Another phishing scam was directed at campus earlier today.  This message originated from a compromised account in Italy, and directed users to fill out a form hosted by an Internet provider located in Nigeria.  As always, please do not be fooled by such things.

UARK Private Message Phishing Scam

As we are nearing the end of the semester, the scam artists continue to harass the campus community with phishing scams.  The scam artists continue to forge uark.edu email addresses as a way to look more legitimate. The most recent (see below) claims that the recipient has received a private message from an old friend.

A new scam is making rounds around campus this afternoon.  Below is a copy of the newest scam.

UARK Collaborative Network Spam Email

Earlier today, April 23, 2012, a number of users around campus received an email message from a company known as weavemail.com touting a new service known as "UARK Collaborative Networks".  The University of Arkansas has not contracted with this business to the best of our knowledge.  As such, the message should be considered as spam. IT Security staff has sent a message to company asking them to cease and desist in spamming the campus community or from using the UARK or Razorbacks name as a part of their advertisements. 

An example of their message is shown below.

Mac Users Vulnerable to Flashback Virus

Several Mac computers on the University of Arkansas campus were affected by malicious software known as Flashback that has infected over 600,000 Macs worldwide. The IT Services Security Team strongly recommends that Mac OS X users immediately install the latest Apple security updates and the latest version of Symantec Antivirus software. Get information on updating Apple software and virus definitions at http://techarticles.uark.edu/169 and install the latest version of Symantec AntiVirus at http://its.uark.edu/antivirus.

The Flashback virus targets a vulnerability in Java software on Mac computers and is designed to steal personal information without the user noticing. In response to the virus outbreak, Apple released two updates, “Java for OS X 2012-13” and “Java for Mac OS X 10.6 Update 8.” More information about the updates is available at http://support.apple.com/kb/HT5244.

The IT Services Security Team continues to monitor this virus and will provide further information when available. Find up-to-the-minute IT Security updates at http://techarticles.uark.edu/security/newsandupdate_notifications/.  Report security concerns or ask questions by contacting security@uark.edu.

The most recent phishing scam to strike University of Arkansas users includes a link impersonating UA Mail. This scam is designed to trick you into entering your UARK password and is a malicious phisher’s attempt at identity theft. If you unintentionally provided your UARK login information, change your UARK password immediately at passweb.uark.edu.

When receiving unsolicited email appearing to be from a university department or office, verify its legitimacy by directly contacting the department or office. IT Services will NEVER request your password or other personal information over email. Always look for the secure “S” in “https” before logging into an unfamiliar web page. When in doubt, contact the Help Desk at 575-2905.

Spam and other abusive email should be reported to abuse@uark.edu with full header information. Learn more about reporting abuse athttp://techarticles.uark.edu/email/reportabusiveemailwithexpandedheaders/.

Learn more about identifying phishing and spam email at http://techarticles.uark.edu/security/securityphishingandspam/ or about writing verifiable emails at http://techarticles.uark.edu/security/verifiable_email/.

Below is a copy of the phishing scam email and the website which impersonated UA Mail:

The rash of very clever phishing scams has continued.  The scam artists have continued to modify their communications in an attempt to trip up email users and bypass our spam filters.  This particular message impersonates the email address of news@uark.edu and provides valid information for the IT Services HelpDesk.   However, IT Services will continue to remind users to never provide their UARK username and password to any website which is not hosted at the University of Arkansas.  Careful reading of the email will show that the website is not located at uark.edu but instead is located at docs.google.com. IT Services also recommends that all units, colleges and departments take some time to review the Tech Article located at http://techarticles/security/verifiable_email/ .  This article provides helpful hints for departments who need to send out formal communications which are verifiable and less likely to be seen as a phishing scam. We are including screen captures of the email message and the website below.  If you have any questions, please feel free to contact IT Security via email at security@uark.edu, or the IT Services HelpDesk at 479-575-2905.  (And yes! Please verify the authenticity of this email communication.)

Good afternoon everyone and Happy Leap Day!

A new phishing scam was directed at campus earlier this afternoon. The scam message (see below) asks users to click on a web site link to see important information. The URL located in the email message redirects to a Google Docs spreadsheet which claims to be connected to our old Xpressmail web email system. This web form (also below) asks the user to provide their UARK username and password.

Should a user fall victim to this scam and provide their password to this website, the scam artists would be able to access any systems such as ISIS, BlackBoard, Basis, or campus email systems. IT Services would like to remind users to be especially paranoid when it comes to their UARK username and password. Never provide this information to any website which does not end with uark.edu. Should you receive any email message asking you to supply this private information, please contact the originating department and validate that the message did send the message.

If you have any questions, please feel free to contact the IT Security staff via email at security@uark.edu or the IT Services Help Desk at 575-2905.

Earlier this morning, a new phishing scam was directed at a small set of the University of Arkansas population. This scam message marks a new and potentially more difficult to detect evolution of phishing scams.

The forged email message appears to originated from the University of Arkansas and uses a bogus email address of info2012@uark.edu. Unlike most phishing scams, this message does not have many tale-tell signs that this is a scam. The message however points the end user to an external website which contained University of Arkansas branding. This contact form requested the recipient's UARK username and password to retrieve the supposed important notice. While writing up this message, the hosting provider has already responded to report of abuse and shut down the contact form to prevent further abuse.

IT Security would like to remind the campus community to be especially vigilant when it comes to email messages you receive. Be suspicious of any email messages which claim to originated from the University which do not refer to you by your name and/or do not provide you any way to validate the source of the information. Also, do not provide your UARK username and password to any website which is not hosted at the University of Arkansas and ends with uark.edu.

If you have any questions about this, please feel free to contact IT Security via email at security@uark.edu or the IT Services Help Desk at 575-2905.

Newest Phishing Scam for February 14, 2012 -

Each and every day the University of Arkansas is under attack by scam artists who are trying to gain access to our network and computing resources. Despite the best efforts of IT Services staff, the occasional scam message will get through our first lines of defense. It is our hope that educating our faculty, staff and students about the threats will help bolster the final line of defense, that is the end user. To that end, IT Security staff is sending this notification about the newest scam message to make it through the spam filters.

The newest phishing scam originated from a compromised user account at another school, and encouraged users to fill out a form to request an email quota increase. We are including screen captures of both the email and the web form below.

I would like to remind our readers concerning some of the tale-tell signs that this email and web form are fraudulent.

• The email message did not originate from a University of Arkansas address.
• The email message did not refer to the recipient by name (and optionally include their University ID Number).
• The email message did not provide any contact information for the department involved in the communication and can be used for validating the message.
• The URL in the body of the message did not direct the user to a secured website located at the University of Arkansas. If legitimate, the URL would have started with https:// and contained uark.edu at the end.

As always, we ask that users be constantly vigilant with their UARK username and password. The University will never ask you to respond to an email message with your account password, or provide these to an insecure website located off campus. Should you see an email requesting that you provide private information, such as credit card numbers, account passwords or similar, it is most likely a phishing scam. End users are encouraged to forward suspected scam email messages with its full headers to abuse@uark.edu for validation and potential inclusion to the campus spam filtering system.

If you have any questions, please feel free to contact the IT Security staff at 575-2905, or via the email address of security@uark.edu.

The scam artists are at it again. This time they forged an email message claiming to be from info@uark.edu. Unfortunately, this newest variety made its way past our scam filters as well as the spam tagging system on campus. Changes have been made to limit the exposure of this scam. Any users who have provided their UARK username and password in response to the below email message should change their password as soon as possible.

---- Start of Scam Message ----- From: HELPDESK Date: Fri, 27 Jan 2012 15:06:44 -0500 To: Subject: HELPDESK!!!

Congratulation! You can now login to The UNIVERSITY OF ARKANSAS news forum and get the latest information and news/update. Please use the database link to login for more information about this service.

Sign. HELPDESK UNIVERSITY OF ARKANSAS 365 N. MCILROY AVE FAYETTEVILLE AR 72701-4002 © Copyright University of Arkansas.

------ End of Scam Message-------

As a reminder to the campus community, scam artists are constantly trying to gain access to UARK email accounts. Your UARK username and password are very valuable to would-be intruders. IT Security continues to urge users to protect your UARK username and password. DO NOT provide this information to any website which does not contain "https://" at the beginning of the URL and uark.edu at the end of the domain name.

The most recent scam message is listed below:

-------Start of Scam Message---- From: Report of the server system. [mailto:lugargon@usal.es] Sent: Monday, November 28, 2011 2:03 PM Subject: {SPAM?} Email Account User Alert

User accounts Warning

Your mailbox has exceeded one or more size limits set by the administrator.

Mailbox size is 78,944 KB. the limit of box size: 70000 KB

      This is a warning that your mailbox reaches 70000 KB.

It may not be able to send or receive new messages until reduce the size of your mailbox. To make more space available, you need to click and fill out the form below and submit in this regard to help increase the size of the mailbox.

http://buzurl.com/cm13

Fill out the link below and click

Report of the server system. -------End of Scam Message----

Earlier this morning, scam artists sent the below email message to our campus. The scam claims to originate from the abuse@uark.edu address and that users need to respond to the message to avoid termination of their account. As with the scam we reported to technical staff yesterday, we continue to urge users to protect their account credentials. Your UARK account ID and Password are very valuable to non affiliated users, so please be appropriately paranoid to any message asking you to supply this information via email or via a web form.

If you have replied to this message, please change your password as soon as possible via PASSweb (passweb.uark.edu).

-------Start of Scam Message----

Date: Tue, 01 Nov 2011 12:00:19 +0300 From: University of Arkansas Sopport Team Reply-To: chia.chang1@9.cn To: undisclosed-recipients: ;

Subject: {SPAM?} CLICK REPLY BEFORE FILLING DETAILS

Attention:

An Attempt has been made to login from a new computer. For the security of your account, we are poised to open a query. Kindly verify your login details by responding to this email and providing your Username/ID {************@uark.edu} Password {************} in the spaces.

Do not ignore this message to avoid termination of your webmail account.

::University of Arkansas::

This message was sent using IMP, the Internet Messaging Program.

-------End of Scam Message----

Good afternoon everyone,

Earlier this afternoon, a new phishing scam was directed at campus (see below). This scam has a subject line of "Attention!!! Confirm your Uark.edu Account" and purports that we are currently engaged in account maintenance. Campus users are asked to log in with their UARK account credentials (userid and password) or risk having their account suspended.

IT Services would like to remind users that your account ID and password are very valuable. Be careful with these account credentials and protect them as you would with your wallet or purse.

If you believe you have fallen victim to this scam, please go to PASSweb (passweb.uark.edu) immediately and change your password.

---- Start of SCAM MESSAGE------ From: uarktech@uark.edu [mailto:decg@ceva.net] Sent: Monday, October 31, 2011 3:31 PM Subject: Attention!!! Confirm your Uark.edu Account Dear subscriber,

We are currently engaged in account maintenance service.

As a subscriber, you are required to confirm your continued membership.

Failure to confirm your continued membership will lead to service suspension.

Click here to Login and confirm in one simple step.

This is to improve our service qualities. We apologize for the inconveniences.

Thanks,

The University of Arkansas ------End of SCAM MESSAGE ------

Another Day, Another Phishing Scam. In the past day, there has been a number of scam messages originating from a compromised user account at another University. A copy of this scam is included below. Continue to be vigilant when it comes to email communications.

-----Original Message----- From: Outlook Express [mailto:ymwshg@psu.edu] Sent: Monday, October 10, 2011 7:34 PM Subject: Re-configure your email information ! QVXDZQLYNN

Dear Outlook username ,

• Please reconfigure your Microsoft Outlook information again .
• Click on the link below to setup .

hxxp://webmail-microsoft.com.outlook.campusuniv.selfip.biz/outlook/index.php?id=NV8324

Microsoft Outlook 2011 .

========================================== Message Code

JROPDRHKCNLINEEPKLRHDWJTYTVXWLOXQSQSIR

Greetings everyone, Earlier today, IT Services started receiving notices from the campus community concerning a new scam being directed at our campus.

The message appears to be from Wells Fargo bank and takes a new approach to gain access to account IDs and passwords. In this particular scam, the unsuspecting user is encouraged to take a survey and in exchange will be given a statement credit on their bank account. Clicking on the link would take you to an impostor website where you are asked for private information including banking account number, log in ID and password.

Please do not be fooled by the scam. As always, please feel free to forward new scams or similar junk messages to abuse@uark.edu.

-----Original Message----- From: Wells Fargo [mailto:umoisq@psu.edu] Sent: Friday, October 07, 2011 12:05 PM To: support@tr21g10.aset.psu.edu Subject: *** $50 will be credited to you *** DWYEDYBXYS

Dear Valued Customer,

You have been chosen by the Wells Fargo Bank to take part in our quick and easy 4 questions survey. In return we will credit $50 to your account just for your time!

Helping us better understand how our customers feel benefits everyone. With the information collected we can decide to direct a number of changes to improve and expand our online service. It will be stored in our secure database for maximum of 5 business days while we process the results of this nationwide survey.

To Continue click on the link below:

hxxp://bankofamerica-online.student.uscampus.gotdns.org / wellsfargo.com/index.php?customer=EDU-9BN384392

WellsFargo Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

Encrypted Message QZMXCIKFTLKCHKGUXJTKBTBVGGOZUKQCZSGGXS

IT Services has received reports of new phishing email scams appearing to come from a person whose name is familiar to the community. These scam messages claim that the person is overseas, in trouble, and waiting for assistance from the local embassy or consulate. The message then asks the recipient for financial help.

In some cases, attackers have taken control of the alleged sender’s off-campus email account, such as Gmail or Hotmail. In other cases, the attacker has created an account that closely resembles a real account. For example, instead of john.doe@gmail.com, the attacker uses johnn.doe@gmail.com. Sample emails are shown at the bottom of this message.

Please be wary of any email that asks you to follow a link or send money–even those that appear to come from people you know. In general, follow these rules:

• Never click on links in email messages. • Never respond, even if the email looks real, to unsolicited messages, or provide personal or financial information requested in an email. • Report suspicious messages to abuse@uark.edu and delete them immediately. • If you think you have responded to a phishing email, change your account password immediately. If you use the same password for multiple accounts, change it for those services as well.

For additional questions, contact the IT Security Office at security@uark.edu or the Help Desk at 575-2905.

Example message 1:

From: Lynn F. Jacobs (lynnfjacobs@yahoo.com) Date: Mon, August 15, 2011 3:56:12 -0500 Subject: HI

Hope you get this on time, I made a trip to the UK(Scotland) and had my bag stolen from me with my passport and credit cards in it. The embassy is willing to help by letting me fly without my passport, I just have to pay for a ticket and settle Hotel bills. Unfortunately for me, I can’t have access to funds without my credit card, I’ve made contact with my bank but they need more time to come up with a new one. I was thinking of asking you to lend me some quick funds that I can give back as soon as I get in. I really need to be on the next available flight. I can forward you details on how you can get the funds to me. You can reach me via my alternative email lynfjacobs@yahoo.com or on May Marriott Aberdeen Hotel front desk phone, the numbers is +44702-409-8795.

Example message 2: From: Paula Barnes (drbarnes@BELLSOUTH.NET) Date: Mon, 15 Aug 2011 07:57:15 -0700 Subject: My trip to spain

Hope you get this on time,sorry I didn’t inform you about my trip in Spain for a program, I’m presently in Madrid and am having some difficulties here because i misplaced my wallet on my way to the hotel where my money and other valuable things were kept.I want you to assist me with a loan of ($2,400) to sort-out my hotel bills and to get myself back home. I have spoken to the embassy here but they are not responding to the matter effectively,I will appreciate whatever you can afford to assist me with,I’ll Refund the money back to you as soon as i return, let me know if you can be of any help. I don’t have a phone where i can be reached. Please let me know immediately. Regards, Paula

Good Morning everyone. The scam artists continue to try to fool users into providing their user credentials. Do not get tripped up by these messages which claim to be from the University Administration.

In today's scam, a compromised webmail user from a college in the UK was used to send out a message like the one below.

As you will see, our spam detection system tagged the message as spam (see the {SPAM?} in the subject line. Also, unlike legitimate messages from the University, this message does not contain appropriate departmental contact information to validate the message, or include a greeting that includes the formal name the University has on file. Last but not least, the form URL contains an address outside of the University and is not a secured form.

Things like this should tip you off that the notice is faked. Please remember to keep your user credential private. The University will never ask you to provide this information via email or an off-campus website. We will however send a reminder notice to change your password once a semester (or approximately 120 days) via PASSweb.

From: compromised-user@somecollege.ac.uk Sent: Friday, July 15, 2011 8:46 AM Subject: {SPAM?} University of Arkansas Admin Notice (Upgrade Your Email Limit Quota)

You have exceeded your uark.edu email limit quota of 450MB. You need to upgrade your email limit quota to 1.7GB within the next 48 hours. Use the below web link to upgrade your email account:

http :// www.formcompany.com /contact-form-edu01-190298.html

Thank you for using uark.edu email. Copyright ©2011 University of Arkansas Helpdesk Centre.

Wire Transfer Email Warning

In the last few days, university email accounts have received messages referring to wire fund transfers or similar subjects. These messages are spam and should be ignored. These messages also encourage the receiver to download a PDF file or access a website for further information. In either case, it is likely a virus or other form of malware.

IT Services recommends that users be cautious about files sent in email from an unknown source.

A new phishing scam is making its way though campus email today. Don't be fooled! Remember that we will NEVER ask for your password in anything that we do.

If you've fallen for the phishing scam, the best thing you can do is change your password immediately using our tool at passweb.uark.edu.

This morning, foreign computer systems compromised the email accounts of several University of Arkansas users. The accounts were used to send large amounts of spam. Over 800,000 spam messages were sent during this spam outbreak.

The accounts have been locked out and the spam outbreak stopped, but the University will feel the effects of this event for several days, if not all of next week.

Everyone stay alert for phishing scams.

We'll see more of these as we head into spring break. If you receive a phishing scam, let us know about it. Forward a copy to abuse@uark.edu and tell your friends (but not through email!)

If you're not sure, call our help desk at 479-575-2905.

We'll NEVER ask for your password.

NEWS: New Phishing Scam Spoofs System Administrator

The University of Arkansas has recently been targeted by a new phishing scam. Several users have reported getting a message with the subject line "MESSAGE FROM SYSTEM ADMINISTRATOR.” The e-mail requests “required details" to "upgrade your webmail account" and encourages users to click on a link. Those who have responded to this scam should go to passweb.uark.edu and reset their account passwords immediately.

The IT Services Security Team expects that more scams will appear as spring break approaches. It is important that users be aware of the warning signs in fraudulent e-mail. Beware of any e-mail addressed generally; for example, “Dear University of Arkansas webmail user.” IT Services will never send e-mail threatening to delete one’s account for any reason, unless the user is no longer affiliated with the university and the account must be purged. The Security Team also warns against e-mail that requests users click on a link within the e-mail or reply with password or other personal information.

Legitimate e-mail from IT Services includes contact information for the Help Desk so users can call to verify or report suspicious-looking messages. The Help Desk can be contacted at 575-2905 or helpdesk@uark.edu.