Another day, another clever criminal trying to break into our network. This time they tried using the Google Drive to do it. Tuesday morning several employees found this in their inbox.
The Word Doc link is totally legit. If you click the link, it takes you to this document.
Clicking the link in the Word document takes you to a legitimate website that has been compromised. The site asks you to login to Office 360 to access the document. Of course if you do, you are giving some miscreant your Office 360 login credentials. They can then sell your credentials on the dark web or use them themselves to wreak havoc on your data as well as the data of others. Fun, Fun, Fun.
Because the Google Drive file share and the website are legitimate, they won’t be flagged by anti-virus or the firewall. It is actually very clever. However although it may get by the technology, a person can easily spot this as malicious. In fact, we had two different reports sent to email@example.com about this one. Way to go MRU!!
For those of you who aren’t already yelling at the screen, “Come on, that is so obvious”, I am going to walk you through the red flags. First one is the email is sent by Benjamin Kuiper from the email address firstname.lastname@example.org. Clearly not a Mount Royal email and he is not listed in the directory. Fail number one.
Second, the doc says it was being shared by Benjamin and David Hyttenrauch. This doc was sent to people on David’s team so even though they didn’t know who Ben was, they sure as heck knew who David was. This got the desired attention. However, you can’t send an invite to share one file from two people. Clearly, this Word doc was shared by Benjamin and the sneaky dude entered the rest of the deceiving information into the Add a note field in the Share with others dialog box to make it looks like Dave was involved. Fail number two.
Third, when you open the document it tells you that you have a file waiting for you on the OneDrive. OneDrive file shares are not sent with links in Word documents. Fail number three.
Lastly, if you were to hover over the link in the Word document you would see that it does not go to OneDrive. Fail number four.
As clever as criminals are, most of them can be stopped by alert employees who take the time to look at emails with links and attachments critically. As we have seen in this example, the majority of the time phishing emails contain clear clues that something is not right. Don’t get caught up in the emotion of the moment. Like our wonderful employees, take the time to really look and make sure that the email is what it appears to be. Your data, your colleagues and your IT department will thank you.
Today Facebook announced that they have discovered hackers have stolen 50 million access tokens. These tokens allow them to take over an account without having to login with a password. They did it by taking advantage of a vulnerability in the View As feature that allows users to see what their account looks like when viewed by others.
To solve the problem, they have logged out all the users who they believe were affected and disabled the View As feature. As often happens in these types of breaches, there is a possibility that at a later date they may find there are more people affected than originally thought.
To be on the safe side I suggest that you logout of Facebook by going to Settings and selecting Security and Login. There you can logout of all your devices at once with a single click. Alternatively, this might be a good time to get rid of Facebook all together.
It has been a busy week. There are two phishing emails going around campus at the moment. The first one starts out rather innocently.
However if you respond to it, like half a dozen people did, you receive a second one.
You are probably wondering why anyone would respond to the first email. First of all the email was from a department head, so that tends to get people’s attention and generate an emotional response. Also, almost all who responded were looking at the email message on their phone. They were unable to clearly see the sender’s email address or the grammar errors. This is just another reminder as to why it is so important to wait until you get to a large screen to take action on an email. It is also a reminder to not respond to our emotions. If you read an email and are responding emotionally to it, that is your cue to pause for a minute and take a closer look.
Impersonator number two is a bit more sneaky. Check out this bad boy.
I just love how they added the signature line to this one. They must have received an email from Mount Royal at some point. This is the stuff that keeps me up at night. The grammar is perfect. The content is plausible and looks legitimate. The fuzzy logo is a bit of a tell, but other than that it’s not an easy one to spot.
That was the bad news. Now for the good news. In both cases IT services was notified of the threat by Mount Royal University employees who forwarded the email to email@example.com. Their quick thinking gave us a heads up right away so we could block both email addresses and prevent further attacks. They are superheros!!
Keep an eye out for these types of emails in the future. If you find one, forward it in its entirety (no screenshots please) to firstname.lastname@example.org and you can be a superhero to!!
A college that we communicate with regularly has had one of their email accounts compromised. As a result, several people around campus have received emails with requests to Download Attachments from Sharefile. The emails look like this:
The name of the college and the email sender have been blurred out to protect their privacy.
What makes these emails so devious is that they come from someone that Mount Royal staff have been conversing with recently. This makes it much more challenging to identify them as malicious.
This is a gentle reminder to everyone to contact the email sender when you receive an unexpected email with a link or attachment using a contact number that you have used in the past or have found through Google. Even if you have been speaking with them recently if you aren’t expecting the email, call to confirm its legitimacy. Just because an email looks like it comes from someone you know, doesn’t mean it does.
That is what our brave Mount Royal employee did and as a result prevented a potentially serious cyber security incident. Had they simply clicked on the Download Attachments button and followed the instructions, they would have given the hacker their Docusign credentials. Who knows what that would have led to.
Mount Royal employees are receiving emails from a vendor that are actually replies to a legitimate message. As the message is a reply and it is from someone we do business with, employees have been tricked into opening the attachment more than once putting our network at risk.
How the heck did they manage to reply to a message that the vendor had sent ages ago? Simple, the vendors email account was hacked. Once the hackers had access to the email account all they had to do was scroll through the emails in the sent folder until they found one that mentions an invoice and reply to it. Of course they attached an edited invoice containing a nice little keylogger trojan onto it first.
Those that opened the attachment found a blank document and then contacted the Service Desk to see why. The Service Desk calmly explained all their keystrokes were being recorded by malware they had unintentionally installed and then sent support staff to re-image (wipe clean and re-install) their machines.
Unfortunately this is not the first time that Mount Royal University has been targeted by this type of attack. Late last year another vendor had their email account compromised and multiple Mount Royal staff members received replies to an old meeting invite containing a document that “required their input”. That document contained malware as well and once again we were re-imaging machines.
How do you know when an email from a vendor contains a malicious link or attachment? Truthfully, you don’t. The only red flag on either of these emails was the date of the original message. The email thread was months old and was used in the attack because it contained a subject that would allow an attachment to be added to it without looking odd. However, a recent message could also have been used if it had contained the right content.
So how do you protect yourself from such attacks? You call the vendor when you receive an email with a link or attachment and confirm that they sent the email. You do not reply to the email as if their email account has been compromised, you will be conversing with the hacker. Do not use the contact information found in the email to contact the vendor either. The hacker may have changed the email signature. Use a contact number that you find in a Google search or that you have used before.
Yes, horrors, you have to actually pick up the phone and talk to a person. However, it will practically eliminate the risk of having your machine wiped clean and the operating system re-installed. Not a fun way to spend the morning.
One sure sign that spring is on its way…tax scammers pop up along with the tulips. Although we are a ways away from enjoying the tulips, the scammers are out in full force. One Mount Royal employee came into work to find this on his voicemail.
Click the far left of the bar to listen to the voicemail message.
Pretty nasty huh? So how to do you know this is a scam? Simple, the CRA will never phone you and threaten legal action or arrest. They will never send someone to your house to collect payment or to arrest you either. This was a voicemail, so it was easy to calmly listen to the message and analyze it to determine if it was legitimate.
What do you do if they have you on the phone and they are threatening you? The scammers can be very insistent and believable causing considerable stress and confusion. If you experience a call like that from the CRA, tell them you will call them back and hang up. You can then contact the CRA at 1-800-959-8281. If there are any issues with your taxes, whoever answers the phone will be able to address them.
Watch out for phishing emails from the CRA as well. As I mentioned in a post last year, the CRA will never email you unless you have given them previous permission to do so and they will never send you an email with links unless you have specifically requested a document.
Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”. Our quick thinking staff member Googled the number, 905-581-1528 and discovered that it was a phone scam.
Had she called them, she would have been asked her personal information including her SIN. Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments. Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.
This is just a reminder to never give out information people already should have, over the phone, in an email or text. If someone calls you and tells you they are from your bank, a vendor, the CRA, RCMP or Calgary Police Service:
- Ask for their name.
- Tell them you will call them back.
- Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
- Ask for the individual by name.
If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.
Remember, no legitimate agency threatens legal action over the phone.
Last week I posted about a scary new phishing email making the rounds. This phishing email is hard to detect because if appears as a reply to a previous email and it comes from someone you know. The email reads as follows:
Please see attached and confirm.
A Word document is attached to the email. If you open the email you get the following notification.
If you follow these instructions, you give Word permission to run the malicious macro embedded in the document and your machine is infected with malware. To make matters worse, it will then send out a similar email reply to select people on your contact list spreading the infection.
Several people in the Mount Royal community have already received this email and opened the attachment. Their machines were infected and are being re-imaged. We are unable to determine who will receive this phishing email next and it is too new for our anti-virus software to detect.
This is only one example of a whole family of malware that uses Word macros to infect your computer. The good news is, if you have macros disabled by default and you do not Enable Editing or Enable Content as instructed, you cannot be infected.
Some other examples of fake notifications to look out for are:
In each one of these instances, following the instructions will infect your machine with malware that could spread to friends, family and colleagues.
How to protect yourself from infection:
- Make sure Word Macros are disabled by default:
- Select File>options>Trust Center.
- Click the Trust Center Settings button.
- Select Macro Settings from the left menu.
- Select Disable all macros with notification.
- Click the OK button to exit the Trust Center Settings.
- Click the OK button to exit the Trust Center.
Note: Disabling macros in Word does not disable them in Excel and vice versa. You must change the settings in each application.
- Verify with the sender before opening any attachments.
- If you are prompted to Enable Editing or Enable Content, ignore the request. You do not need to Enable Editing or Content to view a document.
If you are unsure about the safety of an attachment, please contact the IT Service Desk. If you think you have received a phishing email, please forward the entire email to email@example.com.
The US Department of Homeland Security has issued an alert for the Bad Rabbit ransomware strain. It has crippled organizations in Russia and the Ukraine and has been found in the US. It is only a matter of time before it begins appearing here.
What does it do?
- It encrypts your files and extracts the login credentials for your computer.
How do I know I have been victimized?
- Your computer will start to run slowly.
- You are directed to a webpage that gives you 41 hours to pay the ransom to get access to your files or the ransom will go up.
How do you get infected?
- When visiting a legitimate website, a pop up appears asking you to install Adobe or the Adobe Flash Player.
- Downloading and installing either of these programs installs the ransomware.
What is IT Services doing to fight this attack?
- Our anti-virus is up to date.
- We are actively monitoring systems to detect any abnormal activity on the network.
What can I do to fight this attack?
- If you are prompted to download Adobe Flash Player or Adobe:
- Close the browser tab that contains the prompt.
- Open a new browser tab and visit www.adobe.com/ca.
- Search the Adobe website for the application and download it from there.
- If you are a victim, disconnect from the network immediately (pull the network cable or disconnect from WiFi) and contact the IT Service Desk at 403-440-6000.
If you have any questions or concerns, please contact the IT Service Desk.
In past posts I have talked about the importance of keeping your computer up to date by shutting it down each night. This week that is more important than ever. On Tuesday MIcrosoft released its latest updates for Windows, Office and other software which includes patches for 62 different vulnerabilities.
What is so important about patching these vulnerabilities? Hackers have known about some of these for a while and have already created malware that takes advantage of them. Keep your machine secure, shut down your machines this afternoon and get your updates.