Archive for February, 2013

In my email this morning, I just learned that someone tweeted a picture of me!

Not so fast. It’s email from a scammer impersonating a legitimate twitter account to get me to surrender my account information.

Email claiming there's a picture of me in twitter

Click the image to see a larger version.

Even though the email appears to have come from twitter (the fake domain “postmaster.twitter.com”), it’s a phish. It’s not legit. Someone has spoofed a legit twitter account and standard twitter traffic, trying to social engineer your response: “Oh goody! A picture! [Click bit.ly link.]” If you follow the link in the email, you’d see a forged twitter page. The design and images make the page look just like twitter’s login screen, but look carefully at the URL:

Fake twitter login page

Click the image to see a larger version of this forged twitter login page. Look carefully at the URL….

This scam points to the need for caution in following “shortened” links and to the need to Think B4 U Click! This scam is designed to make you so happy that one of your twitter contacts has posted a picture of you that you’ll just react by clicking the link, thinking you need to log in to twitter using the fake screen and–boom!–the scammer has captured your twitter username and password.

This scam probably originated with a legitimate account being compromised. Therefore, if you receive a phishing scam like this one, notify the real holder of the twitter account about the phishing attempt.

If you fall for this scam, log in to twitter.com and change your password immediately. If you cannot change your password because the scammer has already changed it, contact twitter to report that your account has been compromised.

Comments Comments Off

People are reporting dozens of different phishing scams in UDel.edu mailboxes. A lot of the phishing messages are coming in with a subject line of “Technical Support” or “Webmail Alert!” and appear to come from elbt@udel.edu, helpdesk@udel.edu, webmaster@udel.edu, all spoofed addresses. These messages are not from UD. Delete them.

Here’s a sample of one of the many we’re seeing:

From: University of Delaware <eblt@UDel.Edu>
Date: February 21, 2013 5:56:55 PM EST
To: yourid@UDel.Edu
Subject: Technical Support

You could be infected with spyware. Press this link to protect your account.

University of Delaware Email Team

If you are reading email on a computer and if you “hovered” your mouse over the link, you would see that it does not take you to a udel.edu Web site. It’s a fraud. You are supposed to fear spyware so much that you’ll click the fraudulent link without thinking.

If you’re using a mobile device, don’t follow the link in any unsolicited email.

Remember, the University of Delaware will not send you email that asks you to follow a link to fix your account, nor will we ever send email asking for your account password.

Look at some of the other sample messages at this site, read our most recent UDaily article about phishing, explore some of the resources linked from this site. Above all else…. Think B4 U click!

Comments Comments Off

This morning we have begun receiving reports of phishing scams baited with information allegedly from the IRS about a problem with the recipient’s tax refund. As Michael Hickins, Wall Street Journal, pointed out in a March 2011 blog post,

It’s tax season, which means cyber-thieves are trawling the Web and sending counterfeit email in the hopes of snaring your personal tax data. And they’ve created websites with reasonable-seeming addresses and legitimate-seeming emails in order to lure unsuspecting citizens into clicking on the wrong link or downloading a virus-laden PDF.

Below is a sample phish that landed at UDel.edu this morning.

Not very convincing IRS phish

Click on the image to see a larger version of this phishing scam alleging to be from the IRS.

This is not a very convincing scam, with

  • interesting grammar,
  • an incomplete address and strange hours in the signature block,
  • a link to a site in Germany for you to enter your information,
  • email about “your” refund being sent to a mailing list,
  • and so on. One version of this scam claims the IRS is contacting you about your state tax refund.

But as we get deeper into tax season, be on the lookout for better forgeries claiming to be from the IRS. They all are trying to make you react to the shock of having a tax problem — “Oh, no! My refund has a problem!” [click] — without thinking it through.

As the IRS itself says,

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

Report Phishing, IRS Web page, 10/18/2012

If you receive a phishing message claiming to be from the IRS, you can report it to phishing@irs.gov — then delete the phishing message.

Comments Comments Off

You have to be careful with all of your email accounts. For example, look at this classic that arrived in one UD employee’s Yahoo! email account:

Yahoo! phishing scam.

We added a red arrow so you can see that the link in this message would NOT take you to a valid Yahoo! page. Click the image to see a larger version.

Most companies, banks, organizations, and universities do not send out email that asks you to click a link to validate your account. The safe thing to do is to log in at the Web address (URL) you usually use for your account and check your account status there.

This phish uses a stolen Yahoo! image and a forged Yahoo! copyright notice to try to trick you: It’s designed to scare you into reacting without thinking–to react to an alleged problem with your account by clicking the bogus link.

Just delete it.

Comments Comments Off

We can’t possibly post every phish we’ve seen this week–as phishers trawl for identities they can steal, bombarding UD inboxes at the beginning of a new semester. But this one has an interesting wrinkle: it claims that someone with a specific IP address tried to access your account! With that level of detail, it’s got to be correct, right?

No!

From: Welch, Crystal
Subject: FW: WEBMAIL TECHNICAL SUPPORT
To:
Date: Thursday, February 7, 2013, 3:27 AM

Dear User,

Attention! Your Webmail Account was violated! Someone with IP address 82.160.128.20 tried to access your personal account! Please click the link below and enter your webmail information to confirm that you are not currently away. You have 3 days to confirm webmail information or your account will be locked.

CLICK HERE to verify your account

We apologize for any inconveniences on this effect.

Thank you for your patience and understanding.
Technical Support

If you see a message like this one, delete it. If you fall for it and “CLICK HERE,” change your UDelNet password immediately. If unable to do so, contact the IT Support Center.

Comments Comments Off