Cybersecurity Blog

Must Read – MRU inboxes receive malicious Google Drive file share 03/20/19

Another day, another clever criminal trying to break into our network. This time they tried using the Google Drive to do it. Tuesday morning several employees found this in their inbox.

 

 

The Word Doc link is totally legit.  If you click the link, it takes you to this document.

 

 

Clicking the link in the Word document takes you to a legitimate website that has been compromised. The site asks you to login to Office 360 to access the document. Of course if you do, you are giving some miscreant your Office 360 login credentials.  They can then sell your credentials on the dark web or use them themselves to wreak havoc on your data as well as the data of others. Fun, Fun, Fun.

Because the Google Drive file share and the website are legitimate, they won’t be flagged by anti-virus or the firewall. It is actually very clever. However although it may get by the technology, a person can easily spot this as malicious. In fact, we had two different reports sent to abuse@mtroyal.ca about this one. Way to go MRU!!

For those of you who aren’t already yelling at the screen, “Come on, that is so obvious”, I am going to walk you through the red flags.  First one is the email is sent by Benjamin Kuiper from the email address benkuiper3000@gmail.com. Clearly not a Mount Royal email and he is not listed in the directory. Fail number one.

Second, the doc says it was being shared by Benjamin and David Hyttenrauch. This doc was sent to people on David’s team so even though they didn’t know who Ben was, they sure as heck knew who David was. This got the desired attention. However, you can’t send an invite to share one file from two people. Clearly, this Word doc was shared by Benjamin and the sneaky dude entered the rest of the deceiving information into the Add a note field in the Share with others dialog box to make it looks like Dave was involved. Fail number two.

Third, when you open the document it tells you that you  have a file waiting for you on the OneDrive. OneDrive file shares are not sent with links in Word documents. Fail number three.

Lastly, if you were to hover over the link in the Word document you would see that it does not go to OneDrive. Fail number four.

As clever as criminals are, most of them can be stopped by alert employees who take the time to look at emails with links and attachments critically.  As we have seen in this example, the majority of the time phishing emails contain clear clues that something is not right. Don’t get caught up in the emotion of the moment. Like our wonderful employees, take the time to really look and make sure that the email is what it appears to be. Your data, your colleagues and your IT department will thank you.

 

 

 

Why enabling two-factor authentication is more important now than ever – 02/28/19

 

 

Two-factor authentication (2FA) and it’s cousin, two-step verification is available on a variety of accounts such as Google, Facebook, LinkedIn, Yahoo, Twitter and Instagram. When it is enabled, after you successfully enter your password on a strange computer you are asked to respond to a prompt or enter a verification code sent to your phone.  This ensures that even if your password is compromised, your account will stay secure. That is unless the criminal has your phone as well.

If that is the case, you are having one heck of a day and require support that is outside the scope of this article. I hope your phone is password protected and I wish you good luck. I digress. Back to why enabling 2 FA has become so important.

Last month we saw enormous lists of login credentials popup on the dark web. While previously miscreants had to purchase this valuable information, these large collections of usernames and passwords are now available for free. Aspiring Kevin Mitniks the world over can now try their hand at cybercrime, no upfront credential purchase needed.

As a result we have seen a big jump in credential stuffing attacks. Some of them on home security cameras with terrifying results.  Ideally you should have a unique password for each account. However if this particular habit has not yet been entrenched, two-factor authentication will save your bacon

Although registering your email on Have I Been Pwned, will let you know if your password has been compromised, it takes time before a data breach shows up on their radar. With 2FA as soon as you receive a verification code or prompt on your phone,  you know someone has stolen your password. This early warning system allows you to change the passwords on your accounts that don’t have 2FA before any damage is done.

Hopefully I have convinced you that two-factor authentication is no longer something that is nice to have, but is essential to securing your data. The next question is, “How do I start using it?”. Thankfully, there is this really great quick reference guide that walks you through the steps on how to enable 2FA on your Mount Royal email account. And yes, I wrote it…that’s why it’s really great. If you have any questions or need some help with the process, please feel free to contact me.

You can also come down to Main Street on March 13, April 10 or May 7. I will be there with my prize wheel. If you talk to me about two-factor authentication, you can spin and win.

 

Must Read – The MRU impersonators are ramping things up – 02/28/19

 

Phishing emails that appear to come from Mount Royal University supervisors are making their appearance again. This time they are throwing in the whole, “I am going into a meeting with limited phone calls, so just reply to my email”  nonsense to try and keep you from calling the person directly to verify the legitimacy of the email.

Thankfully they are still using lame sender email addresses, so they are pretty easy to spot if you take the time to look. However,  they have started to use a new tactic that is concerning. They some how have gotten a hold of cell phone numbers and are now texting Mount Royal employees asking them to contact the texter immediately as they have a task for them. The messages appear to come from the employee’s supervisor.

How do you protect yourself from social engineering via text message?

  1. Don’t click on links in text messages
  2. Be suspicious of requests that are outside of regular procedures or processes
  3. Don’t give out information that the person you are talking to should already have

A good rule of thumb is, if it doesn’t feel right it probably isn’t.  If you get a strange request from your supervisor, politely let them know you will get right back to them and hang up. Then contact them using an email or phone number that you know is legitimate.

 

How we get notified of an account breach – 11/23/18

 

 

Not every hacker makes their money by breaking into  accounts and stealing funds or ransoming your data. Some hackers are content to simply  break into servers and steal usernames. passwords and other personal information that they then sell on the dark web.  It is quite a niche business.

To combat this evil, an enterprising fellow name Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale.  You  can access this information for free at have i been powned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.

This gives you the opportunity to change your password and username or delete the account.   This is an easy process if you don’t reuse passwords. It is a huge headache if you do.  What’s even cooler,  you can subscribe to an alert service so they will automatically notify you when there is a new  account breach.  This is so awesome, Mount Royal even subscribes.

We get notified when anyone with an @mtroyal.ca email is involved in a breach.  We also get told which account was breached.  We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.

So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach.  It gets awkward for everyone.

This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.

 

Scammers sending emails that look like they came from your account – 10/24/18

 

 

There is a new twist on the you have been naughty scam.  Criminals are sending emails that once again claim that they have evidence that you have been visiting porn sites and if you don’t pay them, they will make that information public.

The newest form of the scam claims that they have installed a RAT (remote access Trojan) on your computer that allows them to send the evidence from your device. To drive home the point, the email looks like it has come from your email account.

The good news is, it is all a big bluff.  They don’t have access to your email, they are only spoofing the email address. Your account is secure.  Your reputation is intact and you can peacefully delete the email.

 

Fake emails asking you to update student loan info – 09/18/18

 

 

Its that time of the year again.  Books have been purchased, classes have begun and the fake student loan emails have arrived.  Be on the look out for emails asking you to update your banking information, confirm billing information and to view statements.

If you receive one of these emails treat it as you would any other email coming from an organization you know, visit their website directly using a bookmark or browser search results.  You can check your statements, update information and read notifications there.  If you still have concerns, their website will have their contact information and you can phone or message them.  Just make sure you don’t  use the contact information in the email, you may be phoning or emailing a real live criminal.

 

Just because a link looks safe, doesn’t mean it is – 09/07/18

 

 

For many of you, not clicking on email links is an obvious choice.  You wonderful folks are the ones who follow best practices and use a bookmark or browser search to access information given to you in an email.  However, there are braver souls out there who prefer to live on the wild side. They hover over links and then determine whether or not it is safe to click.

The argument I hear is…”I know the URL is correct, I have it memorized”. Here is the problem.  Unicode  is used to determine what character should be displayed in a field. It incorporates tons of different writing systems from various languages by giving each character of each language a different code. This is done even if they look the same to the naked eye. So an English “a” is considered to be a different character than a Cyrillic “a”, even though they look identical.  This allows hackers to create fake websites with domain names that look official right down to the domain name.  There is no way to tell by looking at them, which one is legitimate.

The fun doesn’t stop there.  Even if our hacker isn’t sophisticated enough to use the Unicode trick, there are several letters on a keyboard that are extremely similar and can be confused for one another. For example, the letters “I” and “l” are two different letters on the keyboard but look almost identical on the screen.

As clever as the hover trick is, if your hacker is using any of these techniques, you will end up with a data breach.  To truly make sure you aren’t going somewhere you would rather not, stick with the bookmarks and browser search results. Those will take you to the right website every time.

 

 

ALERT – Mount Royal targeted with fake Sharefile requests – 04/12/18

A college that we communicate with regularly has had one of their email accounts compromised. As a result, several people around campus have received emails with requests to Download Attachments from Sharefile.  The emails look like this:

The name of the college and the email sender have been blurred out to protect their privacy.

 

What makes these emails so devious is that they come from someone that Mount Royal staff have been conversing with recently. This makes it much more challenging to identify them as malicious.

This is a gentle reminder to everyone to contact the email sender when you receive an unexpected email with a link or attachment using a contact number that you have used in the past or have found through Google.  Even if you have been speaking with them recently if you aren’t expecting the email, call to confirm its legitimacy. Just because an email looks like it comes from someone you know, doesn’t mean it does.

That is what our brave Mount Royal employee did and as a result prevented a potentially serious cyber security incident. Had they simply clicked on the Download Attachments button and followed the instructions, they would have given the hacker their Docusign credentials. Who knows what that would have led to.

Criminals find a way around two step verification in Google – 04/11/18

Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an added level of security to your accounts. However, enterprising criminals have found a way around it.

How did they do it?  Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.

Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset.  Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset.  Pretty clever huh?

Of course what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game they are hoping to catch you off guard so you just sent them the  code.

For the record, no one will ask you if you don’t want to do something with your account.  As soon as someone asks you for confirmation to NOT do something, you know the jig is up.  This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.

 

ALERT – Mount Royal staff victimized by phishing email that is a reply to an old thread – 03/26/18

Mount Royal employees are receiving emails from a vendor that are actually replies to a legitimate message. As the message is a reply and it is from someone we do business with, employees have been tricked into opening the attachment more than once putting our network at risk.

How the heck did they manage to reply to a message that the vendor had sent ages ago? Simple, the vendors email account was hacked.  Once the hackers had access to the email account all they had to do was scroll through the emails in the sent folder until they found one that mentions an invoice and reply to it. Of course they attached an edited invoice containing a nice little keylogger trojan onto it first.

Those that opened the attachment found a blank document and then contacted the Service Desk to see why.  The Service Desk calmly explained all their keystrokes were being recorded by malware they had unintentionally installed and then sent support staff to re-image (wipe clean and re-install) their machines.

Unfortunately this is not the first time that Mount Royal University has been targeted by this type of attack.  Late last year another vendor had their email account compromised and multiple Mount Royal staff members received replies to an old meeting invite containing a document that “required their input”.  That document contained malware as well and once again we were re-imaging machines.

How do you know when an email from a vendor contains a malicious link or attachment?  Truthfully, you don’t.  The only red flag on either of these emails was the date of the original message. The email thread  was months old and was used in the attack because it contained a subject that would allow an attachment to be added to it without looking odd.  However, a recent message could also have been used if it had contained the right content.

So how do you protect yourself from such attacks? You call the vendor when you receive an email with a link or attachment and confirm that they sent the email. You do not reply to the email as if their email account has been compromised, you will be conversing with the hacker.  Do not use the contact information found in the email to contact the vendor either.  The hacker may have changed the email signature.  Use a contact number that you find in a Google search or that you have used before.

Yes, horrors, you have to actually pick up the phone and talk to a person.  However, it will practically eliminate the risk of having  your machine wiped clean and the operating system re-installed.  Not a fun way to spend the morning.