TCF Bank Account Phishing Redux

Last Tuesday, October 19th, another mass email went out to University of Minnesota students attempting to trick gullible students into giving up their TCF bank online login credentials. This is the second of such I have received in the past two months. This time the message was about the same, pointing to a different compromised site. As before, I am posting the message for the world to see.

Dear TCF Bank Customer,

We have noticed unusual activity in some of our customers accounts and 3rd-party access to Online Banking. Because our customers security is our main priority, we request you to verify your account and confirm you are the owner. Validating your account will require about 3 minutes of your time.

To access the activation form click on the following link:

Click here to access your account

Once you have verified and confirmed your account, you can continue using our services as usual.

Elizabeth G. Hayes,
Security Executive,
TCF Bank.

Do people actually fall for this? While it is not verbatim of the previous attempt, it is very similar (to the point anti spam filters should have blocked it). By the time I actually read the email, the compromised site was already cleaned up. There has been an improvement since the last mass phishing attempt, the “U” now provides spam assassin for the central email accounts, you just have to enable it.

And, just a side thought here, why do we still allow BCC to exist in its current form? If we automatically trashed all BCCs from an external network (or not from our address book/contacts list, or from a pre approved sender list), spam like this would have one less avenue to reach our inboxes.

-John Havlik

[end of transmission, stay tuned]

Stupid Phishers

Last night at 10:20PM CST, the droid’s green status light started blinking. It was an email on one’s school email. Titled “An Important Message From The University of Minnesota”, the message claimed that one needed to provide information in order to retain one’s email account after a mail server upgrade. 25 minutes later the message was sent again. The email, in it’s textual entirety is as follows:

Dear Webmail User,

Due to high volume of unused account on our server and the upgrade of The University of Minnesota webmail Service, we hereby request every webmail account holders to submit the below information for our server upgrade purposes.





failure to submit the above information may lead to automatic closure of your webmail account as we are upgrading our server to serve you best.

We appreciate your continued co-operation.

Well, let’s see here. Let’s start with information the sender already had (if they were legitimate). Anyone that has a University of Minnesota email can find the full name of any UMN email address, so asking for one’s name was not necessary. Second, asking for one’s email address, why? Seriously, emails don’t just randomly appear in inboxes (well truth be told, gmail has delivered mail not addressed to one, in one’s inbox before).

Now onto the information that sender doesn’t need to know (to do their job, assuming they are legitimate). One’s password, which one did they want, the email one? Oh wait, with the way the University does its online authentication, the password would be one’s x500 password. The fact that the University uses a global authentication system means that the password is irrelevant for email servers (or any individual server for that matter). Never mind the fact that you should never, under any circumstances send a password via email (especially to unknown recipients). Finally, the request for one’s department. Well that one makes even less sense. One’s department is completely irrelevant to one’s University email account.

At one point, one was tempted to reply with fake information (possibly containing highly inflammatory language). Looking at the headers, one found that the email was sent through Yahoo’s mail servers (originating from, the reply to address was (feel free to sign this address up for copious amounts of spam, send fake replies to undermine their Phishing operations, or do both).

If all of that wasn’t enough to place the message into the spam/phisher bin there was the top image, linked from a non UMN website. The phisher also used a footer that official UMN email has not used for at least a semester now.

-John Havlik

[end of transmission, stay tuned]