IT Security Blog

How we get notified of an account breach – 11/23/18



Not every hacker makes their money by breaking into accounts and stealing funds or ransoming your data. Some hackers are content to simply break into servers and steal usernames, passwords and other personal information that they then sell on the dark web. It is quite a niche business.

To combat this evil, an enterprising fellow named Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale. You can access this information for free at Have I Been Pwned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.

This gives you the opportunity to change your password and username or delete the account. This is an easy process if you don’t reuse passwords. It is a huge headache if you do. What’s even cooler, you can subscribe to an alert service so they will automatically notify you when there is a new account breach. This is so awesome, Mount Royal even subscribes.

We get notified when anyone with an email is involved in a breach.  We also get told which account was breached.  We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.

So if you are using your account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach.  It gets awkward for everyone.

This is a friendly reminder, only use your email account for business. IT Services thanks you.


Scammers sending emails that look like they came from your account – 10/24/18



There is a new twist on the you have been naughty scam.  Criminals are sending emails that once again claim that they have evidence that you have been visiting porn sites and if you don’t pay them, they will make that information public.

The newest form of the scam claims that they have installed a RAT (remote access Trojan) on your computer that allows them to send the evidence from your device. To drive home the point, the email looks like it has come from your email account.

The good news is, it is all a big bluff.  They don’t have access to your email, they are only spoofing the email address. Your account is secure.  Your reputation is intact and you can peacefully delete the email.


Fake emails asking you to update student loan info – 09/18/18



It’s that time of the year again. Books have been purchased, classes have begun and the fake student loan emails have arrived. Be on the lookout for emails asking you to update your banking information, confirm billing information and to view statements.

If you receive one of these emails, treat it as you would any other email coming from an organization you know: visit their website directly using a bookmark or browser search results. You can check your statements, update information and read notifications there. If you still have concerns, their website will have their contact information and you can phone or message them. Just make sure you don’t use the contact information in the email; you may be phoning or emailing a real live criminal.


Just because a link looks safe, doesn’t mean it is – 09/07/18



For many of you, not clicking on email links is an obvious choice.  You wonderful folks are the ones who follow best practices and use a bookmark or browser search to access information given to you in an email.  However, there are braver souls out there who prefer to live on the wild side. They hover over links and then determine whether or not it is safe to click.

The argument I hear is… “I know the URL is correct, I have it memorized.” Here is the problem. Unicode is used to determine what character should be displayed in a field. It incorporates tons of different writing systems from various languages by giving each character of each language a different code. This is done even if they look the same to the naked eye. So an English “a” is considered to be a different character than a Cyrillic “a”, even though they look identical. This allows hackers to create fake websites that look official right down to the domain name. There is no way to tell by looking at them which one is legitimate.

The fun doesn’t stop there.  Even if our hacker isn’t sophisticated enough to use the Unicode trick, there are several letters on a keyboard that are extremely similar and can be confused for one another. For example, the letters “I” and “l” are two different letters on the keyboard but look almost identical on the screen.

As clever as the hover trick is, if your hacker is using any of these techniques, you will end up with a data breach.  To truly make sure you aren’t going somewhere you would rather not, stick with the bookmarks and browser search results. Those will take you to the right website every time.
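The check below is an added example, not code from the original post. It shows how a script can see what the eye cannot: it lists the scripts used in each label of a hostname, gives the punycode form, and compares the name against a constructed allow-list (`TRUSTED`) using a small, illustrative look-alike map. All function names and sample domains are assumptions.

```python
import unicodedata

# Constructed allow-list of sites the reader actually means to visit (assumption).
TRUSTED = {"example.com", "example.org"}

# Small illustrative map of ASCII look-alikes; not a complete confusables table.
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o", "O": "o"})


def letter_scripts(label):
    """Scripts used by the letters of one DNS label (first word of the Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold ASCII look-alikes together so 'exampIe' and 'example' compare equal."""
    return host.translate(LOOKALIKES).lower()


def inspect_host(host):
    """Report why a hostname copied from a link should not be trusted on sight."""
    flags = []
    for label in host.split("."):
        used = letter_scripts(label)
        if used - {"LATIN"}:
            flags.append(f"label '{label}' uses {sorted(used)} letters")
    for good in TRUSTED:
        if skeleton(host) == skeleton(good) and host.lower() != good:
            flags.append(f"ASCII look-alike of {good}")
    # The xn-- (punycode) form is what DNS resolves; it exposes the substitution.
    return {
        "host": host,
        "ascii_only": host.isascii(),
        "punycode": host.encode("idna").decode("ascii"),
        "flags": flags,
    }


if __name__ == "__main__":
    # Constructed samples: genuine name, Cyrillic 'a' (U+0430), capital I for l.
    for sample in ("example.com", "ex\u0430mple.com", "exampIe.com"):
        print(inspect_host(sample))
```
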



ALERT – Mount Royal targeted with fake Sharefile requests – 04/12/18

A college that we communicate with regularly has had one of their email accounts compromised. As a result, several people around campus have received emails with requests to Download Attachments from Sharefile.  The emails look like this:

The name of the college and the email sender have been blurred out to protect their privacy.


What makes these emails so devious is that they come from someone that Mount Royal staff have been conversing with recently. This makes it much more challenging to identify them as malicious.

This is a gentle reminder to everyone: when you receive an unexpected email with a link or attachment, contact the email sender using a contact number that you have used in the past or have found through Google. Even if you have been speaking with them recently, if you aren’t expecting the email, call to confirm its legitimacy. Just because an email looks like it comes from someone you know, doesn’t mean it does.

That is what our brave Mount Royal employee did and as a result prevented a potentially serious cyber security incident. Had they simply clicked on the Download Attachments button and followed the instructions, they would have given the hacker their Docusign credentials. Who knows what that would have led to.

Criminals find a way around two step verification in Google – 04/11/18

Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add a level of security to your accounts. However, enterprising criminals have found a way around it.

How did they do it?  Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.

Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset. Pretty clever, huh?

Of course, what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game, they are hoping to catch you off guard so you just send them the code.

For the record, no one will ask you if you don’t want to do something with your account.  As soon as someone asks you for confirmation to NOT do something, you know the jig is up.  This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.


ALERT – Mount Royal staff victimized by phishing email that is a reply to an old thread – 03/26/18

Mount Royal employees are receiving emails from a vendor that are actually replies to a legitimate message. As the message is a reply and it is from someone we do business with, employees have been tricked into opening the attachment more than once, putting our network at risk.

How the heck did they manage to reply to a message that the vendor had sent ages ago? Simple, the vendor’s email account was hacked. Once the hackers had access to the email account, all they had to do was scroll through the emails in the sent folder until they found one that mentions an invoice and reply to it. Of course they attached an edited invoice containing a nice little keylogger trojan onto it first.

Those that opened the attachment found a blank document and then contacted the Service Desk to see why.  The Service Desk calmly explained all their keystrokes were being recorded by malware they had unintentionally installed and then sent support staff to re-image (wipe clean and re-install) their machines.

Unfortunately this is not the first time that Mount Royal University has been targeted by this type of attack.  Late last year another vendor had their email account compromised and multiple Mount Royal staff members received replies to an old meeting invite containing a document that “required their input”.  That document contained malware as well and once again we were re-imaging machines.

How do you know when an email from a vendor contains a malicious link or attachment? Truthfully, you don’t. The only red flag on either of these emails was the date of the original message. The email thread was months old and was used in the attack because it contained a subject that would allow an attachment to be added to it without looking odd. However, a recent message could also have been used if it had contained the right content.

So how do you protect yourself from such attacks? You call the vendor when you receive an email with a link or attachment and confirm that they sent the email. You do not reply to the email: if their email account has been compromised, you will be conversing with the hacker. Do not use the contact information found in the email to contact the vendor either. The hacker may have changed the email signature. Use a contact number that you find in a Google search or that you have used before.

Yes, horrors, you have to actually pick up the phone and talk to a person. However, it will practically eliminate the risk of having your machine wiped clean and the operating system re-installed. Not a fun way to spend the morning.

Fake Email Appears to Come from Google – 02/16/18

Has this email shown up in your inbox?

It comes from an email address that totally looks legit. The email address displayed is the one you gave Google when setting up your Gmail account. When you hover over the links, they seem legit. Do you click or not?

You definitely don’t click. Cyber criminals are getting better and better at creating emails that look completely legitimate. Trying to determine whether to click or not is getting harder and harder. If you receive emails from a company or organization that you know, do not click on links or open attachments but go directly to their website to look for the info.

If you receive this message from Google in your inbox:

  1. Log in to your Google account.
  2. Go to My Account.
  3. Scroll down to locate Sign-in and security.
  4. Select Device activity & security events. If there is an issue with your account, the details will be listed here and you can change your password.

Of course if you had enabled two step verification, you wouldn’t have to worry. The criminal wouldn’t be able to access your account even if they had your password and you would have been notified outside of email that there was an attempted breach.


How do you know for sure your buddy sent you that email? You don’t. – 02/14/18

While navigating the scary world of cyber security, most of us have felt safe clicking on whatever we find in an email from a trusted friend or colleague. After all we know who they are.  However, did you know that it is possible for a cyber criminal to send you an email with your friend’s name and email address sitting in the sender field? That’s right. You can receive an email that appears to come from someone you know, but in reality comes from a criminal.

How is one to determine if the email actually comes from the person who appears to have sent it? If you simply reply to the email and ask, you may be talking to the hacker. If you use any contact information in the email, you may be talking to a hacker. The only way to determine if an email legitimately comes from someone you know is to call them using a phone number you know is legit. That’s right, you have to pick up a telephone, call them and ask if they sent you the email. I know many of you are shaking at the thought of having to actually have a conversation over the phone; however, this is the only sure way to know if the email came from them.

Some of you may be thinking, “Hey I can just email them using an email address that I know is legit”. Problem is, their email account may be compromised and they may not even know it. Others may be thinking, “I can just look for phishing red flags”. You are right, you sure can. However, cyber criminals are getting better and better at constructing emails. There are fewer and fewer red flags to spot. If you choose not to make the call, you are taking a risk. Make your life less stressful, just pick up the phone. One call can guarantee the click is a safe one.

Payroll related phishing email making the rounds – 02/02/2018

Another day, another phishing attack making the rounds. The latest asks you to confirm your identity by clicking on a link and logging in. These emails often refer to issues with your paycheck or benefits that need to be resolved. Replying to one of these emails and asking for more information results in a very quick and convincing response assuring you everything is on the up and up.

If you ever receive an email asking you to use a link to log in to confirm your identity, close the email and log in to the site directly using a bookmark or Google search result. If the request is legitimate, you will be able to find it on the official website. If you cannot find the information and are still not sure of the email’s legitimacy, contact them by phone or email using contact information taken from their official site. If you do determine that the email is a phish, forward it to and then report it as phishing to Google.

As always, if you are in doubt contact the IT Service Desk.