Re: Phishing at U-M

[Joel Anderson <joela () UMN EDU>]

FWIW, it's been useful to us to drop fake credentials (I call them
"honeypeeps") in these fake login forms, and monitor for failed logins -
it's allowed us to discover phisher IP endpoints, and detect phished
accounts.

On Fri, Jun 5, 2015 at 7:11 AM, Donald Welch <djwelch () umich edu> wrote:

> Colleagues,
> Starting Wed, we've been undergoing a serious phishing attack.  The
> attacker has used compromised accounts to send the e-mails and collect the
> information on forms in U-M google drives.  Still they are "from the IRS,"
> but from a umich e-mail. As we shut down accounts, the attacker moves on to
> the next account.  The scam subject lines he has used are:
>
> E-Services
> Record Validation
> Important Mail
> =?UTF-8?B?SW1wb3J0YW50IE1haWzigI/igI8=?=
> Quick Validation
>
> We think about 150 people have given up their PII so far.  In some cases
> we have been fast to close down the form so the attacker may not have
> captured the info.
>
> We have also been seeing an attack aimed at faculty when the e-mail is
> asking for a copy of a person's paper, and when they click the link they
> get a copy of our login page.  This one is annoying, but we don't think the
> attack is working in that the faculty realize they have been scamed and
> change their password quickly.
>
> As our campus becomes wiser to this attack the attacker may move on to
> another campus.
>
> Don
>
> Donald J. Welch, Ph.D.
> Chief Information Security Officer
> University of Michigan
> 734-615-0334



-- 
--
   ---------------------------------------------------
   joel anderson * joela () umn edu *  @joelpetera
   -->  612-625-7389  --> pager: 612-648-6823
   Security Analyst
   University Information Security - University of Minnesota
   http://it.umn.edu/practices-information-security-policy