IT News

Please ignore the Blackboard "Information Posted" Phishing Scam

Fri, 24 May 2013 00:00:00 -0400

Email that appears to come from Blackboard Learn with a Subject of "Information Posted," is a phishing scam. The message says, "An important information has been posted for you online by your school," and contains a "click here now" link to "sign in immediately." This message is an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

Any email that asks you to to enter your UVM password on a non-UVM web site is a phishing scam. Do not click links in such messages and do not reply. Hover your cursor over links to see where they would take you; if it's not going to "http://www.uvm.edu/" or "http://uvm.edu/", don't click. UVM will never ask you to enter your UVM Net-ID and password on a non-UVM web page -- even if it looks like a UVM page, and even if it's on a reputable site, such as Google Docs, 123contactform.com or contactme.com, or if it contains UVM graphics and you've been directed there by an email that appears to come from a UVM email address.

And any email that asks you to to reply in order to complete a security process for your email account, or to reply with your UVM password, is a phishing scam.

What to do if you've clicked on the link

If you've followed the link in the message, or replied to this email or one like it, you should change your password immediately at www.uvm.edu/account. Contact the UVM Computing Helpline if you need assistance changing your password.

For more information about phishing scams, view our Web page on protecting your NetID and password.

If you are ever uncertain about the legitimacy of an email message concerning your uvm.edu account, please contact the Computing Help Line at 656-2604, or submit a help request online.

If you would like to report phishing, please forward the phishing email, as an attachment, to is-spam@labs.sophos.com and to abuse@uvm.edu. (To forward a message as an attachment using Thunderbird, go to the Message menu and select Forward As > Attachment.)

The Blackboard "Information Posted" Phishing Scam

The message below was most certainly not sent by UVM's President.

From: Blackboard Learn [mailto:learn@blackboard.com]
Sent: Thursday, May 23, 2013 9:48 AM
Subject: Information Posted

Dear Member,

An important information has been posted for you online by your school.

Please sign in immediately, click here now.

Thank you.

Blackboard Learn.

The "Hello" Phishing Scam

Fri, 10 May 2013 00:00:00 -0400

Email with a Subject of "Hello," saying your " incoming mails is on pending status due to our recent database" is a phishing scam. This message, like others that tell you to "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

And any email that asks you to to reply in order to complete a security process for your email account, or to reply with your UVM password, is a phishing scam.

What to do if you've clicked on the link

The "Hello" Phishing Scam

The message below was most certainly not sent by UVM's President.

Subject:   Hello
Date:   Thu, 9 May 2013 19:45:33 -0400 (EDT)
From:   THE UNIVERSITY OF VERMONT

Your two incoming mails is on pending status due to our recent database upgrade Click,
hxxp://theuniversityofvermont.webs.com/ to lo-gin for online account upgrade and await Helpdesk for response,we
apologies for any inconvenience and appreciate your understanding.

Sign
Tom Sullivan
The University of Vermont
Burlington VT 05405
Telephone:802 656-3131
© 2013 THE UNIVERSITY OF VERMONT

Backup Tapes To Be Kept for 25 Months

Fri, 10 May 2013 00:00:00 -0400

For many years, Enterprise Technology Services (ETS) has stored backup tapes for most of our main IT systems for a full 7 years after creating them. We are planning to change this practice and reduce the time tapes are kept to 25 months.

This change only affects backup tapes; it does not affect online email, files, folders, or the online content of information systems such as Banner and PeopleSoft.

After discussing our current 7-year retention practice with our auditors and compliance officer, it is clear that backups should be used for business continuity, not retention. Data retention should be accomplished in the system of record (i.e. within Peoplesoft, Banner, etc...) or via some other documented method.

In addition to inadvertently retaining information much longer than required for individual business areas, the 7-year backup retention is very expensive in both tape costs and secured storage vaults. Keeping backups for 7 years requires us to store thousands of tapes in a highly secure and environmentally controlled environment. For the University to manage these costs, we need to reduce the length of time we keep these backups. We are running out of space to store tapes and would need a sizable investment to increase the storage capacity. It also requires us to keep old tape drives, servers, and software available so we can recover the old tapes.

This message is to make sure you understand that the backups are performed for business continuity, not archival or retention, purposes and that you should have archival and retention procedures that match the requirements of your particular business area -- something we can't do with a single practice for all our enterprise systems.

If you feel this change in procedure will affect your ability to meet UVM's retention requirements, please let us know as soon as possible by emailing ets@uvm.edu.

If we don't hear of any significant problems with this change, ETS will proceed with reducing our retention to 25 months starting shortly after June 10, 2013.

Phishing Alert: "Webs 3.0 Support Center"

Thu, 09 May 2013 00:00:00 -0400

Did you receive an email with a Subject of "Webs 3.0 Support Center"? This message, like others that tell you to "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

And any email that asks you to to reply in order to complete a security process for your email account, or to reply with your UVM password, is a phishing scam.

What to do if you've clicked on the link

The "Webs 3.0 Support Center" Phishing Scam

From: "Sigunick, Judith M"
Subject: Webs 3.0 Support Center
Date: May 9, 2013 4:19:42 AM EDT
To: "undisclosed-recipients:"

Webs 3.0 Support Center
Hello, We received a notice at your email address. Please you are to re-validate your WEB-MAIL, and we need to verify you own this email address. we need you to fill in the informations by Clicking the following: CLICK HERE

Webs 3.0 Support Center

"Your mailbox " Phishing Scam

Tue, 07 May 2013 00:00:00 -0400

Did you receive an email with a Subject of "Your mailbox "? This message, like others that tell you to "activate," "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

UVM will never ask you to enter your UVM Net-ID and password on a non-UVM web page -- even if it looks like a UVM page, and even if it's on a reputable site, such as Google Docs, 123contactform.com or contactme.com, or if it contains UVM graphics and you've been directed there by an email that appears to come from a UVM email address.

And any email that asks you to to reply in order to complete a security process for your email account, or to reply with your UVM password, is a phishing scam. Email security updates are applied by UVM system administrators, with no action required on your part.

What to do if you've clicked on the link

The "Your mailbox " Phishing Scam

From: Thomas Jovanovski
Subject: Your mailbox
Date: May 7, 2013 7:45:06 AM EDT
To: Undisclosed recipients:;

Your mailbox has exceeded limit please Click Here to validate your e-mail.

Thanks System Administrator

"50MB Storage" Email is a Phishing Scam

Mon, 06 May 2013 00:00:00 -0400

An email with a Subject of "50MB Storage", like others that tell you to "upgrade," "activate," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "50MB Storage" Phishing Scam

Subject:   50MB Storage
Date:   Fri, 3 May 2013 08:23:38 -0600 (MDT)
From:   University of Vermont
To:   undisclosed-recipients:;

Your email has reached its maximum quota of 50MB storage, you might not
receive further emails. Visit the URL below or copy and paste into your
browser login and follow the instruction to up-grade for more storage
space.

hxxp://www.johnsnursery.ca/forms/use/uvm/form1.html

Ensure to click log out if using a public computer.

University of Vermont

"Incident INC000090173: ITS- Service Information" Phishing Scam

Thu, 02 May 2013 00:00:00 -0400

Did you receive an email with a Subject of "Incident INC000090173: ITS- Service Information"? This message is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Incident INC000090173: ITS- Service Information" Phishing Scam

Subject:   Incident INC000090173: ITS- Service Information
Date:   Thu, 2 May 2013 12:29:05 -0500
From:   Griffiths, Edley
Reply-To:
To:   Undisclosed recipients:;

IMPORTANT: We discovered series of illegal attempts on your mail account from different IP locations. This is for your own safety and to avoid your account from been closed.

If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by clicking the link below. If you are unable to click the link copy and paste it on your browser.

hxxp://casauthbeta-confirmactivate.atwebpages.com/login.php

This is an automated message. Please do not reply to this email.

Thanks,
Customer Support

"Importantant message from webmaster" and "Activate Your Account!!" Phishing Scam

Thu, 02 May 2013 00:00:00 -0400

Did you receive an email with a Subject of "Importantant message from webmaster" or "Activate Your Account!!"? This message, like others that tell you to "activate," "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Importantant message from webmaster" and "Activate Your Account!!" Phishing Scam

This message is an all-in-one phishing scam, containing at least four bogus reasons (TOS violation, suspicious activity, verifying all account(s), efficiency, a database upgrade) to click on the link. And 48 hours becomes "immediately" within the span of two paragraphs. The Subject line varies.

UVM will never send you email directing you to a non-UVM web page for any account-related function.

Subject:   Importantant message from webmaster
Date:   Wed, 1 May 2013 15:57:46 -0400
From:   Benson Michelle MBenson3 @ schools.nyc.gov

Your email account will be DISABLE within 48-hours(reason: violation of
terms of Service) We are sorry, but your account will temporarily disabled
due to suspicious activity, We are currently verifying all account in order to
increase the Efficiency of our service features. Upgrade taking place at
our data base,If you feel we have done so by mistake, kindly click the
link below to confirm your account.

hxxp://webhelpdesk1.webs.com/

Failure to do this will immediately render your Web-email address
deactivated from our database.

Thanks.

Phish: University of Vermont,Information Technology Services.

Tue, 30 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "University of Vermont,Information Technology Services."? This message, like others that tell you to "activate," "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "University of Vermont,Information Technology Services." Phishing Scam

This message appears to come from a uvm.edu address, but that is a forgery. Hovering your cursor over the link shows that it would take you to a non-UVM web site, at 123contactform.com/. The message also contains a stolen UVM graphic (not shown below).

From: University of Vermont
Subject: University of Vermont,Information Technology Services.
Date: April 29, 2013 6:28:19 PM EDT
To: TO
Reply-To: noreply@uvm.edu

This email is being sent to you because of violation security breach
that was detected by our servers. Our server detected that one of the
messages you received from a contact has already infected your
web-mail with a dangerous virus.

You can no longer be allowed to send messages or files to other
users to prevent the spread of virus to other @uvm.edu web-mail
users. Please follow the link below to perform maintenance work needed
to improve the protection of the web-mail for us to verify and have your
account cleared against this virus.

CLICK HERE

WARNING!!! E-MAIL OWNERS who refuses to upgrade his or her
account within 48hrs after notification of this update will permanently
be deleted from our data base and can also lead to malfunctioning of
the client or user's account and we will not be responsible for loosing
your account.

.

"Notice!" Phishing Scam

Fri, 26 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Notice!"? This message, like others that tell you to "activate," "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Notice!" Phishing Scam

The link in this message appears to go to a uvm.edu address, uvm.edu/activate, but hovering your cursor over the link shows that it really would take you to a non-UVM web site, penicandrarini.com/tech-port/.

Date: Fri, 26 Apr 2013 10:03:02 +0200 (CEST)
From: The University of Vermont
Reply-To: The University of Vermont
Subject: Notice!

Dear User,  

NOTICE: Email Account Disabled for Verification  

Due to our automatic maintenance, this email account has been suspended and requires activation by user.  

Activate now by logging on : uvm.edu/activate  

Thank you.  

The University of Vermont Team

"Attn:Dear Valued Suscriber" Phish Swims Again

Thu, 25 Apr 2013 00:00:00 -0400

If you've received email with the subject, "Attn:Dear Valued Suscriber," "Dear Valued UVM.EDU Suscriber," or "Dear Valued Subscriber," please delete it. It is a scam. Do not click on the link in the message.

What to do if you've clicked on the link

If you would like to report phishing, please forward the phishing email, as an attachment, to. (To forward a message as an attachment using Thunderbird, go to the Message menu and select Forward As > Attachment.)

Here are three samples showing variations of the Dear Valued Subscriber scam:

From: "Maricela Lovera Sanchez"
Subject: Attn:Dear Valued Suscriber,
Date: April 24, 2013 7:39:26 PM EDT

Your E-mail Account needs to be updated with our F-Secure R-HTK4S new version anti-spam/anti-virus/anti-spyware. Please click this link below: hxxp://infomailaccount777.webs.com/

We Are Sorry For Any Inconvenience.

Regards,
WEBMAIL ADMINISTRATOR
Copyright 2013
All rights reserved.ABN 31 088 377 860 All Rights Reserved

--------------------------------------------------

From: "Maricela Lovera Sanchez"
Subject: Dear Valued Suscriber,
Date: March 25, 2013 8:15:00 PM EDT

Your E-mail Account needs to be updated with our F-Secure R-HTK4S new version anti-spam/anti-virus/anti-spyware. Please click this link below: hxxp://customercareaccountinfo.webs.com/

We Are Sorry For Any Inconvenience.

Regards,
WEBMAIL ADMINISTRATOR
Copyright 2013
All rights reserved.ABN 31 088 377 860 All Rights Reserved

--------------------------------------------------------------------------------

Subject:   Dear Valued UVM.EDU Suscriber,
Date:   Wed, 27 Mar 2013 03:27:24 -0400
From:   UVM.EDU Customer Care
Reply-To:   upgradeaccount2012@live.com

--
Your E-mail Account needs to be updated with our F-Secure R-HTK4S new
version anti-spam/anti-virus/anti-spyware. Please click

this link below:hxxp://customercareaccountinfo.webs.com/

We Are Sorry For Any Inconvenience.

Regards,
WEBMAIL ADMINISTRATOR
Copyright 2013
All rights reserved.ABN 31 088 377 860 All Rights Reserved

"Announcement" Email Scam

Mon, 22 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Announcement"? This message, like others that tell you to "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

And any email that asks you to to reply in order to complete a security process for your email account, or to reply with your UVM password, is a phishing scam.

What to do if you've clicked on the link

The "Announcement" Phishing Scam

From: The University of Vermont
Subject: Announcement
Date: April 22, 2013 7:20:24 AM EDT
To: "Kapoole, Myron"
Reply-To: The University of Vermont

Dear subscriber,

We are currently performing database maintenance and upgrade on our webmail log for a better performance. We are very concerned about stopping the proliferation of spam. We have implemented Sender Address Verification (SAV) to
ensure that you do not receive unwanted emails and to give you the assurance that your messages to message center have no chance of being filtered into bulk email folder.

Also a DGTFX virus has been detected in your folders. Your email account has to be upgraded to our new and Secured DGTFX anti-virus 2013 version to prevent damages to our webmail log and your important files.

To help us confirm and protect your account, fill the columns below and send back to us to validate your email account or your email account will closed to avoid the spread of the virus.

Account Username:
Account Password:

We assure you of more quality services at the end of this maintenance. Note that your password will be encrypted with 1024-bit RSA keys for your password safety.

Regards

Webmail Development Team
File number: cw/8941/624

Phishing Scam: "Your e-mail will expire soon!"

Thu, 18 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Your e-mail will expire soon!"? This message, like others that tell you to "upgrade," "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Your e-mail will expire soon!" Phishing Scam

The "[SPAM?:##]" notation in this message's Subject line shows that UVM's spam filtering software, Pure Message, has analyzed the message and determined with a fair level of confidence that it is spam or a scam of some sort. You can keep messages like that out of your Inbox by going to the UVM Net-ID account management page, www.uvm.edu/account, and clicking on "Spam and virus settings." Choose a threshold of 50.

From: University of Vermont [mailto:services@uvm.edu]
Sent: Wednesday, April 17, 2013 2:47 PM
Subject: [SPAM?:##] Your e-mail will expire soon!

Dear User,

Your e-mail will expire soon.

To avoid any interruption please click the link below and upgrade your e-mail

Click Here to Upgrade

The University of Vermont

"Update" Phishing Email

Tue, 16 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Update", concerning "an automatic security update and verification exercise"? This message, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Update" Phishing Scam

From: Roy Shobert
Date: April 16, 2013 6:29:40 AM EDT
Subject: Update

There has been an automatic security update and verification exercise on your email address.
To complete this update and verification, you are to visit here. Please note that you have within 24 hours to complete it in order to avoid loss of data.

Be Careful Seeking News of the Waco Explosion andBoston Marathon Bombings

Mon, 15 Apr 2013 00:00:00 -0400

When tragedy strikes, so do scammers and other malicious actors. While searching for news and when looking for ways to help, please keep these cautions in mind.

Expect to receive email soliciting donations to aid the victims, or perhaps first responders. Even if you're familiar with the charity, don't contribute by clicking on links in emails; go directly to the charity's web site.
Avoid text-message scams in which texting to a certain number contributes to a charity. Again, go to the charity's web site to confirm the campaign.
When searching for news, go directly to sites such as www.nytimes.com, or use familiar, reputable search sites like news.google.com. Even reputable search services can offer links to malicious web sites, so as you consider your search results, click only on familiar sites.
Don't click links in email messages that claim to offer news, photos, or video (see the example below).

If you do receive scam emails, you can protect others by forwarding the messages, as attachments if possible, to is-spam@labs.sophos.com.

Here is an example of a scam received April 17:

From: "Donald Ames"
Subject: Video of Explosion at the Boston Marathon 2013
Date: April 17, 2013 5:05:31 AM EDT
To:

hxxp://78.90.133.133/boston.html

Update, April 17: A scam email campaign is using a variety of email Subject lines, including the following:

o    “2 Explosions at Boston Marathon”
o    “Aftermath to explosion at Boston Marathon”
o    “Boston Explosion Caught on Video"
o    "BREAKING - Boston Marathon Explosion"
o    "Video of Explosion at the Boston Marathon 2013"
o    "Runner captures. Marathon Explosion"
o     2 Explosions at Boston Marathon
o    Aftermath to explosion at Boston Marathon
o    Arbitron. Dial Global. Boston Bombings
o    Boston Explosion Caught on Video
o    BREAKING - Boston Marathon Explosion
o    Explosion at Boston Marathon
o    Explosion at the Boston Marathon
o    Explosions at Boston Marathon
o    Explosions at the Boston Marathon
o    Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
o    Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
o    Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
o    Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
o    Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com

If you receive email with one of these Subject lines, or similar, do not click on any links contained in the message. Clicking on the links in these messages infects your computer with malicious software by exploiting a Java vulnerability.

Update, April 19: A similar spam campaign is expoiting the Waco, TX fertilizer plant explosion.

Phish: "Mailbox Capacity Exceeded"

Thu, 11 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Mailbox Capacity Exceeded"? This message, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The "Mailbox Capacity Exceeded" Phishing Scam

From:   Ortego, Terri
Date:   Thu, 11 Apr 2013 10:50:21 -0400
Subject:   Mailbox Capacity Exceeded

To:   undisclosed-recipients:;

Your mailbox has exceeded its allowable storage space.

To improve storage capacity for better functionality of your e-mailbox, you are required to click or copy and paste the below link in a web page, then follow the instruction therein. Click below to enhance mailbox capacity
hxxp://casauthenificationcenterconfirmsbeta.medianewsonline.com/login.php

Thanks for your co-operation!
Administrator Help Desk
Warning Code :ID67565434

"Webs 3.0 Support Center" Phishing Email

Wed, 10 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Webs 3.0 Support Center"? This message, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The "Webs 3.0 Support Center" Phishing Scam

Subject:   Webs 3.0 Support Center
Date:   Wed, 10 Apr 2013 09:01:53 -0400
From:   Gabrielle Diaz
To:   undisclosed-recipients:;

Webs 3.0 Support Center
Hello, We received a notice at your email address. Please you are to re-validate your WEB-MAIL, and we need to verify you own this email address. we need you to fill in the informations by clicking the following: CLICK HERE

Webs 3.0 Support Center

"UPDATE YOUR WEBMAIL ACCOUNT‏‏" and "Dear e-mail account holder" Phishing Scams

Mon, 08 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "UPDATE YOUR WEBMAIL ACCOUNT‏‏" or with no Subject and a message beginning with "Dear e-mail account holder"? Each of these messages, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "UPDATE YOUR WEBMAIL ACCOUNT" Phishing Scam

From: University of Vermont system administrator [mailto:support.admin@libero.it]
Sent: Monday, April 08, 2013 3:43 AM
Subject: UPDATE YOUR WEBMAIL ACCOUNT

Your mailbox has exceeded the limit of 20 GB, which is set by your manager You are currently 20.9GB, you will not be able to create new e-mail to send or receive again until you re-validate your mailbox.To validate your mailbox, you can click University of Vermont/update

Thank you,University of Vermont system administrator

The "Dear e-mail account holder‏‏" Phishing Scam

Date: Sat, 6 Apr 2013 12:12:41 -0600
From: test1
Reply-To: webmaster.master@hotmail.com

Dear e-mail account holder. Your Account will undergo regularly
scheduled maintenance. Access to your mailbox via our mail portal will
be unavailable for some period of time during this maintenance period.We shall
be carrying out service maintenance on our database and e-mail account
center for better online services. We are deleting all unused e-mail
accounts to create more space for new accounts.In order to ensure your email
account is inactive, do click or copy and paste the link below on your browser
to verify the status of your email account

hxxp://webmailsverification.webs.com/

Web-mail Security Team
Copyright ©web-mail security team 2013. All rights reserved
Server Control Room

Update FireFox and Thunderbird Now: Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

Thu, 04 Apr 2013 00:00:00 -0400

MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:
2013-035

DATE(S) ISSUED:
4/3/2013

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

OVERVIEW:
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey applications, which could allow for remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:
·      Firefox versions prior to 20.0
·      Firefox Extended Support Release (ESR) versions prior to 17.0.5
·      Thunderbird versions prior to 17.0.5
·      Thunderbird Extended Support Release (ESR) versions prior to 17.0.5
·      SeaMonkey versions prior to 2.17

RISK:
Government:
·      Large and medium government entities: High
·      Small government entities: High
Businesses:
·      Large and medium business entities: High
·      Small business entities: High
Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in Mozilla Firefox, Thunderbird, and SeaMonkey. The details of these vulnerabilities are as follows:
·      Miscellaneous memory safety hazards (MFSA 2013-30) (CVE-2013-0788) (CVE-2013-0789) (CVE-2013-0790): Multiple memory-corruption vulnerabilities exist in the browser engine that could lead to arbitrary code execution.
·      Out-of-bounds write in Cairo library (MFSA 2013-31) (CVE-2013-0800): This issue is caused when performing an out-of-bounds write in Cairo graphics library, and could cause a potential exploitable crash.
·      Privilege escalation through Mozilla Maintenance Service (MFSA 2013-32) (CVE-2013-0799): A privilege-escalation vulnerability requiring local system access exists as a result of an error that occurs when using Mozilla Maintenance Service.
·      World read and write access to app_tmp directory on Android (MFSA 2013-33) (CVE-2013-0798): The app-tmp directory for Firefox on Android is readable and writable, giving third parties the ability to alter and/or replace Firefox add-ons that are being stored temporarily in the app_tmp directory before installation.
·      Privilege escalation through Mozilla Updater (MFSA 2013-34) (CVE-2013-0797): An error exists where the Mozilla Updater can be made to load a malicious local DLL file, resulting in privileged escalation procedure to occur. In order for this vulnerability to be exploited the malicious DLL must be placed in a specific location locally on a host prior to Mozilla Updater being run. Local file system access is necessary in order for this issue to be exploitable.
·      WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35) (CVE-2013-0796): A denial-of-service condition exists resulting in a possible exploitable condition. This issue occurs when the 'WebGL' library crashes and primarily affects the Linux users using a Mesa graphics driver.
·      Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36) (CVE-2013-0795): A security-bypass vulnerability affecting the System Only Wrappers (SOW) exists which if exploited could allow an attacker to clone a protected node, and possibly result in a privilege escalation condition and the execution of arbitrary code.
·      Bypass of tab-modal dialog origin disclosure (MFSA 2013-37) (CVE-2013-0794): A method for removing the origin indication on tab-modal dialog boxes in combination with browser navigation exists. This could allow for attackers to overlay a page to show another sites content, and could possibly be used in phishing campaigns.
·      Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38) (CVE-2013-0793): A cross-site scripting vulnerability exists and can be exploited when an attacker uses timed history navigations to load an arbitrary website with that page's baseURI property pointing to another site instead of the seemingly loaded one.
·      Memory corruption while rendering grayscale PNG images (MFSA 2013-39) (CVE-2013-0792): A memory-corruption vulnerability exist that affects specially crafted grayscale PNG images. This issue occurs if the gfx.color_management.enablev4 preference is enabled in the about:config – by default, this preference is not enabled.
·      Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40) (CVE-2013-0791): An out-of-bounds read issue exists affecting the 'CERT_DecodeCertPackage' function of the Network Security Services (NSS) library, and if exploited could result in a memory corruption and a non-exploitable crash.

Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:
·      Upgrade vulnerable Mozilla products immediately after appropriate testing.
·      Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
·      Do not open email attachments or click on URLs from unknown or untrusted sources.
·      Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

REFERENCES:
Mozilla:
http://www.mozilla.org/security/announce/
http://www.mozilla.org/security/announce/2013/mfsa2013-30.html
http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
http://www.mozilla.org/security/announce/2013/mfsa2013-32.html
http://www.mozilla.org/security/announce/2013/mfsa2013-33.html
http://www.mozilla.org/security/announce/2013/mfsa2013-34.html
http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
http://www.mozilla.org/security/announce/2013/mfsa2013-36.html
http://www.mozilla.org/security/announce/2013/mfsa2013-37.html
http://www.mozilla.org/security/announce/2013/mfsa2013-38.html
http://www.mozilla.org/security/announce/2013/mfsa2013-39.html
http://www.mozilla.org/security/announce/2013/mfsa2013-40.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0789
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0790
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0794
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0797
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0798
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0799
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800

SecurityFocus:
http://www.securityfocus.com/bid/58818

Multi-State Information Sharing and Analysis Center
Center for Internet Security
31 Tech Valley Drive
East Greenbush, NY 12061
7x24 SOC: 1-866-787-4722 or (518) 266-3488
Email: soc@msisac.org

TLP:WHITE
Traffic Light Protocol (TLP): WHITE information may be distributed without restriction, subject to copyright controls.
http://www.us-cert.gov/tlp/

Don't catch these phish: "Automatic security update‏‏" and "Verify your email address"

Mon, 01 Apr 2013 00:00:00 -0400

Did you receive an email with a Subject of "Automatic security update‏‏" or "Verify your email address"? Each of these messages, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message, and don't reply to it; simply delete the email.

What to do if you've clicked on the link

The "Verify your email address" Phishing Scam

From: "Admin"
Date: March 29, 2013, 9:58:27 PM EDT
To: userlist@emaildistribution.com
Subject: Verify your email address
Reply-To: upgrade.services2@hawaiiantel.net

Important Updates to your Email Security

Date: 3/29/2013

We regret to announce that we would be making some scheduled vital maintenance
and significant upgrades to the Webmail system. During this process, you might
experience some login problems while accessing your account. A much needed
Security Update and maintenance is to be carried out shortly. All Users are
hereby, required to participate in our simple maintenance process and security
test.

Email Termination or Cancellation of Service:

Webmail Users are advised to participate in this process. Failure to do this
is a violation of our Security Terms and would prompt the Termination or
Cancellation of Service of such User account and User Email address. Please,
ensure your email participates in this update process.

What To Do?

To carry out this maintenance and participate in this process, simply hit the
reply button to “Reply” to this email message. Just replying to this message
alone would ensure your account is kept active during and after the Security
Update process. Reply now to avoid account termination and service suspension.

NOTE: Reply back to this email for further guide towards completing this
process.

Sincerely,

IT & Email Administration Team
Copyright © 2013. All rights reserved.

The "Automatic security update‏‏" Phishing Scam

From: Nilsson Pietro, RÖRNCST [mailto:pietro.nilsson@infranord.se]
Sent: Saturday, March 30, 2013 4:30 AM
To: undisclosed-recipients:
Subject: Automatic security update‏‏

There've been an automatic security update on your Email Account.Click here to login and complete update
Please note that you have withing 24 hours to complete this update. because you might lose access to your Email account.

"Web-mail Box Security Alert" is a Phishing Scam

Fri, 29 Mar 2013 00:00:00 -0400

Did you receive an email with a Subject of "Web-mail Box Security Alert"? This message, like others that tell you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The "Web-mail Box Security Alert" Phishing Scam

From: E-helpdesk@uvm.edu [E-helpdesk@uvm.edu]
Sent: Friday, March 29, 2013 10:42 AM
Subject: Web-mail Box Security Alert

Dear E-mail User,

This is to notify you that an unauthorized IP address 907.274.12.17 has been detected by your webmail box admin security service accessing your E-mail account. You are requested to verify and secure your E-mail account manually for our new online security service by login into your E-mail account with the link below. You need to verify your E-mail account with your E-mail login ID and Password to secure your E-mail account:

xxtp://agcforms.com/form/30871346962

Regards,
E-mail Admin Service
-------------------------

"Dear Valued UVM.EDU Subscriber" Email Scam

Tue, 26 Mar 2013 00:00:00 -0400

If you've received email with the subject, "Dear Valued UVM.EDU Suscriber" or "Dear Valued Subscriber," please delete it. It is a scam. Do not click on the link in the message.

What to do if you've clicked on the link

Here are two samples showing variations of the Dear Valued Subscriber scam:

"Webmail Account Warning" Email Scam

Wed, 06 Mar 2013 00:00:00 -0500

Did you receive an email with a Subject of "Webmail Account Warning"? This message, like others that warn you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The "Webmail Account Warning" Phishing Scam

Subject:   Webmail Account Warning
Date:   Wed, 6 Mar 2013 14:30:44 +0000
From:   Layla Sacker

Webmail Account Warning

This mail is from Webmail Service; we wish to bring to your notice the
Condition of your email account.We have just noticed that you have exceeded your
email Database limit of 500 MB quota and your email IP is causing conflict because it
is been accessed in different server location. You need to Upgrade and expand your
email quota limit before you can continue to use your email.

Update your email quota limit to 2.6 GB, use the below web link:

========>   hxxp://webmasterrr.webs.com/

Failure to do this will result to email deactivation within 72 hours

Thank you for your understanding.

Copyright 2013

Technical Upgrading

Phishing Scams: "Warning!" and "Final Warning!"

Tue, 26 Feb 2013 00:00:00 -0500

Did you receive an email with a Subject of "Warning!" or "Final Warning!"? This message, like others that warn you to "verify," "validate," or "re-validate" your mailbox or your email account, or increase your quota, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The "Warning!" and "Final Warning!" Phishing Scams

Here is the phishing message some of us received recently. The Subject line may vary.

Subject:   Final Warning!
Date:   Tue, 26 Feb 2013 20:46:50 +0100 (CET)
From:   University Of Vermont
Reply-To:   University Of Vermont

You Are Currently Running On Low GB Due To Hidden Files
And Folder On Your Mailbox,Please Click Here

hxxp://to.ly/jD51

To create more space on Your Mailbox And Increase Your Quota.
Thanks For Co-operating with Us
©2013 University Of Vermont.

Scam Alert: "Email Action Required!(VERIFY)" and "Verify Your e-mail Immediately"

Fri, 22 Feb 2013 00:00:00 -0500

Did you receive an email with a Subject of "Email Action Required!(VERIFY)" or "Verify Your e-mail Immediately"? This message, like others that warn you to "verify," "validate," or "re-validate" your mailbox or your email account, is a phishing scam -- an attempt to steal your UVM credentials (your Net-ID and password). Please do not click on the link in the message; simply delete the email.

What to do if you've clicked on the link

The " Verify Your e-mail Immediately" and "Email Action Required!(VERIFY)" Phishing Scams

Here is the phishing message some of us received recently. The Subject line may vary, and in later versions, "UVM" is spelled correctly.

Subject:   Verify Your e-mail Immediately
Date:   Fri, 22 Feb 2013 06:33:17 -0500
From:   Lim, Noel

Verify Your e-mail Immediately

Due to excess abandoned VUM Email Accounts, we have decided to run a database clean-up and refresh all Email accounts. To prove the existence and functionality of your Email, please click on the link below and fill out the required columns.

hxxp://www.mypacificcourt.com/forms/use/vum/form1.html

Failure to do this will immediately render your Email deactivated from the database.Database refreshing shall commence once a response is not received within 48HRS.

Thank you.

UVM Computing.

NOTE:This e-mail message is intended for the named recipient(s) above, and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please do not read the content. Instead, immediately notify the sender and delete this e-mail message. Any unauthorized use, disclosure or distribution is prohibited. The Peel District School Board and sender assume no responsibility for any errors or omissions in the content or transmission of this email.