The 20 Most Recent Threat Descriptions
Fake email messages with the title 'Delivery Status' or 'DHL.Inc: Delivery Status' (or a variation on this) followed by an ID number have been arriving on campus. Do not open the attachment. Delete and ignore.
The phishing email looks like (or is similar to) this:
From: DHL Delivery Report
Subject: Delivery Status ID_768D20E04C
We attempted to deliver your item at 10:10 AM on Nov 24th, 2013.
The delivery attempt failed because nobody was present at the shipping address, so this notify has been automatically sent.
If the parcel is not scheduled for redelivery or picked up within 72 hours, it will be returned to the sender.
Label Number: 768D20E04C
Expected Delivery Date: Oct 24th, 2013
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent
Read the enclosed file for details.
(c) 2013 Copyright DHL Inc 2013. All Rights Reserved.
*** This is an automatically generated email, please do not reply ***
There have been a small number of incidents on campus involving a particularly destructive piece of malware which prevents you from using your personal and shared filestore, e.g. documents, PDFs, research data files etc.
Although the number of incidents so far has been small, they are having a severe impact on the day to day work of those affected.
You are therefore asked to follow the guidance below:
- Contact the ISS Service Desk immediately if your anti-virus software (such as Symantec) is giving you warnings.
- If you are getting these warnings outside of office hours, switch off your machine and leave a phone message with the ISS Service Desk (01524 510987 / x10987) and someone will get back to you in the morning.
- If you regularly make use of any social networking sites, such as Facebook, do not click through on any games, apps or attachments if you are not 100% sure that they are safe.
- Only open email attachments when you know who they are from and what they are about.
- Disconnect any external drives or filestore connected to your machine which you do not need to use regularly.
Further updates will be provided as more information is available. If you are concerned that your computer has been infected please contact the ISS Service Desk.
12:30 14/11/2013 - Warning Issued - ISS is looking into the problem.
The phishing email looks like this:
From: Lancaster University Email Services Provider [firstname.lastname@example.org]
Date: (arrival date)
Subject: This mail is send from Mail System Administrator Help Desk
Your mailbox is full.
[graphic showing a red bar and '131MB']
Your mailbox can no longer send messages. This is the Help desk Program that periodically checks the size of your e-mail space. The program runs to ensure your inbox does not grow too large, re-validate your email CLICK HERE for update of your Email. Failure to submit the admin required info for update it will render your e-mail in-active from our database. Help desk! Account Services
Delete and ignore
Contents of the Lancaster Webmail phishing mail:
From: email@example.com on behalf of Lancaster Webmail [firstname.lastname@example.org]
Subject: Update Notification
We have upgraded to 500MG Email Space, login into your account to confirm if your account is still active.
Click the link below to login into your account for confirmation and upgrade.
Note: If you have not been upgraded, click the Upgrade To 500MG check box.
Do NOT click on the link. Delete and ignore.
Do NOT open the attachment. Delete the message.
The fake message looks like the following:
From: email@example.com (may vary)
To: firstname.lastname@example.org (may vary)
Subject: *****Failed AutoResponder Request***** [The FedEx Team. Mail delivery failed]
Your shipment has arrived at the post office on 23 July 2013.
Our courier team was unable to deliver the package to you.
To receive your shipment please print the attached receipt and go to the nearest office.
The FedEx Team.
Don't open the attachment, don't click on the link and don't reply.
Typical attachment name: Image Id 33976933.zip (633 B) [numbers vary]
Typical body content:
Cell +440563656942 [number varies]
If your can't show pictures to visit our on-line a web address - www.t-mobile.co.uk/pmcollect - where you can look at the picture message (enter your telephone number and the password). It'll only be available online for 14 days, so make sure you save the picture to a computer if you want to keep it.
Below is a copy of the text of the phishing email:
From: email@example.com [mailto:firstname.lastname@example.org]
Your e-mail needs to be updated CLICK HERE and fill the webmail account update page to have your email updated,Failure to update will process your lancs.ac.uk account being temporarily blocked or suspended from our network and may not be able to receive or send e-mail due to the update.
Note: the update page is quite different from your login page, mean while fill the all the information there to have your webmail updated okay
We apologize for the inconvenience, we are here to make it look better web mail Lancs.ac.uk 2013.
From: UCISA announcements list [mailto:UCISA-ANNOUNCE@JISCMAIL.AC.UK] On Behalf Of Mary Sandbo
To: UCISA-ANNOUNCE@JISCMAIL.AC.UK
Subject: Quota size: 94.6% Warning !!!
Helpdesk requires you to upgrade webmail by Clicking
This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your webmail account was accessed by a third party. Protecting the security of your webmail account is our primary concern, we have limited access to sensitive webmail account features.Failure to revalidate, your e-mail will be blocked in 24 hours.
Thank you for your cooperation.
Copy of the Webmaster Phish Attack
WEBMASTER EMAIL ACCOUNT UPGRADE
Information Technology Services (ITS) are currently updating our new website accounts. This will provide you the ability to store a greatly Increased amount of e-mail correspondence in your e-mail account and also reduce spam emails that is received in your email on the daily basis. Your account has been selected, as one of the accounts that are to be upgraded. Please click the link below and follow the instruction to upgrade your email account
The new minimum quota level for e-mail accounts will be set to 2 G.
(c) Copyright 2012 | WEBMASTER EMAIL HELP DESK * * ALL RIGHTS RESERVED.
!!! WARNING !!!
Do not respond to Emails Instructing you to send your email password as this is a phishing attempt. Failure to log out will allow others to access your account. Closing the browser window does NOT log you out properly. To log out, please click one of the "Log out" icons in the browser window.
This is a phishing attack - do not follow the link and do not reply to the message.
The contents of the Background Record Phish attack
From: Background Check Alert [mailto:email@example.com]
To: (your name)
Subject: Your background records may have been viewed (i.yourname)@lancaster.ac.uk
Think your arrest records are posted online?
You can view your files or anyone else's you wish to run a background-check on by following the link below:
View Your Records Here: [link]
Do NOT follow the link. Delete and ignore.
There are a number of 'fake parcel delivery' messages appearing to come from companies like FedEx arriving in in-boxes on campus. Do not open the attached zip file - it contains a dangerous Trojan.
One machine infected.
The fake message looks like the message below. Variations on this theme may also be circulating.
Do NOT click on any of the links in the message.
From: [a 'ac.uk' address]
Subject: Email Security Upgrade
As part of our year 2013 Email Security Upgrade, Admin Helpdesk Support require you to immediately update your account information by following the reference link below to prevent your Email address not to be de-activated on our Email service database.
CLICK the secured link Below****
Failure to confirm and verify your email account on our database as instructed, Your e-mail account will be blocked in 24 hours.
Thank you for your cooperation.
(c)2013 Email System Admin.
Please access the attached hyperlink for an important
electronic communications disclaimer:
[a 'ac.uk' address]
Do NOT click on the links. Delete the message.
eBay Phishing Attack Sample
From: (a Lancaster Address)
To: (your address and other Lancaster addresses)
Subject: Failed Payment - eBay
You are receiving this notification from eBay payment processing center.
Your request for payment has been received, however we are not able to process it at this time.
Reason - false or incorrect information in the payment details.
Please check the data submitted during the payment.
The funds will remain in "frozen" status until all relevant information is corrected.
Once necessary information is corrected in the payment order, funds will be sent within 10 minutes.
(link) Please follow the link to correct/update your payment details
eBay Payment Processing Services.
Do NOT follow the link
Zero Day Exploit Found in Adobe Acrobat
There is an un-patched vulnerability in the Adobe Acrobat Reader (and writer) PDF system.
ISS advises users to be more cautious than usual when opening unsolicited PDFs in email and online.
External Advice From Sophos
Link to internet article http://nakedsecurity.sophos.com/2012/11/08/adobe-reader-zero-day-exploit-thwarts-sandboxing/
Friday 9th November 2012 - Mail delivery to AOL email addresses is now OK.
Restriction By AOL
Due to a 'Trojan' infected PC sending out Spam to AOL addresses, the University has been blocked by AOL and delays in outgoing mail to AOL are being experienced. Users will get an error message back if their email has not been delivered.
Spam Makes Money
Criminals get paid for relaying Spam to people's email accounts. They use diverse methods to get ordinary users to download 'Trojan' programs on to their PCs, which then send out Spam for the criminals.
Users are reminded to be careful about clicking on unknown links in emails and opening/downloading attachments in suspect emails.
Trojans can also be downloaded from websites that have become infected. If your computer unexpectedly displays a dialog box asking you to allow access to your computer, e.g. after a simple visit to a web page, refuse permission.
The 'Vodafone New Message - Phishing Attack' looks like this:
Subject: You have received a new message
Attachment: UK-vodafone_MMS.zip (28 KB)
You have received a picture message from mobile number +447436014069
To save this picture, please save attached file.
[grey footer box]
You can reply once to this message via MMS for free!
To send a reply containing pictures, audio or video, click here to visit our on-line composer.
Alternatively, you can send a text-only reply (limited to 500 characters), simply by
clicking your usual reply button. By replying to this message you agree to our terms and conditions.
Please see our Website Terms and Conditions at
http://www.vodafone.co.uk/termsandconditions for full details.
Only one reply is possible until 11/11/2011.
Do not click on any links in this message. Do not open the attachment.
Email messages purporting to come from Facebook with the subject: "Your friend added a new photo with you to the album" (or similar) are being received on campus. They look like this:
To: (your address)
Subject: Your friend added a new photo with you to the album
[blue background] Facebook
One of Your Friends added a new photo with you to the album.
You are receiving this email because you've been listed as a close friend.
[blue background] View photo with you in the attachment
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
Do NOT open the attachment - delete and ignore
The @lancaster phish attack looks like this:
From: Admin [mailto:Admin@neni.co.il]
Sent: 21 August 2012 08:43
Subject: Dear @lancaster.ac.uk Account Subscriber,
Dear @lancaster.ac.uk Account Subscriber,
Welcom to Webmail Account Center Upgrade And Maintenance . In order to continue using our services you are require to update and re-comfirmed your email account details as requested please Click here to complete this update you are require to fill the account form,you must reply to this email immediately and enter your account details as requested.
After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences.
Warning!!! Account owner that refuses to update his/her account after 2days of receiving this warning will lose his or her account permanently.
Thank you for your understanding
Warning Code: BRYN4F5G7NBX
Copyright (c)2012 Webmail Helpdest Support Center
Do NOT open the attachment. Do NOT reply.
Do not open the attachment. Delete and ignore.
Subject: Reservation Confirmation , Thu, 2 Aug 2012 19:04:55 +0800
Date: Thu, 2 Aug 2012 19:04:55 +0800 ---
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Monday, August 06, 2012
Departure: Wednesday, August 08, 2012
Number of rooms: 1
Customer Service Team
Your Reference ID is: 8630613
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation. -Booking.com guarantees the best hotel rates in both cities and regional destinations - ranging from small family hotels to luxury hotels.