As employees all over the world are working from home, criminals are ramping things up hoping to take advantage of the less secure networks that people tend to have at home. We have surges in phishing emails on campus and across the world related to working from home as well as an increase in malicious websites. It has gotten so bad the US Secret Service has issued a warning. Here are some things to watch out for.
The fake VPN
As employees scramble to set up a home office, they are signing up for and downloading VPN services at record rates. While all of our employees have the advantage of using SRAS, many smaller organizations do not have their own VPN tool and are asking employees to install one on their home computer. If your spouse or roommate is in this situation, warn them to be very careful about which VPN they download. Cyberattackers are offering fake VPN services in record numbers, and installing one puts malware on the machine. Make sure they check reviews of the service to ensure it is reputable, and that they download it only from the vendor's own website or an official app store, before they install it.
Fake COVID-19 trackers
As people attempt to live their lives and stay safe, many are turning to maps that track the location and incidence of infections. Criminals are getting wise and creating their own versions of these tracking websites that infect your computer with malware.
Some enterprising scammers have also created phone apps that supposedly track the infection rate but load your device with ransomware instead. Stick to well-known and reputable websites such as Alberta Health Services and the World Health Organization to get your information about the virus, and stay away from any apps related to it, including ones that claim to tell you how to get rid of it.
Phishing emails about working from home and COVID-19
Phishing email attacks are off the scale: everything from fake emails from your organization about working from home to offers of vaccines and cures. One of the attackers' favourites is a fake GoFundMe page for a coronavirus victim pleading for medical help. Another is pretending to be a colleague who is quarantined and needs help.
You name it, the depraved are going to try it. During this time it is especially important to be vigilant. If you receive an email that doesn't come from a Mount Royal email address, question its validity. While you are working at home, make sure you use your Mount Royal email address to send business correspondence. DO NOT use your personal email address. That way your colleagues can treat any MRU business email that arrives from an outside address as suspicious, which makes it easier for everyone to stay safe.
With the world on melt down, cyberattackers took advantage of the mayhem to send out a slew of spear phishing emails to several departments. Most of them had a member who reported the suspicious email right away. As a result, we were able to notify their colleagues before most of them had even opened it.
Unfortunately, one department was left vulnerable. None of their members reported the malicious email sent to them. We eventually found it, but it was much later and there was a delay in the notification going out. This delay increased the chances that someone would become a cyberattack victim.
We know that all of you have much on your mind trying to figure out how to teach and work from home. However during this challenging time, please don’t forget to take those extra two seconds to let us know when something suspicious lands in your inbox. The sooner we know, the sooner we can let everyone else know and reduce the risks to everyone’s data, including yours.
This week I posted an article telling the horrific tale of a Mount Royal employee who had their phone number ported to another carrier and their email compromised even though they had two factor authentication enabled on their email account.
How was this possible? The second factor they had used was an SMS message sent to their phone. With this method, whoever controls the phone number receives the authentication codes. The bad news is that if someone impersonates you to your carrier and either asks for a new SIM card or moves your number to a different carrier, they receive your codes and can get into your email account. The good news is that there is a way to stop this.
Instead of using a text message sent to your phone as your second step, use an authenticator app or a security key. An authenticator app generates the code on the device itself, from a secret the service shared with it when you set it up and the current time; it needs no wifi, no cell service and no phone number, so whoever takes over your number learns nothing. A security key must be plugged in or held near the device for you to log in, and it signs a challenge tied to the real website, so a look-alike phishing page cannot use it. In both cases you have to be in physical possession of the second factor to get access to your account. Of course, if your phone is stolen or your key is lost, you are locked out. However, you can print off backup codes and register a spare key in case that happens.
As coordinator of the cybersecurity awareness program here at MRU, I often have colleagues call me with their own personal tales of horror. One of the more recent ones involved a port-out scam. Here is their tale, written in their own words…
Until recently, identity theft was definitely something that we never thought could happen to us. It’s something that we warned our grandparents, our parents and even our security-relaxed friends about. But we were totally safe, or so we thought.
Through this experience our lives have definitely changed forever. We have learned a great deal and are now more aware, and will be more vigilant. It was shocking to discover how easy it might be to lose everything.
Upon landing at the airport in Calgary at 2 AM following a holiday early in January, my boyfriend (for privacy we will call him James) turned his phone on to discover that he had no carrier service. We didn’t think it would be anything serious and joked about something being wrong with his last payment.
The next morning James called Telus and a Customer Service Agent informed him that he had ported his number out to Bell on Tuesday, to which he quickly replied that he had been out of the country, so that was impossible. After some convincing that this action was not taken by James, Telus quickly, and easily, ported the number back from Bell. We knew at this point that something was very wrong. He was also unable to get into his Microsoft Outlook email account; his password was denied.
Once James had his number back, he was able to use his phone (with SMS two-step authentication) to reset his password and get into his email accounts, where we quickly realized the horrifying truth that his identity was compromised. Someone had accessed his email account with his phone number, changed the password, and taken over. James’s email account is connected to everything: PayPal, Amazon, personal & joint banking, investments, taxes, etcetera. I am sure you can imagine the anxiety James and I felt in that moment of realization.
You’re probably thinking that James did something to be a target. He must have been lenient with his security questions, or displayed some weakness with online purchases or social media. We have gone over everything meticulously to try to figure this out, and with the help of many people, our conclusion is that he actually did nothing wrong. All the hackers needed to access his email was his phone number. He is not a prominent person and does not hold a prominent position, so not your typical target according to experts. Further, he is very private and careful, with the strongest security settings on his social media accounts where he is also conscious about everything he posts, and any business he does online shopping with.
Next came the long process of regaining control…. cancelling credit cards, bank accounts, informing all business and friends of the identity theft…setting up security watches on James’ Social Insurance Number through various government services…..hours of waiting on hold, explaining the situation and the frustrating experience of having to convince people of the seriousness of the situation.
We talked to Calgary Police Service (CPS), and while they made some good suggestions of things to change, credit checks to put in place, it was also frustrating that there was nothing they could do. Because no physical property was actually taken there will not be an investigation. We were also informed that we should maintain a close eye on all of James’ accounts for at least six to eight years as we don’t truly know what information the hackers obtained and they may resurface at a later date.
Microsoft Outlook support was useless because the same security measures that should help in this situation caused serious issues. The hackers were able to change the security settings in the account before James got it back. They added their own email addresses and phone numbers as new two-factor authentication security. It is part of the Microsoft Outlook security plan that when changes are made there is a 30-day freeze before further changes can occur. Despite hours speaking with Microsoft Outlook staff at all levels, they refused to close the accounts before the 30-day freeze.
Through all of this we learned that this is called a Port-out Scam. In this case, Telus confirmed to James that his account number was provided to Bell in the port. There was an incredible lack of due-diligence to verify one’s identity in this case. This type of scam has been known to play on the emotions of customer service agents at telecommunications companies and the lack of security measures in place to protect customers.
How does it work? The hacker would have acquired James’s name and phone number from somewhere to start – not difficult given the world we live in. Next they might have called Telus, pretending to be James, claiming they want to make a payment on their account, but they are not at home and didn’t have their account number – can they have it? The customer service agent should refuse, or ask detailed security questions only James can answer, but instead they provide the number. (CPS told us that hackers can also get addresses, email addresses and more this way.) Next, armed with everything they need, they simply call another company (Bell in this case) and pretend to be James, saying they want to port their number over from Telus. Just like that the hacker owns your number and now they can get into anything your number is tied to for two-step authentication.
James called Bell to inform them of the theft and that they were used in the process of the theft, and, surprisingly, they brushed him off. Told him it was not their problem. Wanting to understand how this could possibly happen, I called Bell to casually inquire about moving over from my existing carrier and told the customer service agent I wanted to keep my phone number. She was more than happy to assure me it was no problem to keep my number – all I needed was my number, and to ensure my account with my previous carrier was in ‘good standing.’ It was way too easy.
The comical part in this experience is that while it was so easy for the hacker to steal James’s number, in order to cancel his phone number (once he got it back) the Telus Customer Service Agent’s protocol was to hang up and call James back to verify that it was his number, as well as asking for detailed account information and his driver’s licence number. This means that there is protocol that exists, but no assurance that it is followed regularly.
We are sharing this story as we hope that others will learn from this. We want telecommunications companies to start taking security seriously and we want you to be vigilant. Instead of assuming you are taking precautions and you are safe from identity theft, in 2020 it is safer to assume you are a target and take precautions for the day you will be attacked.
Is there a way to use 2FA that will provide security even if you are a victim of a port-out or SIM swap scam? Yes there is. Read How to prevent a two factor authentication compromise to find out.
The MRU community is made up of a diverse group of people. Some of you just like to forward suspicious emails to email@example.com without really doing much investigation on your own. Others like to make a game out of looking for phishing red flags. While still others follow email processing guidelines, just like I have asked. Thanks to all of you, my job is never dull.
That said, we thought it would be a good idea to give all of you one more tool to help with the challenging job of identifying phishing emails. IT Services is proud to announce the launch of the MRU Phish Bowl. The Phish Bowl contains a collection of all the phishing emails that we have received over the past few years. When you receive an email in your inbox and you aren’t quite sure if it is malicious, you can now search the Phish Bowl for it. If the exact email or a very similar one is posted then you know it is malicious and you can simply delete it.
Each post in the Phish Bowl shows you what the email looks like, points out the red flags and lets you know how to deal with similar emails in the future. Not only is it informative but it is also educational.
If an email doesn’t appear in the Phish Bowl, it doesn’t mean that the email is legitimate. You will still have to use the other strategies that you have been implementing to determine if it is malicious. The Phish Bowl is only an additional tool, not a replacement for your current vigilance.
The Phish Bowl is also helpful for those of you who are not sure whether you should forward an email to firstname.lastname@example.org or not. If you do a search and find the email already listed, you know there is no need to report it. If it isn’t, then you know you may have a new nasty that needs to be reported.
We will be updating the Phish Bowl as new reports come in. You can access it here, or from the MRU Cybersecurity Hub at mru.ca/cybersecurity. Look for the Phish Bowl link in the section titled Stay Informed.
When we tabulated our survey results, we were delighted to find a significant reduction in password sharing on campus. However, our victory lap did not last long. Password sharing is happening less but there are scary numbers of people logging in and letting someone else use their account.
We understand that you have guests that come on campus and need wifi access, that you have new employees that you need to train and that sometimes a colleague’s or friend’s account isn’t working. However regardless of the reason, credentials should not be shared. Your credentials are only for your use. They give you exactly what you need to have access to, no more and no less. This protects you, your colleagues and the institution.
Stop for a minute and think about all the things only you can access with your login credentials that no one else has access to. Do you really want someone else to be able to access those things? Think about how embarrassing, uncomfortable or alarmed you would feel if a colleague or friend started exploring. I know what you are thinking, I can trust them. They wouldn’t do anything malicious with my account.
Regularly we hear about horror stories of friendships gone wrong, bitter colleagues, bad breakups and the resulting fallout. When things go bad it is impossible to predict how someone will react. You would be unpleasantly surprised to know the damage that has been caused when these things occur.
Even if letting someone else use your account doesn’t result in data armageddon, it is against the Acceptable Use of Computing and Communication Resources Policy. The good news is there is no reason to do so. IT Services can arrange access for anyone for any reason. We have a solution for every situation. Find yours in the Credential Use Guidelines. If you aren’t sure what to do, just call the IT Service Desk and let them know what your time frame is. They will get back to you right away and provide you with a solution.
Don’t give up control by logging in for someone else. Reserve your account for your use only.
Across campus an email similar to the following has been popping up in inboxes.
According to their website, Alignable is
…the online network where small business owners across North America drive leads and prospects, generate referrals, land new business, build trusted relationships, and share great advice.
Their website is slick and professional. It has an impressive list of testimonials. In addition, logos of media outlets are prominently displayed. Everything on the site is designed to make the service look like it is widely used and trusted.
While there is no doubt that this is a legitimate service, their marketing practices appear to be a bit troubling. Those reporting the Alignable invites to email@example.com often remark that they do not know the person who sent the invite. Others complain that they did not sign up for the service, yet everyone in their contact list has been spammed.
These complaints are not just coming from our community. The Better Business Bureau has 19 similar complaints, and on Trustpilot 51% of reviews rate it Excellent and 40% rate it Bad, with very little in between. A split between the two extremes like that often points to review manipulation, such as a bot posting the good reviews, although it can also simply mean the service is polarizing.
Scouring the rest of the internet, influencers indicate that it is an amazing tool that you should try while other folks warn to stay away unless you want to spam your contacts. It is difficult to know what the real story is.
What I can tell you is unhappy users have experienced the following:
- They have been signed up for the service when they click the cancel button on the would-you-like-to-join dialog box.
- They have had their entire contact list spammed with invites without their permission.
- They have had invites sent out on their behalf without ever joining the service.
It is not possible to say whether these actions are deliberate or Alignable has a glitch in its service. Either way I suggest that before you accept one of their invitations, you treat the email like any other coming into your inbox and contact the person who sent it to you to make sure it is legitimate. While you are at it, you should ask them about their experiences with the platform. If they give you green lights, then you are good to go. If not, delete the email.
What have your experiences been with Alignable? I would love to hear about them. Please post your comments below.
The attackers are at it again, this time they have tried to hide behind threats of disciplinary action. Check out the latest phishing email to hit the campus:
This nasty thing mostly landed in spam folders. However, some of you will have found it in your inbox. The premise is plausible and the PDF attachment looks harmless. If you were to open this email on your phone, where the mail client usually shows only the display name and hides the actual sender address, the odds are very good that you would assume the email is legitimate. However, if you open the attachment a nasty surprise awaits. This is a gentle reminder to double check the sender’s actual email address, not just the name shown, before you decide to act on an email.
Another day, another fake UPS email. Take a look at this sad excuse of a phishing email.
I really do expect more from an attacker. At least paste an out of focus logo into the email. If you want to steal my money, you should put in a bit more effort than this.
The latest phishing email to arrive in MRU inboxes is this beauty that looks like it comes from The Spamhaus Project, an international organization that creates block lists of spammy and phishy email senders.
This email is a bit clever: it links to the real Spamhaus Project website to make the message look legitimate while threatening to block your email address. Unfortunately for the attacker, the painfully bad grammar, the zip file attachment and the wrong email address clearly mark it as a phishing attempt.
You have to give them credit for trying, though: if you are in a hurry and don’t take the time to read the email carefully, the odds are pretty good you will panic and click. Don’t get caught; slow down, stop and think before you click.
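The two red flags called out above, the sender address not matching the name or brand shown, and an unexpected zip attachment, are easy to check mechanically. As an added example (not code from the original posts or from IT Services), the following Python script runs those checks over a raw message: it reads the real From address rather than the display name, flags a brand named in the display name or subject whose domain the sender is not, notes a Reply-To pointing at a different domain, and lists risky attachment types. The trusted domain mtroyal.ca, the brand-to-domain map and the sample messages are constructed assumptions, not captures of the emails shown.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional

# Assumption: the domain internal mail is expected to come from; adjust for your organisation.
TRUSTED_DOMAINS = {"mtroyal.ca"}
# Brands the posts above saw impersonated, mapped to the domain each really sends from.
BRAND_DOMAINS = {"spamhaus": "spamhaus.org", "ups": "ups.com"}
# Attachment types that rarely arrive legitimately from strangers.
RISKY_EXTENSIONS = {".zip", ".iso", ".exe", ".scr", ".js", ".htm", ".html"}


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@' (empty string if there is none)."""
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> List[str]:
    """Return red-flag tags for a raw RFC 5322 message; an empty list means none found."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. The real sender address, not the display name a phone client shows.
    display, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    if sender not in TRUSTED_DOMAINS:
        findings.append(f"external-sender:{sender}")

    # 2. A brand in the display name or subject whose domain the sender is not.
    text = f"{display} {msg.get('Subject', '')}".lower()
    for brand, real in BRAND_DOMAINS.items():
        mentioned = re.search(rf"\b{re.escape(brand)}\b", text)
        if mentioned and not (sender == real or sender.endswith("." + real)):
            findings.append(f"brand-mismatch:{brand}")

    # 3. Replies silently diverted to another domain.
    reply = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != sender:
        findings.append(f"reply-to-mismatch:{reply}")

    # 4. Attachment types that carry malware far more often than documents do.
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{ext}")

    return findings


def build_message(sender: str, subject: str, body: str,
                  attachment: Optional[str] = None,
                  reply_to: Optional[str] = None) -> bytes:
    """Constructed sample message for testing; not a real capture."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "staff@mtroyal.ca"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


# Constructed look-alike of the Spamhaus phish described above: real link, wrong sender, zip.
SPAMHAUS_LOOKALIKE = build_message(
    "The Spamhaus Project <abuse-team@mail-notice.example>",
    "Your email address will be blocked",
    "Your address is listed. Details: https://www.spamhaus.org/ (see attached report).",
    attachment="report.zip",
)

if __name__ == "__main__":
    for tag in triage(SPAMHAUS_LOOKALIKE):
        print(tag)
```

The link to the genuine spamhaus.org site deliberately goes unflagged: a real URL in the body proves nothing about who sent the message, which is exactly the trick the email relies on. The sender domain, the brand mismatch and the zip attachment are what give it away, and that is the order in which a reader should look.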