Recent Scams and Phishing Attempts

Please note: If you receive a phishing attempt or a scam which is not listed here, please forward it to the CCS Help Centre at 58888help@uoguelph.ca. When possible, include the full header (in Gryph Mail Right-click on the subject line of the message and choose: Show Original)

We advise you not to respond, not to click on any link, and under no circumstances should you give out your password.

Physics Webmail Alert

From: "Computer Support" <"support@"@physics.uoguelph.ca>
Sent: Monday, February 13, 2012 8:57:59 AM
Subject: Physics Webmail Alert

Attention: Faculty/Staff/Students,

This message is from the Departmental Computing Support at The University
of Guelph to all Faculty, Staff and Students of the Department of Physics
using the Department Webmail accounts.

We noticed that the Physics Department Webmail accounts have been
compromised by spammers. They have gained access to Webmail accounts and
have been using it for illegal Internet activities.

Technical Support is currently performing maintenance and upgrading its
database. We intend upgrading our Email Security Server for better on-line
services.

It is strongly recommended you send to this office your account information
immediately to enable Support reset your account. You will be sent a
new confirmation alphanumerical password.

Please provide the following information-

*Username:
*Password:
*Alternate email:

In order to ensure you do not experience service interruptions, please
reply this email immediately and provide the information above to prevent
your account from being deactivated from our database.

Thank you for using our on-line services.

Computer Systems & Network Administrator
========================================

Tax Refund

From: "Canada Revenue Agency" <dan.boyd@att.net>
Sent: Saturday, February 11, 2012 6:47:16 PM
Subject: Tax Refund

After the last annual calculation of your fiscal activity we determined that you are eligible to receive a tax refund of Seven Hundred and Fifty Six Dollars

Please submit the tax refund and allow us 3-9 days in order to process it.

download the attachment to view your online refund form.

NOTE: Never download attachments from people you do not know, and have not requested. This attachment likely contains and infected document with malware hidden inside the attachment. If in doubt, click the "preview" button in gryphmail, rather than opening it with Adobe.

Technical Web Notice

From: "MCCARTHY JACKIE" <MCCAJA@elkhorn.k12.wi.us>
To: employeeweb @ webmaster. org
Sent: Wednesday, February 8, 2012 7:00:26 AM
Subject: Technical web notice (HelpDesk).

FW:Technical web notice (HelpDesk).
Dear Email Users,
THIS MESSAGE IS FROM OUR TECHNICAL SUPPORT TEAM.
If you are receiving this message it means
that your email-address is due for deactivation;
this was as a result of a continuous error script (code:505)
received from this email-address. To resolve this problem
you must reset your email-address. In order to reset this
email-address, please kindly fill with valid information (username, email address and password) by clicking on the link below:

http:// webadmincenterquote. zxq. net/ upgrade/

Note: Providing a wrong information or ignoring
this message will resolve to the deactivation
of this Email Address. We apologize for any
inconvenience. Thank you for your cooperation.

Webmaster Desk (IT DEPARTMENT)
Information and Technology
-------------------------
Please do not reply to this message. Mail sent to this address cannot be answered.

From: "Zimbra Technology" <eurocopy@eurocopy.ge.it>
Sent: Tuesday, 7 February, 2012 6:59:18 PM
Subject: Newsletter

Zimbra Account Warning

This mail is from Zimbra Administrator; we wish to bring to your notice the Condition of your email account.

We have just noticed that you have exceeded your email Database limit of 500 MB quota and your email IP is causing conflict because it is been accessed in different server location. You need to Upgrade and expand your Info.com.ph webmail quota limit before you can continue to use your email.

Update your email quota limit to 2.6 GB, use the below web link:
http:// www . lngconsortium. com// login.htm
and login your full email address. Example joe @ yourdomain.com and password

Failure to do this will result to email deactivation within 24hours

Thank you for your understanding.
Copyright ©2012 Zimbra Help Desk Technical Support Centre.

Service

From: "ACCOUNT UPDATE" <alvaro.gomez@vtr.net>
Sent: Friday, February 3, 2012
Subject: SERVICE

You have exceeded the limit of your mailbox set by your Web service,
and you will be having problems in sending and receiving mails, you
may loose all your information's when your account is disabled.
To prevent this Click Here
http://kgko. com/ formz/u se/myguyigodeleteuoh/form1.html
to upgrade your web account so that your web account can be activated.

Note: This is similar to phishing attemps we see all the time, as usual, check the link and sender. Both are off campus - clearly fake!

E-mail Security

From: "Kaulawenakanoeohiiaka Rowe" <kaula.rowe@chaminade.edu>

Sent: Wednesday, February 1, 2012 10:31:28 AM
Subject: E-mail Security

You have exceeded the storage limit on your mailbox

You will not be able to send or receive new mail until you upgrade your email quota.

Click the below link and fill the form to upgrade your account.

hxxp:// www. admin- systemhelpdesk24hrs. tk/

Webmail Technical Support
192.168.0.1

The link goes to a simple form which will harvest your password. Do NOT click!

Your online account has been compromised

From: Canadian Imperial Bank of Commerce <cibcadvicecentre@malakao.es>

Subject: Your online account has been compromised

Date: 27 January, 2012 3:05:38 AM EST

Dear email address ,
We received a notice from our anti-fraud system informing us that multiple accounts from the CIBC - Online Banking database are suspicious for illegal transactions and fraud.

All the suspicious accounts (all accounts starting with 4506xxxxxxxxx) have been limited.

In order to address this issue, we must force all of our clients to confirm their identity and authenticity to avoid any issues and for the purpose of assuring a better usage of the online banking services.

To regain full access to your account, you need to confirm your personal details to ensure your security and authenticity are preserved.

Follow the link below:
https://www. cibc. com/ca/personal.html?limitation=clientid99485

This is an automated message. Please do not reply directly to this e-mail.

Although the link and mail appear to be offical, and the account number seems to be valid. This is a phishing attempt. Check the from address: It isfromcibcadvicecentre@malakao.es . Please be careful and report anything like this to IT Security.

Your Mailbox Is Almost Full

From: shoban@mah.harvard.edu
Sent: Thursday, January 26, 2012 8:14:39 AM
Subject: Your Mailbox Is Almost Full

Your Mailbox Is Almost Full "CLICK HERE" Update Your MailBox And Increase Your Account. Thanks System Administrator

The link in this email will take you to a Google Doc asking for your password, this should be suspisious and you should never enter your password into any strange sites.

University of Guelph Information Technology / Account User Quarantine Notification

From: "Information-Technology@uoguelph.ca" <mainxx1@gmail.com>
Sent: Monday, 23 January, 2012 10:07:14 AM
Subject: University of Guelph Information Technology / Account User Quarantine Notification

Attention:

To All University of Guelph Faculty, Staff, and Students

University of Guelph Account User Quarantine Notification:

University of Guelph Information Technology Service Desk writes to
inform you that a mail box user quarantine exercise is currently going
on. We are carrying out a New-Year (Inactive email-accounts / spam
protecting) clean-up process to enable service upgrade efficiency.
Please be informed that we will delete all mailbox accounts that do
not adhere to this notice immediately. You are to provide your email
account Details for Quarantine exercise and protection against spasm /
hackers
By clicking your reply button and reply to this email as follows (This
Will confirm your University of Guelph mailbox login/usage Frequency):

* University of Guelph Login id:
* University of Guelph Login Password:
* University of Guelph Account Creation Date:

All Information Technology Service Desk utilities will not change
during this period; this will not affect the operation of your mail
box systems or the manner in which you currently login to your
mailbox. Email access and usage will be disabled if you fail to
comply with the above.

--- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
©2012 Copyright University of Guelph
50 Stone Road East
Guelph, Ontario, Canada
N1G 2W1 |

The university will never ask for your password, and if you look closely the sending address is actually from mainxx1@gmail.com and not uoguelph.ca. Be wary, and never email your password to anyone.

EMAIL TERMINATION

You have exceed your email quota limit of 450MB and you are advice to Upgrade your email with the link below or it will be close down
http://www.ahs kc-ev ents.org/Fo rmGenerator /use/Upgrade12/form1.html
Thank you for using our web-mail

Error Code WA#984455N.

From: Valeta, Gail E [mailto:gvaleta@regis.edu]
Sent: Wednesday, January 18, 2012 12:08 PM
To: undisclosed-recipients:
Subject: Error Code WA#984455N.

Dear Subscriber,

This notification is from webmaster messaging center to all our mailhost account owners. As part of our annual new year upgrade, we are currently carrying out scheduled maintenance, upgrade of your email service and we are changing your mailhost server, as a result your original password will be reset. We are sorry for any inconvenience caused. To prevent your email account from being suspended/terminated, Click Here and submit the acocunt upgrade form.

NOTE: Failure to do this will immediately render your email account deactivated from the webmaster Database. You will be sent a password reset message in two (2) working days after undergoing this process for security reasons.
Thank you,
2012 Webmaster©. All Rights Reserved.
************************************************************
This E-mail is confidential and privileged. If you are not the intended Recipient please accept our apologies; Please do not Disclose, Copy or Distribute Information in this E-mail or take any action in Reliance on its contents: to do so is strictly prohibited and may be Unlawful. Thank you for your Co- operation. Copyright Webmaster© 2012. All Rights are reserved.

Note: This email came twice to the university, and there are clear signs that it is not legitimate. The sender is an off campus address, the link is a google dock, and it is completely generic. Any system upgrades would not result in your password being reset.

Your Account Maybe Inaccessible!

From: "Karen Hanson" <khanson@williamsbayschools.org>
Sent: Tuesday, January 17, 2012 10:14:46 AM
Subject: Your Account Maybe Inaccessible!

Dear User,
As part of our yearly update, we are migrating to a new server for better preformance and reliability. In Order To Increase Your Webmail Quota, You Must Validate Your Account By The Link Below And Updating Your Data:
http:// myacc. onlinewebshop .net/help/ index.html
Failure To Validate Your Webmail Quota May Result In Loss Of Important Information In Your Mailbox Or Cause Limited Access To It.
Webmail HelpDesk 2012©

PhishDear Subscriber

Date: January 14, 2012

Subject: Dear Subscriber

Dear Subscriber,

In the coming days, you should be aware.....Do not open any message with
an attachment called: Invitation FACEBOOK, regardless of who sent it.
It is a virus that opens an Olympic torch that burns the whole hard disc
C of your computer.
This virus will be received from someone you had in your address book.
It is better to receive this email 25 times than to receive the virus
and open it.

If you receive an email called: Invitation FACEBOOK, though sent by a
friend, do not open it and delete it immediately. It is the worst virus
announced by CNN. A new virus has been discovered recently that has been
classified by Microsoft as the most destructive virus ever.

It is a Trojan Horse that asks you to install an adobe flash plug-in.
Once you install it, it's all over. And there is no repair yet for this
kind of virus. This virus simply destroys the Zero Sector of the Hard
Disc, where the vital information of their function is saved.
FOR TOTAL PROTECTION FILL THE FORM BELLOW FOR UPDATE
USERNAME:
PASSWORD:
CONFIRM PASSWORD:
DATE OF BIRTH:
WEBMAIL LOGIN:

THANKS FOR THE UNDERSTAND

Note: Why would giving your email account details help to protect you from this virus? This does sound very dramatic, but it is just another way to try and get your username and password out of you.

PhishMail Quota Limit

Date: January 06, 2012

From: "System Administrator"

Subject: Mail Quota Limit

You have exceeded the storage limit on your mailbox.You will not be able
to send or receive new mail until you upgrade your email.

Click the below link and fill the form to upgrade your account.

http:// www. formchamp .com/ goform.php? id=28209

System Administrator

Small SCAM IconYour Pin Number

Date: January 09, 2012

Subject: Your Pin Number

From: United Nations Trust Fund

YOU HAVE WON ($650,500.00 USD )From United Nations here is your grant pin number (UNO-154/4456/011)send details Name, Address & Phone Number. Contact person Dr.James Young and Mrs. Susan Lee.Telephone No: 0060 103 770 896 Email: unitednation @ unitednation .cn .mn
Your Pin Number (UNO-154/4456/011)

PhishWarning.

Date:         November 27, 2011 8:06 AM
From:     "De-activation" <munashetm@gmail.com>
Subject:    Warning.

Dear uoguelph.ca customer,

Due to database maintenance equipment that is happening in our uoguelph.ca message center. Our message center must be reset due to the large number of spam messages we receive daily. The maintenance of quarantine will help us avoid this dilemma every day and with the new improved software will provides our users with a uoguelph.ca system and new security system from hackers to protect our users from getting their accounts being hacked.

To validate your mailbox, kindly visit our Uoguelph.Ca Accounts Validation Form and fill out the account validation form to validate your uoguelph.ca powered account:

WARNING! Account owner that refuses to update his/her account after five (5) days of receipt of the notification of this update, your account will be excluded permanently from our uoguelph.ca Database we will not be responsible for the loss of your account.

Thanks for your anticipated co-operation,
Webmaster

Note: This phishing attempt was sent from at least 5 different (likely compromised) gmail addresses:

munashetm@gmail.com, bobbyrocks.mahesh@gmail.com ,diniz.lobato@gmail.com , alyssa.mishra@gmail.com , lexycbs@gmail.com;

and the link led to a compromised Google Docs form. Never click on suspicious links!

Small SCAM IconYou have 1 unread Message !

Date:     November 23, 2011 12:09 PM
From:     "PayPal Online" <office@office.com>
Subject:    You have 1 unread Message !

Paypal Phishing Attempt

Note: The whole message is the graphic; clicking anywhere in it will send you to a malicious site.

Small SCAM Icon[1] Important Scotia Bank Message

From: scotia.bank.alert.online@dbzrpg.com.br

Sent: Friday, November 18, 2011

Subject:[1] Important Scotia Bank Message

You have 1 notification from Scotia Bank Administration Center

Your banking information was compromised.

Please follow the link to update your information:

https://www.scotiaonline.scotiabank.com/online/start.jsp?id=9865466

Thanks,

Scotia Bank - 2011

Note: The website this link takes you to, although looking convincing is fake. Check the URL in the top bar it is "http://bretracing.com/css/online/start.php" do not click on the link and follow it, if in doubt copy and paste the link and it will take you to the real page. We also received an idential scam fro RBC.

PhishAttention uoguelph.ca User

From: "Webmaster Customer Care" <info@uoguelph.ca>
Sent: Thursday, November 17, 2011 2:18:48 PM
Subject: Attention:uoguelph.ca user

Attention:uoguelph.ca user,

An Attempt has been made to login from a new computer. For the security
of your account, we are poised to open a query. Kindly verify your login
details by responding to this email and providing your Username/ID
{} Password {} Alternate Password {} in the spaces.

Do not ignore this message to avoid termination of your webmail account.

Webmaster Customer Care.

Note: This one appears to be coming from info@uoguelph.ca but this email is a phishing attempt. The university will never ask you to confirm your password over email.

PhishUpgrade Your Account.

From: mail.uoguelph.ca <noreply@uoguelph.ca>
To: Recipients <noreply@uoguelph.ca>
Sent: Tue Nov 01 04:25:34 2011
Subject: Upgrade Your Account.

This email is being sent to you because of violation security breach
that was detected by our servers. Our server detected that one of the
messages you received from a contact has already infected your webmail
with a dangerous virus.

You can no longer be allowed to send messages or files to other users to
prevent the spread of virus to other uoguelph.ca webmail users.

Please follow the link below to perform maintenance work needed to
improve the protection of the webmail for us to verify and have your
account cleared against this virus.

Failure to comply will lead to the termination of your Account in the
next 48 hours.

hxxp://www.123contactform.com/contact-form-mail.uoguelph.ca-237439.html

Hoping to serve you better.
Sincerely,
uoguelph.ca mail Support

*****************************************************************************************
This is an Administrative Message from uoguelph.ca Admin server, It is
not spam. From time to time, uoguelph.ca Admin server will send you
such messages in order to communicate important information about your
subscription.
*****************************************************************************************

Note: Never click on suspicious links! This one is a form submission page complete with the UofG brand:

For Older Scams to be aware of, please click here

IT Security