Tuesday, January 06, 2015

Universities Targeted with "Library Account" phish

Many universities across the country have been targeted with phishing emails that warn their students that their "Library Account" is going to expire. As with so many cybercrime issues, these crimes could be addressed much differently if the Powers That Be were aware that these were not individual cases, but an on-going campaign against victims across the country!

Towards that end, I've collected full text examples of many of these phish, with links to the University web pages where their students have been warned. Hopefully we can start warning people of national on-going campaigns like this BEFORE they are victimized!

While I was reviewing University Phish for this project, I was especially impressed with the phishing details shared at University of Michigan (Go Blue!) and University of Pennsylvania. Both are great examples of giving students enough details to understand the scope of the risk at hand.

January 2014 Library Account phish


January 9, 2014 - George Washington University
Subject: Library Account
Dear User,

Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once! To reactivate your account, simply visit the following page and login with your university account. After logging in, your account is reactivated and it will redirect you to your Library Account.

February Library Account phish


February 21, 2014 - Flinders University
Have you received an email asking you to “validate” your Library Account? This email is attempting to steal Flinders user credentials and is not legitimate.

Don’t follow the links in the email, just delete it. The library will never ask you to login to verify your details or activate your account.

May Library Account phish


May 23, 2014 - Lehigh University

June Library Account phish


June 26, 2014 - University of Minnesota
From: Library
Date: Thu, Jun 26, 2014 at 8:47 AM
Subject: Library Account
To:
Dear User,
Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once!

To reactivate your account, simply visit the following page and login wilth your library account.

Login Page:
xxxxxxxxxxxxxxxxxx
Sincerely,
University of Minnesota Libraries
499 Wilson Library
309 19th Avenue South
Minneapolis, Minnesota 55455
(612) 624-3321 (voice)
(612) 626-9353 (fax)

September Library Account phish


September 10, 2014 - University of Pennsylvania
From: Jonathan Heller < jheller@pobox.supenn.edu > 
Subject: Library Account Access 
Date: Wed, Sep 10, 2014 2:11 PM 

Dear User, 
Your access to your library account is expiring soon and it won't be accessible for you. You must reactivate your account in order to continue to have access to this service. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

(LINK REMOVED)

If you are not able to login, please contact Library Services Manager at jheller@pobox.upenn.edu .


Sincerely, 
Jonathan Heller 
Library Services Manager 
Access & Delivery Services 
Penn Libraries 
University of Pennsylvania 
(215) 898-8956 
jheller@pobox.upenn.edu 

September 17, 2014 - University of North Carolina Health Sciences Library
Alert: Phishing Emails Impersonate UNC Library

Some members of the UNC community have received false emails that appear to be from the Library.

These emails state that “access to your library account is expiring soon and it won’t be accessible for you.” The email directs the recipient to a link that appears to be from the Library.

October Library Account Phish


October 8, 2014 - UC Denver's Auraria Library
October 9, 2014 - University of Colorado Health Sciences Library
The University has been recently subjected to a phishing attack. The subject line of these new phishing messages is “Library Account Access”. These emails are designed to appear as if they are coming from the library concerning a library account activation. The phishing emails also contain links to malicious web sites that ask for your University information (Name and student/employee ID).


October 10, 2014 - Miami University of Ohio
    From: XXX XXX [mailto:xxxxxxxx@miamioh.edu]
    Sent: Friday, October 10, 2014 12:45 PM
    To: xxxxxxxx@miamioh.edu
    Subject: Library Account Access

    Dear User,

Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to this service. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

(LINK)

If you are not able to login, please contact Library Services Manager at xxxxxxxx@miamioh.edu.


    Sincerely,
    
    Alison Withers
    Library Services Manager
    Access and Delivery Services
    University Library
    Miami University
    513-529-2938
 

October 30, 2014 - Virginia Commonwealth University
To:
From: Access Services Manager 
Date: 10/30/2014 11:54AM
Subject: Library Account Access

Dear User,
Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to this service. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library account.

(Link redacted, actual link goes to login.vcu.edu.cavc.tk)

If you are not able to login, please contact Library Services Manager at kbonis@vcu.edu.


Sincerely,

Kerry Bonis
Library Services Manager
Access & Delivery Services
Main Library
Virginia Commonwealth University
(804) 827-3968

November Library Account phish


November 13, 2014 - Illinois Institute of Technology
IIT faculty, staff and students may have received an email to “All Members of the University of Illinois” notifying you about a new library system that requires you to activate a new library account. Do not respond to this email. It is a phishing attempt to collect IIT campus-wide ID numbers (CWIDs).

Library users affiliated with Illinois Tech gain access to subscription databases when off-campus by entering their CWID. Releasing that information to a third-party may result in access to our databases being limited or cut off. You can always safely access the library website by using the IIT Portal links, or going directly to the library website. If you believe your CWID has been compromised, please contact the OTS support desk.


November 17, 2014 - Southern Methodist University
Sample Phishing Email

Subject: Library Account Access
Sender: Jane Sippell 

Dear User,
Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to this service. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

Note – this link appears in the email:

https://libcat.smu.edu/cgi_bin/ldapauth.cgi_loginType=E25JFHNfCD7…

The actual destination does not point to the SMU library catalog but to a web address at http://libcat.smu.edu.cvre.tk

http://libcat.smu.edu.cvre.tk/cgi_bin/ldapauth.cgi_loginType=E25JFHNfCD7v…

If you are not able to login, please contact Access Services Manager at jsippell@smu.edu.


Sincerely,

Jane Sippell
Access Services Manager
Access & Delivery Services
Central University Libraries
Southern Methodist University
(214) 919-5931
jsippell@smu.edu
November 17, 2014 - University of Arizona
From: library (EMAIL ADDRESS REMOVED)
Subject: Library account
Date: November 17, 2014 at 8:46:39 AM MST
Reply-To: (EMAIL ADDRESS REMOVED)

Dear User,
Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once!

To reactivate your account, simply visit the following page and login with your library account.

Login Page:

(URL REMOVED)

Sincerely,

The University of Arizona Libraries
(ADDRESS, PHONE NUMBER AND URL REMOVED)


November 18, 2014 - Washington University in St. Louis
Dear User,

Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to this service. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

(LINK)

If you are not able to login, please contact Access Services Manager at *********@wustl.edu.

Sincerely,


November 19, 2014 - Ball State University Library
University Libraries was alerted that some members of the Ball State community received an email message stating their library account was soon to expire. The email said to reactivate the account by clicking on a web address included in the message. This was a phishing scam and the campus Office of Information Security took steps to block access to the phony site.

December Library Account Phish


December 1, 2014 - Harvard University
December 1, 2014 - McGill University (Canada)
    From: Library  
    Subject: Library Account
    Sent: Monday, December 01, 2014 8:49 AM
    To: 

    Dear User,
    Your library account has expired, therefore you must reactivate 
    it immediately or it will be closed automatically. If you intend 
    to use this service in the future, you must take action at once!

    To reactivate your account, simply visit the following page 
    and login with your library account.

    Login Page:

    Sincerely,

    McGill Library
    McLennan Library Building
    3459 rue McTavish
    Montreal, Quebec
    H3A 0C9
 
December 1, 2014 - Cornell University
Subject: Library Account
Date: December 1, 2014

Dear User,

Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once! To reactivate your account, simply visit the following page and login with your library account.

Login Page:
(BAD LINK)

Sincerely,

Cornell University Library, Ithaca, NY 14853 | (607) 255-4144


December 3, 2014 - University of Tennessee Knoxville
Dear User,

Your library account has expired, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in the future, you must take action at once!

To reactivate your account, simply visit the following page and login with your library account.

Login Page:

http://www.lib.utk.edu/reactivation?service

Sincerely,


    University of Tennessee
    University Libraries
    Email: library@utk.edu
    Tel: (865) 974-4351
 

December 15, 2014 - California State University Long Beach
December 18, 19, 20, 2014 - University of Michigan - (Hail to the Victors! Go Blue! WELCOME COACH HARBAUGH! Watched you play in 1985 while I was a Wolverine myself!!!) (oops) (blush)
Date: Thursday, December 18, 2014
Subject: Library Account Access

Dear User,

Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to the library services. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

[LINK REMOVED]

If you are not able to login, please contact [LINK REMOVED] for immediate assistance.

Sincerely,


Access Services Manager
University of Michigan Library
(734) 936-2921
[LINK REMOVED]
Date: Friday, December 19, 2014
Subject: U-M library System Problem
Dear [Your Name],

You are receiving this message because your login and off-campus access may have been compromised.

Your access will be inactive in 3 days. Because of some security problems, we decided to make some changes (Upgrade) and this is due to the implementation of a new version of Central Authentication System(CAS) and Umich WebLogin.
This means while you are off-campus or on-campus you will have no access to library's internal web services.

You can activate it by going again simply login to University of Michigan Library Weblogin System with your U-M LoginID and reactive your access.
Offer that Logout your account and close your browser.

Please note: If you get an Authentication Error ,just try 2 times to login again. Because System will automatically block your IP and Account and you should contact Systems Help Desk to Unlock.

University of Michigan Library
818 Hatcher Graduate Library South
913 S. University Avenue
Ann Arbor, MI 48109-1190
(734) 764-0400
[LINK REMOVED]
Date: Friday, December 19, 2014
Subject: ADMIN

Dear Web-mail Account User,

Your e-mail Account have Exceed the 20 GB e-mail Storage Set-Up by your Service Provider/Admin. You have to contact your Service Provider on Help Desk Support Portal below in less than 48 hours to avoid Suspension of your Web-mail Account if you dont Verify your e-mail account. To keep your Account Safe, Kindly Click the Help Desk Support Blue Portal below:

umich.edu-helpdesk [LINK REMOVED]

SERVICE DESK - IT HELP DESK
©COPYRIGHT 2014 WEB-TEAM. ALL RIGHT RESERVED.

December 23, 2014 - Wake Forest University
Dear User,

Your access to your library account is expiring soon and it won’t be accessible for you. You must reactivate your account in order to continue to have access to the library services. For this purpose, click the web address below or copy and paste it into your web browser. After logging in, your access is reactivated and you will be redirected to your library profile.

(LINK)

If you are not able to login, please contact James Hart at hartja@wfu.edu for immediate assistance.

Sincerely,

James Hart
Access Services
ZSR Library
Wake Forest University
336-758-4967
hartja@wfu.edu

December 23, 2014 - UAB Library

Wednesday, November 12, 2014

Phishing Success Rates and Google Phish

Last week a group of Google employees led by Elie Bursztein joined UCSD researchers Andreas Pitsillidis and Stefan Savage in presenting the findings of a study on phishing to the ACM Internet Measurement Conference in Vancouver, British Columbia. Their paper, Handcrafted Fraud and Extortion: Manual Account Hijacking in the Wild (12 page PDF), was picked up broadly in the press, and as usual, wildly misinterpreted.

At least 110 articles referring to the study were found in a simple Google News search with headlines ranging from the somewhat accurate:

  • Manual Phishing Gmail Attacks Found To Be Very Effective - Top Tech News, Nov 9, 2014
  • Google Study Finds Email Scams Are More Effective Than You'd Expect - Huffington Post, Nov 7, 2014
  • Old-time phishing scams are working just fine, Google finds - Naked Security, Nov 11, 2014
to the extreme bending of the facts for headline value such as these:
  • Phishing attacks on email accounts are successful 45 percent of the time - Firstpost, Nov 10, 2014
  • Phishing scams work 45% of the times: Google study - Times of India, Nov 10, 2014
  • Have You Been Scammed? Phishing Emails Successful 45% of the Time - Crave Online, Nov 11, 2014
  • A scary number of you are still falling for phishing scams, says Google - Nov 10, 2014

What did Google and UCSD Actually Say about Phishing?

First, the 45% quote. For the 100 Google/Gmail phishing sites that the researchers studied, they found that depending on the structure of the page, as few as 3% of the visitors filled out the phishing form and submitted their data. Overall 13% of the visitors to the webforms shared their personal data with the phishers, while in the most extreme example, 45% of the visitors to the phishing web page completed the form and submitted their personal data.

There were several interesting findings in the study. A few that I found interesting included:

  • 35% of phishing sites target victims' email
  • 21% of phishing sites target banking credentials
  • A growing number of phishing sites are targeting App Stores and Social networking credentials
  • Account takeovers are primarily Fast and Foreign:
    • 20% of compromised Google accounts were logged into within 30 minutes
    • The top countries of origin for hijackers were China, Ivory Coast, Malaysia, Nigeria, and South Africa
  • The easiest way to have your account restored is to have registered an SMS telephone number for out of band contact.

Manual Hijacking

The focus of this study was the process of Manually Hijacking accounts belonging to Google users. Because of that focus, it is not clear how broadly the observed behaviors can or should be projected onto other types of phishing. At Malcovery Security we observe 600 to 800 newly created phishing sites per day. This study focused primarily on Gmail/Google phish from January 2014, and for part of the study focused specifically on 100 Gmail phishing websites.

Google provided some statistics on how widely the problem of manual hijacking has been seen in the past. Over calendar 2012-2013, Google's security teams found that approximately 9 manual hijacking cases per day per million active users occurred. With over 500 million subscribers, Google is dealing with thousands of such account hijacks per day.

With Google participating in the research, researchers were able to determine that when an account is taken over, the criminals login to the account and search the email history and address books to determine how best to monetize the account. It seems that every week someone will make the comment in my presence "Yes, I have malware on my computer, but the worst that might happen is they get my email password!" But think about what is possible with that? How would you reset your password at your Bank? Amazon.com? eBay? On most of those sites, clicking "I Forgot My Password" results in an email being sent with a "Reset My Password" link! If the criminal finds an email from your bank in your email history, they now know exactly which bank to visit to click the "I Forgot My Password!" The email account is the key to the entire balance of your account!

The researchers also found that the scam we first wrote about in 2009 in the post Traveler Scams: Email Phishers Newest Scam is still quite prevalent. In this scam, because the criminal has access to your recent sent emails and address book, they are able to contact your friends and family with news of a tragedy while traveling where they desperately need money wired overseas to help them through the crisis. I've met many individuals who have wired money to their friends before realizing it was a scam! They often have stories of how they KNEW the email was truly from their friend, because when they asked questions, their friend replied with details only the friend would know. Often these details made use of prior "private" conversations in the phishing victim's email sent items box!

Popular Email Phish from Malcovery's ThreatHQ System

In the past seven days, Malcovery Security confirmed 416 distinct phishing URLs related to Google and their properties. These URLs were hosted on 207 distinct domain names on 174 different IP addresses. By country, the United States is the most prominent host of phishing sites, not just for Google, but for nearly every brand that does business in the USA. Of those 174 IP addresses, 90 are in the United States.

Google phish locations: November 5-12, 2014

IPs  Country
 90  United States of America
  8  Great Britain
  7  Turkey
  6  Australia
  5  Canada
  5  Chile
  5  Germany
  4  Indonesia
  4  India
  4  Italy
  4  Netherlands
  4  Romania
  4  Russia
  4  Singapore
  4  Spain
  3  France
  3  Thailand
  2  Brazil
  2  Hong Kong
  2  South Africa
  1  Japan
  1  Korea
  1  Mauritius
  1  Ukraine

This popular phish appeared on the domains bloo8.net, iyfcolombia.org, beingmedicalep.com, lifeofease.us, microcenterengineering.com, manosartesanasdelaregion.com, ouzophilippos.com, acount-verification.com and many others.

Although this phishing site is PRIMARILY imitating DropBox, it still steals Gmail and other email credentials:
The domain hosting this phish was "t-online.de".
This version brings in many cable-provider logos for email address choices, rather than relying on "Other Email" as some of the others do:
This version brings the logos of many Chinese language email providers into the mix:
One of the earlier forms of the phish:
These are just a few examples of the "look and feel" of some of the 400+ Google-related phishing URLs we've seen in the past seven days at Malcovery Security. Most of them were seen many times each!

US Federal Grant Scam: Greendot MoneyPak Edition

Last week we shared a blog post about phone scams claiming to have a Warrant For Your Arrest. After sharing some information about that scam, we've been receiving student-generated tips from several of our students about similar phone scams.

US Federal Grant Scam

Today's scam comes to us courtesy of UAB Criminal Justice student Kyle Jones. Kyle works on the Malware Research Team at the UAB Center for Information Assurance and Joint Forensics Research.

The scam begins with a phone call, in our case coming from callerid 305.356.9999, claiming that we have been selected to receive a Grant from the Federal Government because of our participation in a survey. Of all the people who have taken this IRS Survey, 1700 people have been selected to receive this grant. The caller then instructs us that we should go to a Western Union location near us and we should call them back once we are at the Western Union for instructions on how to receive our $9,500 grant.

The callback number was (516) 554-0006, which seems to be a New York number in Garden City.

So, we waited a bit and called the criminals back from the Western Union store in my office. (grin).

When we called the 516 number, the line was answered "US Federal Grants" and we were asked for the code that we had been given during the first call. I tried providing a slightly wrong code, and learned that they actually are tracking the codes, because she was unable to look up our information. We provided the correct code and learned that it was "very important that we don't go into the Western Union Store yet!" She then asked me if we were near a grocery store, such as a Seven-11? I told her I had a Publix store nearby but she said that wouldn't work. After some back and forth, we learned that a CVS Pharmacy would work for her needs. She instructed me that I needed to go to the CVS and buy a GreenDot MoneyPak card for $200.

"You need to put $200 on the card to activate the Money Transfer Control Number, but you will get the $200 back, it will be reimbursed with your grant.

Now, simply let me tell you, you are not going to pay the money to me or to my department. This is your money and it is going to be reimbursed back to you. Before we can transfer the money you have to make a registration with the Federal Reserve Bank and once you make the registration then with the help of the Federal Reserve Bank registration number, I will generate the Money Transfer Control Number so that you can receive your money from the Western Union Store."

Here's the audio clip of that part . . .

(audio) How it works - the woman at US Federal Grants, who sometimes claimed this grant was from the IRS, tells us we need to pay a $200 registration fee.

She then "transferred us" to the Federal Reserve Bank as you can hear with this link.

(audio) Transferred to the Federal Reserve Bank - Kevin Jones, manager of the Federal Reserve Bank took my call and helped me.

Kevin was good enough to explain the whole process of how to purchase a GreenDot MoneyPak card for $200 so that I could "within 5 minutes" pick up my $10,000 - (the $9800 grant + $200 reimbursement for my registration) - from the Western Union Counter. Here's the audio of him explaining it to us:

(audio) The GreenDot MoneyPak Process - as explained by the Federal Reserve Bank's Kevin Jones

What To Do if you are a US Federal Grant Scam victim

  • The Best Place to report any type of online scam is the FBI's Internet Crime Complaint Center. To go directly to their complaint page, use this link:

    https://complaint.ic3.gov.

    Although the form has many questions that you may not be able to answer, complete the form to the best of your ability with the information you DO know. Specifically make sure to note things such as:

    • What name did the person use?
    • Did they call you by name?
    • What agency, department, or company did they claim to be with?
    • How much money did they want you to pay?
    • What number(s) shows up in your callerid?
    • Did they give you any other numbers to call or websites to visit?
    Even if you do not have ALL of this information, any information you share can help link cases together. If someone calling Houston and someone calling Birmingham both told you to call the same phone number, that is a "link". If they used the same Officer Name, that is another "link". The more individual cases we can link together, the better chance we have of catching the criminals!

  • IF YOUR SCAM MENTIONS THE IRS, be sure to report the crime to the investigators at the Department of Treasury who have set up a special website for gathering information about this scam:

    http://www.treasury.gov/tigta/contact_report_scam.shtml

  • IF YOU HAVE LOST MONEY in your case, be sure to ALSO report this as a crime to your local Police Department!
Thank you for reading! Please share this link with your friends, family, and co-workers for their awareness! If you have a story you would like to share, please use the Comment form below!

Monday, November 10, 2014

University "Accept your new raise" Phish

One of the best emails that an employee can get from their employer is the one that tells you that you have been awarded a raise! In certain industries, such as academia, this type of email is quite rare, so you can imagine what welcome news it would be!

University Salary Phish Example

Phishers have been attacking universities across the country with emails that look like this one (Example email from University of Chicago):

++++++++++++++++++++++

From: employeebenefits@uchicago.edu
Subject: Your Salary Raise Confirmation

Hello,

The University is having a salary increase program this year with an average of 2.5%.
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:

Click Here hxxp://kirovtourism.ru/www.uchicago.edu/Sign-In.htm to access the documents

Sincerely,
Human Resources
The University of Chicago

++++++++++++++++++++++
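The link above puts the brand name in the path of an unrelated .ru domain, while the library phish earlier on this page (login.vcu.edu.cavc.tk, libcat.smu.edu.cvre.tk) put the trusted domain in front of an attacker-registered .tk domain and showed a legitimate-looking URL as the link text. Both tricks can be flagged mechanically by asking which part of the hostname the sender actually had to register. The Python below is an added example written for this page, not code from the original post; the trusted-domain list, the stub public-suffix set, the sample HTML mail and the function names are all my assumptions.

```python
"""Flag mail links that smuggle a trusted domain into a hostname or path."""
import re
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# samples below. Production code should use the full list (e.g. tldextract).
PUBLIC_SUFFIXES = {"edu", "com", "net", "org", "tk", "ru", "de", "us", "ca"}

# Institutional domains the gateway treats as legitimate; taken from the
# phish quoted on this page.
TRUSTED_DOMAINS = {"vcu.edu", "smu.edu", "uchicago.edu"}

# Matches <a href="...">text</a>; enough for the constructed sample mail.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample reproducing the SMU pattern: legitimate-looking link
# text, attacker-controlled href.
SAMPLE_MAIL = """<p>Dear User,</p>
<p>click the web address below or copy and paste it into your web browser.</p>
<a href="http://libcat.smu.edu.cvre.tk/cgi_bin/ldapauth.cgi">https://libcat.smu.edu/cgi_bin/ldapauth.cgi</a>"""


def registrable_domain(host: str) -> str:
    """Return the label pair the sender actually had to register.

    login.vcu.edu.cavc.tk -> cavc.tk   (the .tk owner controls it, not VCU)
    libcat.smu.edu        -> smu.edu
    """
    labels = host.lower().rstrip(".").split(".")
    i = len(labels) - 1
    # Step left while the remaining tail is still a public suffix.
    while i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
        i -= 1
    return ".".join(labels[i:])


def _labels(s: str) -> str:
    """Pad with dots so a substring search only matches whole labels."""
    return "." + s.lower().strip(".") + "."


def classify_link(href: str, display_text: str = "") -> dict:
    """Classify one hyperlink from a mail body.

    href          the real target of the <a> element (hxxp:// defanging accepted)
    display_text  the visible link text, checked only if it looks like a URL
    Returns the registrable domain, a list of findings and a verdict of
    'trusted', 'suspicious' or 'unknown'.
    """
    if href.lower().startswith("hxxp"):
        href = "http" + href[4:]
    if "://" not in href:
        href = "http://" + href
    url = urlparse(href)
    host = url.hostname or ""
    reg = registrable_domain(host)
    findings = []

    if reg in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        for trusted in sorted(TRUSTED_DOMAINS):
            # login.vcu.edu.cavc.tk: trusted name sits left of the registered part
            if _labels(trusted) in _labels(host):
                findings.append(f"trusted domain {trusted} appears as a subdomain of {reg}")
            # kirovtourism.ru/www.uchicago.edu/...: trusted name hidden in the path
            if _labels(trusted) in _labels(url.path.replace("/", ".")):
                findings.append(f"trusted domain {trusted} appears in the path under {reg}")
        verdict = "suspicious" if findings else "unknown"

    # Link text that shows one site while the href goes to another.
    if display_text.lower().startswith(("http://", "https://")):
        shown = registrable_domain(urlparse(display_text).hostname or "")
        if shown != reg:
            findings.append(f"link text shows {shown} but target is {reg}")
            verdict = "suspicious"

    return {"host": host, "registrable": reg, "findings": findings, "verdict": verdict}


def scan_html(body: str) -> list:
    """Classify every anchor in an HTML mail body."""
    return [classify_link(href, text.strip()) for href, text in ANCHOR_RE.findall(body)]


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_MAIL):
        print(hit["verdict"], hit["registrable"], hit["findings"])
```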

Recent reports about Your Salary Raise Confirmation

A Google search for that email subject "Your Salary Raise Confirmation" helps to reveal just how many Universities are targeted in this attack.

DHS / REN-ISAC / Multi-State ISAC Advisory

On August 18, 2014, the Department of Homeland Security released an advisory titled "University Payroll Theft Scheme" that cautioned Universities to be wary of this scheme.

Some of the email subjects that were mentioned in that advisory include:

  • Your Salary Review Documents
  • Important Salary Notification
  • Your Salary Raise Confirmation
  • connection from unexpected IP
  • RE: Mailbox has exceeded its storage limit.
According to the DHS advisory, this scam has been seen repeatedly at a number of universities dating back to at least August of 2013!

If you receive a copy of a phish such as this, please send an alert to: soc@ren-isac.net