Secure UD Threat Alerts
Wed, 24 Sep 2014 18:15:07 +0000

More opportunities to upgrade your webmail account, courtesy of UDel (kinda?)
Wed, 24 Sep 2014 18:14:15 +0000

We’ve seen tons of these scams before, and it makes us wonder how many people fall for them.

Here we have a pretty generic email claiming that you can get a “webmaster account upgrade” in order to increase your inbox storage capacity. Note the clunky wording, which doesn’t make any reference at all to UD or Google Apps. The link provided is definitely not a UDel address, and the phisher didn’t even bother trying to disguise it. The email is also signed with the vague label “HelpDesk ITS” rather than UD anything.

It’s a pretty standard procedure: the phishers attempt to redirect people to an outside site so they can harvest email login information when unsuspecting victims “sign up” for their service.

Remember to report and delete phishing emails like this one.

Home Depot Awerikan Express scam hits UDel
Wed, 24 Sep 2014 17:58:07 +0000

It seems the recent Home Depot phishing scam has been reproduced using American Express as the new vehicle.

This authentic-looking email tries to direct us to what appears to be American Express’s website so we can log in and check our account activity. It claims that AmEx noticed recent activity on your card, and it provides a random recent date in the hopes that cardholders will not remember using their cards and thus feel compelled to check their statements for “suspicious activity.”

Conveniently, the email also warns us that there’s no need to call AmEx. It’s as if doing so would reveal a scam of some kind…

When we hover over the links, however, we see that they all point to “” Phishers often rely on visually similar URLs to trick you into a sense of security.

It turns out that “” is a pretty good replica of the actual American Express website. It uses actual images and text from the legit AmEx site, and it provides a nice, obvious location for you to input your account information.

We’re not sure if anyone at UD has fallen for this one yet, but we advise all students and staff to only log in to websites after they have checked the URL and verified that they are in fact on the correct page. And always check the links before you click!

Phishing scam targets UD email addresses
Thu, 18 Sep 2014 18:51:16 +0000

Several University of Delaware members have reported a phishing scam specifically targeting UD email addresses. If you see the following message in your inbox, delete it immediately—it is not from the University of Delaware.

From: University of Delaware <>
Subject: New Message
Dear Member,
You Have 1 New Message. Click Here To Read.
University of Delaware
© 2014

Clicking the link prompts the user to enter their username and password on a phony UD login page. As you can see, the URL of the page has a domain name, the Internet country code for South Africa. UD does not host any pages in South Africa. Do not enter your credentials.
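The link checks described in this alert and in the American Express alert above (look at where the link really points and compare it with the real site) can be scripted for a mail triage queue. This Python is an added example, not part of the original alerts; the `TRUSTED` list, the function names, the 0.85 similarity threshold and the sample hosts are assumptions constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("udel.edu", "americanexpress.com")  # assumption: domains users really log in to

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. an unclosed "["
        return ""

def check_links(html):
    """Return [(host, [reasons])] for each link that leaves the trusted domains."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        host, labels = host_of(href), host_of(href).split(".")
        if not host or any(host == d or host.endswith("." + d) for d in TRUSTED):
            continue  # no host (mailto:, relative link) or a trusted domain
        reasons = ["host is not a trusted domain"]
        for brand, domain in ((d.split(".")[0], d) for d in TRUSTED):
            if brand in labels:
                reasons.append(f"uses '{brand}' as a label of another domain")
            elif any(difflib.SequenceMatcher(None, lab, brand).ratio() >= 0.85 for lab in labels):
                reasons.append(f"near-miss spelling of {domain}")
        shown = host_of(text if "://" in text else "//" + text) if " " not in text else ""
        if "." in shown and shown != host:
            reasons.append(f"visible text names {shown}")
        findings.append((host, reasons))
    return findings

# Constructed sample message body; the .example hosts are placeholders.
SAMPLE = ('<a href="http://udel.webmail.example/login">Click Here</a>'
          '<a href="https://www.amerlcanexpress.example/signin">www.americanexpress.com</a>'
          '<a href="https://www.udel.edu/it/">IT home</a>')
```

Calling `check_links(SAMPLE)` reports the first two links and stays silent on the genuine `www.udel.edu` one.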


Five million Gmail passwords posted to forum. Reminder: Change your passwords!
Wed, 10 Sep 2014 21:26:20 +0000

A recent news story reminds us that it might be time to change your passwords again!

Today, C*news, a Russian news agency, reported that almost five million Gmail usernames and passwords were posted to a Russian Bitcoin security forum. The list has since been removed, and there’s no evidence that Google itself was infiltrated. But this incident should be a reminder to you: when was the last time you changed your key passwords?

The credentials posted in the forum were a collection of username/password combinations phished and hacked over the past few years. Researchers speculate that as many as 40% of these Google passwords were changed by the account owners before the list was posted. But that would leave 60%–3,000,000–Google accounts at risk!

Even though most of the stolen Google credentials were from Russia, this incident should remind you about good password management:

  • Strong passwords are of the utmost importance!
  • From time to time, change your passwords! If you have somehow snuck through the cracks and haven’t created or changed your UDelNet password since April 8, 2014, change it now.
  • Incidents like this one explain why security experts suggest that you change your passwords from time to time. Hackers often take months to use the credentials they steal from a website. If you’ve changed your password since the theft, your account should be safe.
  • Use different passwords for your different accounts so that, if your login credentials are stolen from one site, hackers can’t access all your accounts using the stolen password.

More information

Facebook Messenger security flaw could automatically dial premium-rate numbers
Wed, 27 Aug 2014 19:28:48 +0000

Facebook’s already controversial Messenger app is making headlines again with a security flaw on iOS devices that could lead to iPhone users being charged for expensive, unwanted phone calls.

iOS native applications like Mail and FaceTime handle phone numbers using codes called the “tel URL scheme.” In this scheme, the number is dialed immediately after clicking on the link. The user is never asked to confirm.

Unlike native apps, mobile apps like Facebook Messenger and Google+ are supposed to have the user confirm whether they want to dial a number; however, this setting is often turned off, as with Facebook Messenger.

A malicious phone number sent to a user, in combination with JavaScript code that automatically “opens” the number from within Messenger, could automatically dial a premium-rate number, from which the hacker then receives revenue.

Facebook will be patching the flaw in the near future.

Guillaume K. Ross, an information security consultant in Montreal, presented the flaw during a talk at BSidesLV 2014.
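The confirmation step this alert says apps are supposed to perform, written as a link-handling policy: a `tel:` link is never dialed unless the user tapped it, and even then the normalized number is shown for confirmation first. This is an added example, not code from Facebook, Apple or the original alert; `parse_tel`, `dial_decision`, the premium-prefix list, the NANP assumption and the sample numbers are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: premium-rate prefixes to warn about; +1900 is the NANP 900 range.
PREMIUM_PREFIXES = ("+1900",)

def parse_tel(url):
    """Return the dial string of a tel: URL, '' if malformed, None if not tel:."""
    scheme, sep, rest = url.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    number = unquote(rest).split(";", 1)[0]     # drop ;ext= and other parameters
    number = re.sub(r"[\s().-]", "", number)    # strip visual separators
    # Digits with an optional leading "+"; pauses, DTMF and letters are rejected.
    return number if re.fullmatch(r"\+?[0-9]{3,15}", number) else ""

def dial_decision(url, user_tapped):
    """Decide what a (hypothetical) in-app link handler does with a URL.

    Returns (action, number): 'pass' for non-tel URLs, 'block' for malformed
    numbers or for opens that did not come from a tap (e.g. script-initiated),
    otherwise 'confirm' or 'confirm-premium': show the number and wait.
    """
    number = parse_tel(url)
    if number is None:
        return ("pass", None)
    if number == "" or not user_tapped:
        return ("block", number or None)
    if not number.startswith("+"):
        # Assumption: national numbers are NANP; drop a leading trunk "1".
        number = "+1" + (number[1:] if len(number) == 11 and number[0] == "1" else number)
    if number.startswith(PREMIUM_PREFIXES):
        return ("confirm-premium", number)
    return ("confirm", number)
```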

Phishing scam on campus
Thu, 14 Aug 2014 13:10:52 +0000

A new (old) phishing scam has appeared on campus regarding the quota of your email account. If you see the following message in your Inbox, just delete it–it is a scam.


Subject: IT Helpdesk

Dear webmail User,

Your Mailbox Quota disk exceeds 500GB limits set by our Webmail Service Administrator. Your mail may not be able to send/receive some important new messages until your Mailbox size is reset.

To upgrade and expand your Mailbox disk Quota click on below web link or copy paste the link

to correct your mail account information’s.

Sorry for the Inconveniences.

IT Service Helpdesk

©Copyright 2014

Summer #phishing scams attack USAA.COM account holders
Mon, 28 Jul 2014 18:19:57 +0000

Just a heads up about a recent phishing scam that is, unfortunately, having some success with USAA members across the United States. Share with your colleagues as appropriate.

A lot of military families and families of retired military personnel use USAA for insurance, banking, or investing. A new phishing attack has been spotted that leads USAA members to fake USAA sites where a victim is prompted for his or her personal information, according to Jesper Jurcenoks, VP for Research at Critical Watch (

The phish leads people to very convincing but fraudulent sites–set up by scraping images used at the legitimate USAA site in June and early July.

More information:

Varieties of 2 common phish swim into UDel inboxes over holiday weekend
Mon, 07 Jul 2014 14:11:12 +0000

Over the weekend, people reported seeing versions of two common phishing scams in UD inboxes. One is a “Your Mailbox is Full” scam, the other a “Google Doc for You” scam. Screenshots and commentary below.

Your Mailbox is Full

[Screenshot: Your mailbox is full scam.]

This scam wants you to be shocked that your mailbox is full and that you cannot send email. The scammer wants you to be so upset that you’ll react without thinking–that you’ll react by clicking that Cleanup link and fill out a form surrendering your personal information.

The red bar allegedly showing you have 2 MB left in your inbox is a nice touch, too.

This one is a classic that, even though it is an obvious phish to most of us, still hooks enough people that scammers still use it. Some telltale signs:

  • First, the message comes from “Norma” and is going to “Norma.” That is a method sometimes used to send a news announcement to a large group of people (using the bcc: field for a large email list). But that sending method is never used by any reputable organization to tell you information about your account.
  • Second, even when authentic email has a typo or two, it won’t contain this many errors in grammar, spelling, and capitalization. Oh, and note that it says that your “mailbox” can’t send messages. Standard usage would be your “account” can’t send email.
  • What is the ITS help desk? We don’t have such a unit on campus. IT’s help desk is called the ITSC (IT Support Center). They made up an official sounding unit name. This points out how important it is to verify the authenticity of any message of which you are suspicious.
  • Fake copyright notice. Something about that phrase “All Right [sic] Reserved” scares people into thinking a scam message is authentic–even with the “s” missing from “rights.” But why is a message allegedly coming from a UD email account to your UD email account being copyrighted by Microsoft?

See a message like this one? Delete it.

Hi! I have a Google Doc for you

[Screenshot: Google Doc phishing scam.]

Oh, cool. My friend Kelly has a Google Doc for me! Great! I haven’t heard from her in a while.


Don’t click that link! How do you know that this is a scam? Let us count the ways:

  1. This message has a Google Docs image followed by a mish-mash of images for other vendors’ products: Adobe, Microsoft, Apple. That makes no sense.
  2. My friend Kelly lives in the US. Why would she send something with an upload date in DD-MM-YYYY format?
  3. Google refers to its shared document/cloud product as Google Drive, but did formerly refer to it as Google Docs. Note that the product is referred to as “Google Doc [sic]” three times.
  4. The message contains no information about the document. Why would I “Click Here” to see a document that I wasn’t expecting without any explanation from the sender, even if she is someone I know?

Google-based scams are one of the more common methods phishers use to trawl for your personal information, either by putting up a Google Form for you to fill out or by putting up a document infected with malware for you to download.

The moral is…

As always, the moral is Think B4 U click!

For more information about how phishing scams and social engineering work in general, view our June Secure UD newsletter.

Schools of this phishing scam spotted in UDel inboxes
Wed, 02 Jul 2014 18:18:56 +0000

UD Public Safety reports that a lot of their employees received this phishing email on July 1. None of them were hooked by this scam.

This scam provides a good illustration of a “standard” phishing scam that is trying to shock you into clicking a link you shouldn’t and sharing your personal information with scammers:

[Screenshot: Sample Phish from Jul 1, 2014, annotated.]

The scammer tries to shock you into clicking the link by warning you your account will be permanently terminated, and by using the phrase “Virus Scanning” to make you think it’s “Very Important” to click that link. But as we all know, no reputable organization will ever ask you to click a link in an email message to confirm your personal information.

We’ve marked some of the tell-tale phishy signs in this email. Look also for the non-standard capitalization, wording, and punctuation. We love the fake copyright notice at the end: “All rights reserved” by a UD unit that doesn’t exist!

See this message or one like it? Delete it.

Another Android worm spreading malware via links in SMS messages
Mon, 30 Jun 2014 18:58:48 +0000

Android worms are starting to show up, spreading from phone to phone via SMS text messages, using each victim’s contact list to replicate and send themselves to more victims. We first mentioned this trend two months ago, and now Sophos’ Naked Security Blog is mentioning another new worm: Andr/SlfMite-A.

“Viruses and worms ha[ve] to make their own running, and they took the business of spreading into their own hands, automatically seeking out new files or computers to infect, or churning out emails with themselves as attachments or download links.

“That’s how Andr/SlfMite-A gets around, though it sends itself in the form of an SMS containing a web link, rather than as a self-contained attachment.

“So, if you allow yourself to get infected, you don’t just put yourself at risk, you immediately put your top 20 contacts at risk, too.”
Source: Paul Ducklin, Anatomy of an Android SMS virus – watch out for text messages, even from your friends!, Sophos Naked Security, June 29, 2014.

Digging around on the Web, we saw that Andr/SlfMite-A also shows up on Windows systems. In addition, Sophos reports that while it’s texting your contacts, it is also downloading malware onto your Android Device: a “front end” for MoboGenie–the malware-ridden app that billed itself as an alternative to the Google Play Store.

Good anti-virus/anti-malware software for Android should catch the SMS text version. Sophos, of course, recommends the free version of Sophos Mobile Security for Android, but other reputable free software like Lookout Mobile Security should catch it as well.

And the moral of the story is, Think B4 U Click!
