Educause Security Discussion mailing list archives
Re: Fraudulent Domain
From: Ryan Gallagher <gallagher () UNCA EDU>
Date: Mon, 24 Sep 2018 14:42:46 -0400
We had a similar incident a bit over a month ago. If any vendors have supplied you with a copy of the fraudulent message(s), you may want to check for a phone number in the message. Our fraudsters used a phone service with a fake voice recording purporting to be our University. I had to track the provider down and get them to take the phone number down.

On Mon, Sep 24, 2018 at 1:23 PM Jason Todd <jtodd () westernu edu> wrote:
We had an identical issue a few years ago. We sent several reports through the registrar’s contact channels that didn’t get anywhere. What worked for us was sending a fax, yes, a fax on university letterhead to the registrar claiming DMCA violation.

-Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Monday, September 24, 2018 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fraudulent Domain

We have had a similar issue arise. Our domain is mnsu.edu. We have had a few phishing attempts come from mnsuu.com. Using that domain they have duplicated at least two e-mails and directed users to copies of our login pages. We haven’t requested takedown of the domains, but we have requested takedown of the sites when they pop up. We have also blocked the domains through OpenDNS and Office 365 Advanced Threat Protection SafeLinks.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Brad Judy
Sent: Monday, September 24, 2018 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fraudulent Domain

I’m battling an identical battle at the moment. So far, the registrar for the domain has not replied to my email and voicemail contacts with their abuse department. I’m curious to hear the other advice you receive.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Gomez, Joshua" <J.Gomez () SNHU EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 24, 2018 at 9:12 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Fraudulent Domain

Hello Everyone,

We have had a fraudulent domain pop up impersonating the University sending out fake Purchase Orders to suppliers. This website domain does not have an active website but we still reported the domain to reputation reference websites such as VirusTotal, ESET, Google Safe Browsing etc. We plan to contact the registrar of the website and have our legal team request a DMCA takedown notice. What other steps can we take to expedite having this fraudulent domain taken down?

Thanks
Josh

Joshua Gomez | Consultant, Information Security
Information Technology Solutions
Physical Address: 1230 Elm Street, Manchester, NH 03101
Mailing Address: 2500 North River Road, Manchester, NH 03106
Office Phone: 603-626-9100 x7777
--
Ryan Gallagher
Information Security Officer
University of North Carolina at Asheville
828-250-3996