your email account again;
Because it has been brought to our attention that your email account has
been accessed and used by a third party to send spam/phishing emails.Kindly
Visit *umn.edua*
Or
Click on *University of Minnesota Login*

now. and Login your account details.

05292014-yolasite.jpg

Phishing Warning: Beware "Reset Your eBay Password" Emails

Large-scale data breaches that are widely publicized, like the recent eBay breach, offer attackers a new opportunity for malicious emails designed to steal your credentials.

To safely change your eBay password, log directly into eBay and use the change password option.

Phishing Example 43: "Dear Account User." Gmail spoof


A clever email has been making the rounds, using a PDF security notice. It claims to be from Gmail, and it directs users to a fake Gmail login. The mail reads:

Dear Account User. Attached Account Verification Letter.

Sincerely,
The Gmail Support Team!

Attached is a PDF:
fake-gmail-letter-05012014.jpg

If a user clicks on the link (please don't!), they'll go to a fake (but very plausible) Gmail login page:

fake-google05012014.jpg

(note: this web link will no longer work within the University network.)

If that wasn't enough, users who give a name and password will be asked to supply a phone number and alternate email address!

phish05012014-extras.jpg



If you or anyone you know was deceived by this spam, go (or tell them to go) to the My Account page at https://www.umn.edu/myaccount, change the password immediately, and report the incident to phishing@umn.edu.

Phishing warning: Heartbleed may generate new scams

"Given the growing public awareness of this bug, it's probable that phishers and other scam artists will take full advantage of the situation. Avoid responding to emailed invitations to reset your password; rather, visit the site manually, either using a trusted bookmark or searching for the site in question."

Heartbleed Bug: What Can You Do?

For more information on the Heartbleed vulnerability see http://heartbleed.com


Symantec reports a new phishing scam that places a phishing form resembling a Google sign-in page inside a Google Drive document.

"The fake page is actually hosted on Google's servers and is served over SSL, making the page even more convincing. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive's preview feature to get a publicly-accessible URL to include in their messages."

FakeGoogle032014.jpg

NOTE:

  • If you get an unexpected document from an unknown (or unlikely) collaborator, be suspicious.
  • If you are already logged in to Google in your browser, a Google doc should NOT redirect you to a login form.
  • When UMN Google Apps DO direct you to a login page, it should always include UMN branding.

Phishing Example 42: Update

Notes: This is a particularly nasty phishing scam because it is spoofed to come from help@umn.edu, and the link (which is now blocked) was a perfect copy of the University's login page.

From: Helpdesk
Date: Sat, Mar 1, 2014 at 3:00 PM
Subject: Update

Dear User
Due to high numbers of inactive mail accounts on our server, all email
users are urged to update their email account within 24 hours of receiving this email, by
using the Update
*Click here hxxp://xxxxxxxxxxxxxxxx/idp/umn/login.php *to confirm
that their email account is active.
Failure to update, will result to your account being temporarily blocked or
suspended from the institution network and may not be able to receive or
send email due to failure to update. Do not ignore this message to avoid termination
of your webmail account.
Thanks for your co-operation.
Yours sincerely,
Call: 612-301-4357 (1-HELP)
Email: help@umn.edu
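
The host check that Examples 47, 44 and 42 call for, as an added example (not part of the original blog): it pulls each link out of a message and matches the hostname against umn.edu on a label boundary, so `umn.edua` or a `/idp/umn/login.php` path on another site does not pass. The function names, the https requirement and the sample message with its placeholder hosts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "umn.edu"  # the only parent domain the blog treats as official
# Matches normal and defanged ("hxxp") links, including <bracketed> ones.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"'*]+", re.IGNORECASE)


def check_login_link(url):
    """Return (ok, reason) for a link that claims to be a UMN login page."""
    url = url.strip()
    if url.lower().startswith("hxxp"):  # undo defanging so the sample parses
        url = "http" + url[4:]
    try:
        parts = urlsplit(url)
        # .hostname is lowercased and excludes port and any "user@" prefix
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "no hostname"
    # Compare on a label boundary: "umn.edua" and "fakeumn.edu" must fail,
    # and "umn" in the path or in a left-hand label proves nothing.
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        return False, "host is not under " + TRUSTED_DOMAIN
    # Assumption: a credential form should only be served over TLS.
    if parts.scheme != "https":
        return False, "not https"
    return True, "host is under " + TRUSTED_DOMAIN


def off_domain_links(message_text):
    """Return (url, reason) for every link in an email body that fails the check."""
    flagged = []
    for url in URL_RE.findall(message_text):
        url = url.rstrip(".,;)")  # drop sentence punctuation stuck to the link
        ok, reason = check_login_link(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed message modelled on the lures above; hosts are placeholders.
SAMPLE = """Dear User,
To reactivate your account, visit the login page:
hxxp://portal.example.net/idp/umn/login.php
Or visit <https://umn.edua/login> now.
Account help: https://www.umn.edu/myaccount
"""

if __name__ == "__main__":
    for link, why in off_domain_links(SAMPLE):
        print(link, "->", why)
```

A passing result only says where the link is hosted; an unexpected message should still be forwarded to phishing@umn.edu as the blog advises.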