Archive for November, 2011

A lot of UD folks have email accounts at Yahoo!, Google, or Hotmail for things like shopping and personal correspondence. So this phish, seen in a Yahoo! email account, could be relevant. Notice how this one contradicts itself–it claims your account has had new anti-virus software applied, but says you need to send in your account info (including your password) to “prevent spread of the virus.”

Remember, no legitimate entity will ever send you a request to reply with your complete account information (password, account, birth date, etc.).

See email like this? Just delete it.

Dear Yahoo!® Mail Subscriber,
Virus Notification
A DGTFX Virus has been detected in your folders.
Your email account has to be upgraded to our new Secured DGTFX
anti-virus 2011 version to prevent damages to our web mail log
and to your important files. Click your reply tab, Fill the
columns below and send back to us or your email account will
be terminated to avoid spread of the virus.
User name: 
Reconfirm Password:

Note that your password will be encrypted with 1024-bit RSA
keys for your password safety.
All User Should Reply Now !!! 
Failure to do this will immediately render your Web-email
address deactivated from our database.
Thank you for your co-operation.
Warning Code :ID67565434
Yahoo Account Support.
Copyright ©2011

Last month, we talked about fake notices that an electronic payment has failed. Well, these phish are really multiplying. One IT staff member received 43 (!) messages like that in the past week.

Even if they have the NACHA logo and are formatted appropriately, they’re still phish. In the sample below, note how the alleged link to a Word file really takes you to a suspect Web site.

If you think there’s an issue with an electronic payment to your bank account or from your bank account, contact your bank directly.

If you get email like this message, just delete it.

[Screenshot: Fake ACH notification: Another Phish!]

The holiday shopping and shipping season is upon us. We’re seeing more phish tailored not to your UD email account, but to the likelihood that you’re shopping online this year. We’ve talked about package scams before. Here’s another holiday classic: your account at our company has been hacked, and therefore your PayPal account may have been hijacked!

If you see a message like the one below, delete it. Commentary follows.

Subject:	Security notification regarding your Online Access!
Date:	Fri, 18 Nov 2011 02:43:22 -0500
From:	Customers Service <>
To:	__________@UDel.Edu

Identifying Unauthorized Logon Attempts on 18/11/2011: (Error Message No.
FE0LAPWMLWWQ9) Your account access has been limited for the following reason(s):
1. We would like to ensure that your account was not accessed by an unauthorized
third party. Because protecting the security of your account is our primary concern, 
we have limited access to sensitive Pay`Pal account features.
2. Unusual account activity has made it necessary to limit account access until
additional verification information can be collected.
3. If your account was hijacked, the PayPal account attached is vulnerable too. 
Please respond as soon as possible!

Pay`Pal Confirmation link:

Once you complete all of the checklist items, your case will be reviewed by one of 
our Account Specialists. We will send you an email with the outcome of the review.
If, after reviewing your Pay`Pa| account information, you seek further clarification
regarding your account access, please contact Pay`Pal Online Banking by visiting
the Help Center and clicking "ContactUs".

Thank you.
Pay`Pal Team.

Copyright 1999-2011 Pay`Pal. All rights reserved
Copyright Sandstone Technology Pty Ltd [ 2.0.63 7CFD 2144 FBEE ]
This email has been scanned by the MessageLabs Email Security System.

The scammer’s feigned concern for your security, copyright notice, fake “must be important codes” (error message number and some alleged code at the end) make it seem credible at first glance.

But can you spot the phishy signs?

  • Who is this from? What catalog company? PayPal itself? Ha.
  • Nice spelling: PayPal, Pay`Pal, and Pay`Pa| (with a vertical line instead of an “L”) — uh, huh, right.
  • What the heck are the sender’s alleged address and alleged reply-to addresses? and
  • That link in the middle–PayPal or the unnamed catalog company will probably not include a link for you to click to verify your information. Besides, look where this one goes. That’s not a PayPal site! And it’s not a catalog any of us have ever ordered from!
  • A little bit of badly-translated English has crept in: “Customers [sic] Service”; “sensitive” account features; European date format at the beginning.

We’re thrilled that so many of you are starting to send us phish like this one. Keep up your vigilance.

No, the IT Support Center did not send you email asking you to send them your UDelNet ID and UDelNet Password. The message below is a classic spear phishing scam, with lots of UD-specific language. But if you read carefully, the message reads like something written in a foreign language and then forced through a not-very-good translation program.

And, in case you’ve forgotten, the University of Delaware will never ask you to email in your UDelNet ID and password.

If you got this message, just delete it.

From: "IT Support Center"
Date: November 17, 2011 3:59:53 PM EST
Subject: Service Upgrade & Maintanance
Reply-To: IT Support Center

Dear Valued Subscriber,

Service Upgrade & Maintanance

In line with the upgrade of our services to enhance relevant service continuity of all
webmail/UD Google Apps account is in the process of being upgraded to a new set of
Windows-based servers and an enhanced online email interface in line with internet
infrastructure maintenance. The new servers will provide 2GB storage per mailbox,
new spam protection, new Web Mail interface, IMAP, POP, and SMTP support.

To ensure that UD webmail/UD Google Apps account is not intermittently disrupted 
but active during and after this service upgrade to the new servers, you are 
required to confirm your webmail/UD Google Apps account login details by 
stating your:

 * UDelNet ID:
 * UDelNet password:

as this will prompt the upgrade of your account. However kindly note that if 
receipt of this notice if duly acknowledged, it might result to a temporal 
deactivation of your webmail/UD Google Apps from Support database. Your 
webmail/UD Google Apps account shall remain active upon your confirmation 
of your account login details.

IT Support Center apologizes for any inconvenience caused.

IT Support Center

Information Technologies Support Center  University of Delaware.

This phishing scam was reported by a couple of readers. It’s not been tailored to UD; however, quickly scanning email and seeing a note from IT Service that your email account needs validating may catch a few people. Particularly if folks open the message and glance at the “Warning” subheading and copyright notice.

[Screenshot: Another Phishing Scam]

A few clues that this is not legitimate email:

  • The message did not come from a address.
  • The Reply-To: address is phishy (pun intended): “noreply@itservice” is an invalid email address format.
  • If you hover your mouse over the phrase “Clicking Here,” you’ll see the phisher is trying to lure you to click on a non-UD link (not something in the domain!) to harvest too much personal information.
  • Even though no words are misspelled, there are plenty of typos. For example:
    • Email is spelled “Email,” “E-mail,” “email,” and “e-mail.”
    • In the middle of different sentences, “account” is sometimes capitalized and sometimes not.
    • There’s spacing on either side of the period (.) in the middle of the copyright notice.

    We’re not perfect, but our copy editing standards are a bit higher than that.

Get this message? Just delete it.
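
Several of the clues listed here and in the PayPal post above (disguised brand spellings, blank credential fields, a Reply-To with no real domain, a link that leaves the expected domain) can be checked mechanically. The Python below is an added example, not part of the original posts; the function names are illustrative, and the URL and expected domain in the last call are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Disguises seen in the sample: a backtick inside the word, "|" standing in for "l".
_LOOKALIKE = str.maketrans({"|": "l", "1": "l", "0": "o"})
_NOISE = re.compile(r"[`'_-]")
# A form field left blank for the recipient: "Password:", " * UDelNet ID:", ...
_CRED_FIELD = re.compile(
    r"^[ \t*-]*[\w ]*\b(password|user ?name|id)[ \t]*:[ \t]*$", re.I | re.M)

def brand_variants(text, brand="PayPal"):
    """Spellings that read as `brand` once the disguises are folded away."""
    hits = set()
    for token in re.findall(r"[^\s,.;:!?()\"]+", text):
        folded = _NOISE.sub("", token).translate(_LOOKALIKE)
        if folded.lower() == brand.lower() and token.lower() != brand.lower():
            hits.add(token)
    return hits

def credential_fields(text):
    """Blank fields asking for a user name, ID or password."""
    return [m.group(1).lower() for m in _CRED_FIELD.finditer(text)]

def malformed_address(addr):
    """True when there is no dotted domain, as in 'noreply@itservice'."""
    local, sep, domain = addr.strip().rpartition("@")
    return not (local and sep and "." in domain.strip("."))

def link_leaves_domain(href, expected_domain):
    """True when the link's real host is outside expected_domain."""
    host = (urlsplit(href).hostname or "").lower()
    expected = expected_domain.lower()
    return not (host == expected or host.endswith("." + expected))

# Lines quoted from the samples on this page, used here as test input.
SAMPLE = """we have limited access to sensitive Pay`Pal account features.
If, after reviewing your Pay`Pa| account information, you seek
 * UDelNet ID:
 * UDelNet password:
"""

if __name__ == "__main__":
    print(sorted(brand_variants(SAMPLE)))
    print(credential_fields(SAMPLE))
    print(malformed_address("noreply@itservice"))
    print(link_leaves_domain("http://paypal.example.net/verify", "paypal.com"))
```

A hit from any one of these checks is a reason to look closer, not a verdict; a mail filter would weigh them together with sender authentication results.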
