Educause Security Discussion mailing list archives

Re: Fraudulent Domain


From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Mon, 24 Sep 2018 16:54:45 +0000

We have had a similar issue arise. Our domain is mnsu.edu.  We have had a few phishing attempts come from mnsuu.com.  
Using that domain they have duplicated at least two e-mails and directed users to copies of our login pages.  We 
haven’t requested takedown of the domains, but we have requested takedown of the sites when they pop up. We have also 
blocked the domains through OpenDNS and Office 365 Advanced Threat Protection SafeLinks.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705

Are you ready for ransomware? Make sure your data is backed up and you're able to restore it!
Learn more.<https://link.mnsu.edu/cyberaware>




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Monday, September 24, 2018 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fraudulent Domain

I’m battling an identical battle at the moment. So far, the registrar for the domain has not replied to my email and 
voicemail contacts with their abuse department. I’m curious to hear the other advice you receive.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Gomez, Joshua" <J.Gomez () SNHU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 24, 2018 at 9:12 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fraudulent Domain

Hello Everyone,

We have had a fraudulent domain pop up impersonating the University sending out fake Purchase Orders to suppliers.  
This website domain does not have an active website but we still reported the domain to reputation reference websites 
such as VirusTotal, ESET, Google Safe Browsing, etc.  We plan to contact the registrar of the website and have our 
legal team request a DMCA takedown notice.

What other steps can we take to expedite having this fraudulent domain taken down?

Thanks

Josh

Joshua Gomez | Consultant, Information Security
Information Technology Solutions
Physical Address: 1230 Elm Street, Manchester, NH 03101
Mailing Address: 2500 North River Road, Manchester, NH 03106
Office Phone: 603-626-9100 x7777 | Service Portal<https://snhu.service-now.com/sp>
