Cybersecurity Blog

Ransomware Hidden in Scanned Document Attachments – 11/29/17

Please note: This post was updated on 11/30/17!

Over 2 million malicious emails per hour are being sent out worldwide. The emails have the subject lines:

  • Scanned from Lexmark
  • Scanned from HP
  • Scanned from Canon
  • Scanned from Epson

They appear to come from a printer or copier and contain an attachment that appears to be a scanned document. The attachment has the extension .7z. Opening it loads a new strain of ransomware onto your computer.

If you receive an email that appears to come from a copier or printer and you haven’t recently scanned a document, report the email as phishing to Google. If you have scanned a document:

  1. Check the sender; it should say "me".
  2. Check the email address; it should be yours.

If the email is not from you and does not have your email address, report it as phishing to Google.
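
For mail administrators, the same checks can be applied to a raw message automatically. The script below is an added example, not part of the original post; `triage` and `sample` are hypothetical helper names, and the addresses, file names and messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lines listed in the post above.
SCANNER_SUBJECT = re.compile(r"^\s*Scanned from (Lexmark|HP|Canon|Epson)\b", re.I)

def triage(raw_message, my_address):
    """Apply the post's checks to one raw message; return (verdict, reasons)."""
    msg = message_from_string(raw_message)
    if not SCANNER_SUBJECT.search(msg.get("Subject", "")):
        return "not-scanner-mail", []
    reasons = []
    # A real scan-to-email message is sent from your own address.
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != my_address.lower():
        reasons.append("sender %s is not your address" % sender)
    # The campaign's attachment has the extension .7z.
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(".7z"):
            reasons.append("attachment %s is a .7z archive" % name)
    return ("report-as-phishing" if reasons else "looks-like-your-scan"), reasons

def sample(sender, subject, filename):
    """Build a constructed test message (placeholder bytes, not a real archive)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.edu", subject
    m.set_content("Scanned document attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

# Constructed samples: addresses and file names are made up for illustration.
SPOOFED = sample("Copier <copier@printer.example>", "Scanned from HP", "scan_0042.7z")
OWN_SCAN = sample("me@example.edu", "Scanned from Canon", "scan_0043.pdf")
FORGED_SELF = sample("me@example.edu", "Scanned from Epson", "scan_0044.7z")

if __name__ == "__main__":
    for raw in (SPOOFED, OWN_SCAN, FORGED_SELF):
        print(triage(raw, "me@example.edu"))
```

The From header can be forged, which is why the third sample is still reported: the .7z attachment is flagged even when the sender address matches yours.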

 

 

Threatening voicemail left at Mount Royal – 11/21/17

Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”. Our quick-thinking staff member Googled the number, 905-581-1528, and discovered that it was a phone scam.

Had she called them, she would have been asked for her personal information, including her SIN. Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments. Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.

This is just a reminder to never give out information that the other party should already have, whether over the phone, in an email or in a text. If someone calls you and tells you they are from your bank, a vendor, the CRA, RCMP or Calgary Police Service:

  1. Ask for their name.
  2. Tell them you will call them back.
  3. Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
  4. Ask for the individual by name.

If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.

Remember, no legitimate agency threatens legal action over the phone.

ALERT – Word macro virus circulating through Mount Royal University – 11/20/17

Last week I posted about a scary new phishing email making the rounds. This phishing email is hard to detect because it appears as a reply to a previous email and it comes from someone you know. The email reads as follows:

Morning,

Please see attached and confirm.

A Word document is attached to the email.  If you open the email you get the following notification.

If you follow these instructions,  you give Word permission to run the malicious macro embedded in the document and your machine is infected with malware.  To make matters worse, it will then send out a similar email reply to select people on your contact list spreading the infection.

Several people in the Mount Royal community have already received this email and opened the attachment.  Their machines were infected and are being re-imaged. We are unable to determine who will receive this phishing email next and it is too new for our anti-virus software to detect.

This is only one example of a whole family of malware that uses Word macros to infect your computer.  The good news is, if you have macros disabled by default and you do not Enable Editing or Enable Content as instructed, you cannot be infected.

Some other examples of fake notifications to look out for are:

In each one of these instances, following the instructions will infect your machine with malware that could spread to friends, family and colleagues.

How to protect yourself from infection:

  • Make sure Word Macros are disabled by default:
    1. Select File > Options > Trust Center.
    2. Click the Trust Center Settings button.
    3. Select Macro Settings from the left menu.
    4. Select Disable all macros with notification.
    5. Click the OK button to exit the Trust Center Settings.
    6. Click the OK button to exit the Trust Center.

    Note: Disabling macros in Word does not disable them in Excel and vice versa. You must change the settings in each application.

  • Verify with the sender before opening any attachments.
  • If you are prompted to Enable Editing or Enable Content, ignore the request.  You do not need to Enable Editing or Content to view a document.

If you are unsure about the safety of an attachment, please contact the IT Service Desk. If you think you have received a phishing email, please forward the entire email to abuse@mtroyal.ca.

 

Have a music player app on your Android phone? It may be secretly running malware. – 11/16/17

Yes, it has happened again: apps loaded with malware have been found in Google Play. Google has removed 144 different music playing apps from Google Play that contain a new form of malware called Grabos. What makes this malware so devious is that it monitors your phone activity and switches its function based on whether you are using the infected app or not. So, when you are paying attention, the infected app acts as advertised, letting you download music for free. When you aren’t using the infected app, it sends information about your device, its specs, its location and the apps that are installed on it to the hacker’s server. This information is then used to create targeted notifications that prompt you to download and install additional malware-loaded apps, which are then opened without your consent.

To make sure as many people as possible are infected, the infected app constantly prompts you to rate it and offers you faster download speeds if you share it with friends.

Because of the prompts to rate these infected apps and their covert nature, many of them have a very high rating on Google Play. The most popular one, with over one million downloads, is called Aristotle Music Audio Player 2017. For a complete list of infected apps, check out McAfee’s blog post.

If one of these is on your phone, uninstall it and then check to make sure all the apps installed on your phone are apps that you installed and were not installed by the malware. It would also be a good idea to change the passwords on all your accounts that you can access from your phone.

Although these apps have been removed from Google Play, they can still be found and downloaded from other locations on the Internet. Reduce your risk: only download apps from reputable sources with good reviews.

Scary New Phishing Attack is Hard to Detect – 11/15/17

 

The latest phishing attack uses an email that appears to come from someone you know and appears to be a reply to a previous message. This makes it very hard to detect. The body of the message asks the user to open a Word attachment that contains instructions on how to enable Word content.

Of course, if you follow the instructions, a banking trojan is downloaded onto your computer that can steal your banking credentials, record your keystrokes, capture screenshots, etc.

This is a reminder to NEVER enable the use of macros in Word documents. If you receive a Word document that asks you to enable editing, enable content or enable a macro, call the sender to verify that the email is legitimate and the attachment is safe.

Scam of the week – Netflix Suspension notification – 11/07/17

A massive phishing campaign is underway. Emails with the subject line “Your suspension notification” are making the rounds. The email includes Netflix’s logo as well as mention of “The Crown” and “House of Cards”, giving it a real sense of legitimacy. Clicking the link takes you to a fake Netflix page asking for your login and credit card information. Of course, doing so gives your information to the bad guys.

With criminals getting so good at creating fake emails that look like they are legitimate, how do you know if it is a scam or if you really do have a problem with your account? Quite honestly, you don’t. That is why it is best to ignore the email entirely and go to their website directly using either a bookmark or Google search.  From their webpage, you will be able to access your account information and safely update it if it is required.

How do you know if that email from the NSLSC is legit? – 11/03/17

 

The National Student Loans Service Centre (NSLSC) is sending out emails to current and past students about the availability of the Repayment Assistance Plan. The emails provide information only and do not ask the reader to take action.

Why am I telling you this? In the past, phishing emails have been sent that appear to come from the NSLSC. They are aware of this and have notified universities of the impending emails to make sure that their legitimate emails aren’t confused with phishing emails. Seems like a great idea, right? Let people know they are coming and then they will know they are legit. However, if a hacker gets wind of their announcement, which includes the subject matter of the emails, the dates they will be sent and who they are from, it is easy for them to create spear phishing emails that look super authentic.

So what should you do if you receive an email from the NSLSC?

  1. Read the email. The legitimate emails contain important information on paying back your student loan.
  2. Don’t click on any links or open any attachments.
  3. Don’t comply with any requests for information.
  4. Don’t contact them using information contained in the email.
  5. Contact Student Awards and Financial Aid here at Mount Royal University if you want more information or to participate in a program. They will be happy to answer any questions that you have.