Cybersecurity Blog

Ransomware Alert – Do not install a Chrome font pack! – 02/02/17

There is a new ransomware scam, so new that antivirus software isn’t aware of it yet and therefore can’t detect it. Chrome for Windows users who visit compromised websites are suddenly finding that the text on the page becomes unreadable. An alert appears explaining that their browser doesn’t have the font needed to display the page properly and instructs them to install a font pack. To add to the fun, they are unable to close the alert using the “x” button and they cannot close the browser. If you choose to download and install the so-called font pack, you are able to read the text, but ransomware is also being installed in the background. The nasty thing is so sneaky, you don’t even notice that something is awry…at least not at first.

Your first clue is that your computer starts to run rather slowly. Then you see folders on your desktop grey out and you can’t open them. As the encryption starts to spread, you lose access to your documents one by one. Then the lovely ransom note appears. However, by this time you no longer have access to any of your files.

If you find your folders are greying out or you are unable to open files, please disconnect from the network immediately and call the Service Desk.

This latest ransomware uses a common tactic for delivering malware: the fake alert window. If an alert of any type pops up when you visit a webpage, encouraging you to install something to fix the problem, close the browser immediately. Do not click on anything in the alert window, including the “x”, as some diabolical hackers design their malware to install regardless of where you click. If you are unable to close the browser, reboot your machine. By following this simple no-click rule, you will save yourself a whole lot of frustration and heartache.

Alert – Mount Royal Targeted by Phishing Emails – 01/19/17

Members of the Mount Royal community are receiving emails that look an awful lot like they come from the ITS Service Desk.  Problem is, they aren’t.  The clever criminals are even shameless enough to hide their malicious link in an email that looks like it is trying to prevent cyber crime.  Here is what to look for:

Of course, if you click on the link, some nice nasty malware gets loaded onto your system. If this email shows up in your inbox, do not click on any of the links and delete it immediately.

The criminals are getting smarter and smarter and are starting to make fewer and fewer mistakes. Remember, before you click on a link in an email or open an email attachment, contact the sender and verify that the email is legitimate.

Phishing Scam Alert: OneClass Chrome Extension – 12/12/16


As mentioned in a previous post, you should only download apps, browser extensions and the like from reputable sources. The latest alert is for the OneClass Chrome Extension.  It is a phishing scam that will attempt to send an email to everyone in your Blackboard courses and steal your usernames and passwords. Several Mount Royal students have already been affected by this scam.

How the phishing scam works:

  1. Students receive an email with a link to install the OneClass Chrome Extension.
  2. During the installation, the user will be prompted to accept its permission of “Read and change all your data on the websites you visit.”
  3. When the user accepts, a button will be created within Blackboard pages to “Invite your Classmates to OneClass”.
  4. The extension attempts to email everyone in the user’s Blackboard classes to promote the OneClass extension.
  5. The extension also attempts to collect user credentials (usernames and passwords).

If you receive the following phishing email, do not install the extension or click on any links in the email. Please delete the email.

“Hey guys, I just found some really helpful notes for the upcoming exams for <University Name> courses at <URL removed>.  I highly recommend signing up for an account now that way your first download is free!”

If you have installed the OneClass Chrome extension, you should immediately remove it and change the password of any site you logged into while it was installed.

To remove the extension:

  1. Open your Chrome Browser.
  2. Select the 3 vertical dots in the upper right-hand corner. A menu appears.
  3. Select Settings. The settings page appears.
  4. From the menu on the left, select Extensions.
  5. Scroll down until you locate the OneClass Easy Invite extension.
  6. Select the Trashcan icon beside the “OneClass Easy Invite” extension. A dialog box appears.
  7. Select Remove.
  8. Close all Chrome windows and return to the Extensions page to verify the extension has been removed.
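
The permission named in the installation prompt above corresponds to all-sites host patterns in an extension's `manifest.json`. The following is an added example, not part of the original alert or any Mount Royal tooling: it lists installed extensions that request that access, so the removal can be verified and other over-privileged extensions spotted. It assumes Chrome's usual on-disk layout of `Extensions/<extension id>/<version>/manifest.json` inside the browser profile; the sample manifests are constructed.

```python
import json
from pathlib import Path

# Host patterns behind Chrome's install warning
# "Read and change all your data on the websites you visit".
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(items):
    """Keep only string entries (permission lists may also hold objects)."""
    return {i for i in items if isinstance(i, str)}

def broad_host_access(manifest):
    """Return the all-sites patterns a manifest requests, sorted."""
    requested = _strings(manifest.get("permissions", []))         # Manifest V2
    requested |= _strings(manifest.get("host_permissions", []))   # Manifest V3
    for script in manifest.get("content_scripts", []):            # injected scripts
        requested |= _strings(script.get("matches", []))
    return sorted(requested & BROAD)

def audit_extensions(ext_root):
    """Scan <ext_root>/<extension id>/<version>/manifest.json files."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if not isinstance(manifest, dict):
            continue
        hits = broad_host_access(manifest)
        if hits:
            # "name" may be a localisation placeholder such as __MSG_appName__
            findings.append((path.parts[-3], manifest.get("name", "?"), hits))
    return findings

# Constructed sample manifests (not taken from any real extension).
SAMPLE_ALL_SITES = {"name": "Example Invite Helper", "manifest_version": 2,
                    "permissions": ["tabs", "<all_urls>"],
                    "content_scripts": [{"matches": ["https://*/*"],
                                         "js": ["inject.js"]}]}
SAMPLE_SCOPED = {"name": "Example Notes", "manifest_version": 3,
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    print(broad_host_access(SAMPLE_ALL_SITES))
    print(broad_host_access(SAMPLE_SCOPED))
```

To check a real profile, pass the profile's `Extensions` directory to `audit_extensions`; an extension that legitimately needs all-sites access will also be listed, so each finding still has to be judged by whether you trust its source.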

Remember to use the link on the MyMRU log in page to change your password, and to change your password on any other sites you used while the extension was installed.

Any students who need assistance can contact START http://www.mtroyal.ca/AboutMountRoyal/TeachingLearning/AcademicDevelopmentCentre/START/index.htm and any staff who need assistance can contact the Service Desk at 6000.

Dailymotion Accounts Hacked – 12/07/16


Around the 20th of October, 85 million usernames and emails were taken from Dailymotion servers along with 18 million hashed passwords. For those of you who don’t use Dailymotion, it is a popular video-sharing website. Because the passwords were hashed, it will take some time for the cyber criminals to crack them. This gives users time to change the password on their Dailymotion account, as well as the password for any other account that uses the same password.

Once again this drives home the importance of having a different password for each account. It is not a matter of if one of your accounts will get hacked, it is a matter of when. Limit the damage…use unique passwords.

Alert – Phishing Email Targeting the Mount Royal Community – 11/24/16

Here is the latest phishing email pretending to come from the IT Service Desk. How do you know it is a fake? It contains an email address that is not found on the Mount Royal network and it uses poor grammar. Other things that are suspicious, but not clear giveaways, are that it is addressed to “account user” instead of a person and that the link takes you outside of the Mount Royal website.

If the following email shows up in your inbox, please do not click on any of the links or reply to the email. Please delete it immediately.

Looking for a handy desk reference to print off and refer to when trying to determine if an email is legitimate? Print out this one created by KnowBe4.

AdultFriendFinder Hacked! – 11/16/16


A massive data breach of the adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts, including (and this is really bad) over 15 million “deleted” records that were not purged from the databases. Over the weekend it became clear that 339 million names, addresses and phone numbers of registered users at the AdultFriendFinder site were hacked. All these records are now owned by cyber criminals, exposing highly sensitive personal information. On top of the AdultFriendFinder records, 62M accounts from Cams.com, and 7M from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company.

Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can “check if your spouse is cheating on you”, or ways to find out if your own extramarital affair has come out.

Any of these 339 million registered AdultFriendFinder users are now a target for a multitude of social engineering attacks. People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

There will be phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, let alone the divorce lawyers and private investigators that are going to pore over the data.

Be on the lookout for threatening email messages that slip through spam filters and have anything to do with AdultFriendFinder, or that refer to exposing your activity on the site, and delete them immediately, both in the office and at the house.

Do not click on any links or open attachments in emails that appear to come from AdultFriendFinder. Instead, go directly to the website to change a password or get more information.

Please forward this to friends, family, colleagues and peers.

New Tech Support Scam – 11/07/16


The latest tech support scam pushes malicious code through a compromised webpage ad. When you visit a site, instead of seeing a regular ad, you get a large pop-up that appears to be from Microsoft, warning you that your system has been infected and asking you to call tech support to resolve the issue. No matter how you try, you cannot get rid of the pop-up. The malicious code uses up all your computer resources, freezing your computer.

The pop-up looks just like it comes from Microsoft…how do you know for sure that it is a scam and not a legitimate warning from Microsoft? There are several tells that indicate this is not a legitimate warning:

  1. Anti-virus/malware warnings do not appear from within a web page or browser.
  2. Microsoft does not send warnings of systems being infected.
  3. Legitimate anti-virus/malware warnings from your anti-virus software do not ask you to call tech support.
  4. You cannot get rid of the pop-up.

If you encounter this annoying scam, what do you do? The good news is that all the code is doing is using up computer resources; it isn’t actually harming your computer. To get rid of the pop-up and free up your computer, just launch your Task Manager and shut down the browser. If you cannot launch the Task Manager, turn the computer off. Whatever you do, do not call the tech support number. They are scammers and will simply rob you of hundreds of dollars.

Dropbox and Adobe Breach Affects Mount Royal Users – 10/24/16

In 2012 there was a very large breach of Dropbox and Adobe credentials. At that time, Dropbox and Adobe passwords were compromised. We have been notified that Mount Royal email addresses were associated with this breach. As a result, we are concerned that some users may have used their Mount Royal password for their Dropbox or Adobe login as well.

If there is any chance that you used your MyMRU password for Dropbox or Adobe, we are asking you to change your MyMRU password immediately. This will also change your Mount Royal Gmail/Google and Blackboard passwords. To change your password, please use the “Change your password” link located on MyMRU.

As login credentials for any site can be compromised, we are encouraging everyone to always use a unique password for each of their accounts. Using a password manager such as KeePass is an easy and safe way to generate, keep track of and store your passwords.

For tips on creating strong, secure passwords and using KeePass, please refer to the Creating Passwords section of the mru.ca/itsecurity webpage.  

We thank everyone for doing their part to keep their accounts secure.

ALERT – Increased number of emails with malicious links

University email addresses are receiving an increased number of malicious emails today due to several compromised @mtroyal.ca accounts.

Here is what you need to know:

  1. Please be extra vigilant about opening links and documents that you did not expect, even if you know the sender.
  2. As a temporary measure to address this issue, internal mail is being checked by Google’s spam filters. Usually, internal messages bypass spam checking, so please check your spam folder if you think that a legitimate email may have been flagged as spam by accident.
  3. If you have already clicked on a suspicious link today, please change your password and contact ITS as soon as possible.

If you need assistance or have other questions, contact the IT Service Desk.