Cybersecurity Blog

If you don’t report, we don’t know – 03/17/20

With the world in meltdown, cyberattackers took advantage of the mayhem to send a slew of spear phishing emails to several departments. Most of those departments had a member who reported the suspicious email right away. As a result, we were able to notify their colleagues before most of them had even opened it.

Unfortunately, one department was left vulnerable. None of its members reported the malicious email sent to them. We eventually found it, but much later, and the notification went out with a delay. That delay increased the chances that someone would become a cyberattack victim.

We know that all of you have a lot on your minds trying to figure out how to teach and work from home. However, during this challenging time, please don’t forget to take those extra two seconds to let us know when something suspicious lands in your inbox. The sooner we know, the sooner we can let everyone else know and reduce the risk to everyone’s data, including yours.

What do you do with those invites from Alignable? – 02/14/20

Across campus an email similar to the following has been popping up in inboxes.

According to their website, Alignable is

…the online network where small business owners across North America drive leads and prospects, generate referrals, land new business, build trusted relationships, and share great advice.

Their website is slick and professional. It has an impressive list of testimonials, and logos of media outlets are prominently displayed. Everything on the site is designed to make the service look like it is widely used and trusted.

While there is no doubt that this is a legitimate service, their marketing practices appear to be a bit troubling. Those reporting the Alignable invites to abuse@mtroyal.ca often remark that they do not know the person who sent the invite. Others complain that they did not sign up for the service, yet everyone in their contact list has been spammed.

These complaints are not just coming from our community. The Better Business Bureau has 19 similar complaints, while Trustpilot gives it a 51% excellent rating and a 40% bad rating with very little in between. A polarized distribution like that usually indicates that the positive reviews are not organic, often because a bot is posting them.

Scouring the rest of the internet turns up influencers saying it is an amazing tool that you should try, while other folks warn to stay away unless you want to spam your contacts. It is difficult to know what the real story is.

What I can tell you is unhappy users have experienced the following:

  • They have been signed up for the service when they click the cancel button on the would-you-like-to-join dialog box.
  • They have had their entire contact list spammed with invites without their permission.
  • They have had invites sent out on their behalf without ever joining the service.

It is not possible to say whether these actions are deliberate or Alignable has a glitch in its service. Either way, I suggest that before you accept one of their invitations you treat the email like any other coming into your inbox and contact the person who sent it to make sure it is legitimate. While you are at it, ask them about their experiences with the platform. If they give you the green light, then you are good to go. If not, delete the email.

What have your experiences been with Alignable? I would love to hear about them. Please post your comments below.

Email from The Spamhaus Project is fake – 01/31/20

The latest phishing email to arrive in MRU inboxes is this beauty that looks like it comes from The Spamhaus Project, an international organization that creates block lists of spammy and phishy email senders.

This email is a bit clever, as it uses a link to the real Spamhaus Project website to convince you the email is legitimate while threatening to block your email address. A link to a genuine site proves nothing about who sent the message, though, and the painfully bad grammar, zip file attachment and wrong sender address clearly mark it as a phishing attempt.

You have to give them credit for trying, though. If you are in a hurry and don’t take the time to read the email carefully, the odds are pretty good you will panic and click. Don’t get caught: slow down, stop and think before you click.

Mount Royal University’s email policy clarified – 01/31/20

Updated: 02/07/20

In the When to use your @mtroyal.ca email address article, I outlined some general guidelines on how to determine which email address you should use for creating accounts and accessing online services. That article generated a slew of questions about the availability of email accounts once someone leaves the University. I thought it would be helpful to clarify who gets to keep their account, under which circumstances and why.

Our email policy states

The University provides an email account to all faculty, staff and students to be used in the course of their duties or activities at the University. The University may also provide an email account for alumni, retirees, and professor emeriti, as well as others at the discretion of the University.

All email accounts and associated addresses are the property of the University.

So what does this actually mean and how is this policy implemented? Well that depends on who you are and under what circumstances you leave the University.

  • If you are a staff member your access to your email will be terminated regardless of why you leave. This is to ensure business continuity.
  • If you are a faculty member the same rule applies unless you are leaving due to retirement. Retired faculty members get to keep their email accounts as long as they adhere to the email policy. This is part of their collective agreement.
  • Students retain permanent access to their email account.

Regardless of who you are and why you left, the University owns the email account and can revoke your access at any time. The most common reason is not following the email policy. However, it is at the discretion of the University to revoke it for any reason it deems credible, such as a change in policy or a change in email provider.

Therefore you should never consider your @mtroyal.ca email account to be yours for life. It is yours until the University decides it is not. That is why I suggested all MRU account holders follow the guidelines outlined in the When to use your @mtroyal.ca email address article. The guidelines ensure that you maintain access to your accounts even if your access to your @mtroyal.ca email address is lost.

Another thing to consider is FOIP requests. According to the email policy, any email sent with your @mtroyal.ca account is subject to a FOIP request regardless of whether the content of the email is personal in nature or not. If you don’t want your personal emails to show up in a FOIP request, don’t use your @mtroyal.ca account to send them.

If you have any questions about email access or the email policy please contact the Service Desk, they will be happy to help.

 

When to use your @mtroyal.ca email address – 01/27/20

In today’s modern world, the lines between our personal lives and our work or school lives often become blurred. We are shopping on Amazon on our lunch hour and answering University emails from our laptop at home. This often makes it difficult to determine when you should use your @mtroyal.ca email to sign up for an account or service and when you should use your personal email.

A good guideline is to use your personal email address for anything that you want to use or have access to even if you aren’t working or attending Mount Royal University. For those services and accounts that you will only access WHILE working or attending the University, use your @mtroyal.ca email address.

When sending university related emails, use your @mtroyal.ca account. It reduces the chances your email will be mistaken for a phishing attempt and reported to abuse@mtroyal.ca.

Following these guidelines reduces our exposure: every third-party account created with an @mtroyal.ca address is one more place those credentials can leak from when that service is breached. It also makes it easier for you to maintain access to services and accounts when you retire, graduate or go to work for another organization. In addition, it means you will get fewer notifications from us that your email was part of a data breach. Less work for us, less hassle for you…everybody wins!

 

How cybersecurity experts become victims – 11/26/19

Every month I send out a nice little phishing training email to give our wonderful users across campus some practice identifying them. The people who click, whether they are repeat clickers, work in IT or are Cybersecurity Champions, all tell me the same thing: they were trying to decide whether to click while they were in a hurry or on their phones.

The dangers of doing this were highlighted in the Our Community article “I knew I’d been scammed”, which details how one of Mount Royal’s community members became a victim of a gift card scam. Now KnowBe4 has written its own article describing how one of its cybersecurity professionals clicked on three phishing training emails in two months. In both cases the individuals were well educated in how to identify a phishing email but were in a hurry and using their phones. The message that keeps getting repeated is to SLOW down.

Before you decide what to do with an email, STOP. If you are on your phone, deal with it later at your workstation. If you are in the midst of doing 100 things, deal with it when you have time to evaluate it properly.

Taking these simple steps will help keep you from becoming a victim.

 

Watch for payroll related phishing emails – 11/05/19

Tuesday morning was an exciting one for the security team. Over 900 inboxes received the following email.

I am delighted to report that a huge number of you were superheroes and forwarded the email to abuse@mtroyal.ca. Thanks to you we were able to block the target page and limit any damage. Even though so many of you spotted the email as a phish right away, the high number of recipients led Marketing and Communications to make the unusual decision to issue a campus wide alert.

While we were investigating the incident, we discovered that the attacker spent a lot of time viewing our Payroll webpage. There is an excellent chance that the attacker will use this information in the near future to create another phishing email.

We are asking everyone across campus to keep an eye out for payroll or HR related phishing emails over the next little while. If you receive an email that appears to come from HR or Payroll, check the sender’s email address carefully. Even if the address is correct, call the sender to confirm that they actually sent the email; a correct address can still be spoofed or belong to a compromised account.

Should you find the email to be malicious, do what your colleagues did this morning and forward the email to abuse@mtroyal.ca. You too can be a superhero!

Fake login pages mimic the real thing giving you no clue you have just been compromised – 10/25/19

For a while now, I have been warning against clicking on links in emails from organizations that you know. Instead, I have encouraged all of you to visit the organization’s website directly using a bookmark. A report of a new phishing campaign targeting Stripe users shows why this advice is so important to follow.

This campaign involves an email that tells the intended victim that there is something wrong with their account details. They are asked to log in to their Stripe account to update them and are given a handy button that appears to take them to the Stripe login page. The page is of course a spoof and, although it looks exactly like the real one, every credential entered is collected by the thieves.

The fraudulent page is set up so that once you have entered your credentials, the attackers immediately replay them against the real Stripe login and pass you through to your actual account. From your point of view, nothing is amiss. They now have your login credentials, you are none the wiser, and they have hours if not days to withdraw funds before you even notice.

Although this campaign is targeting Stripe users at the moment, the same tactic is used against all sorts of users. This is a gentle reminder not to click on links in emails from organizations that you know, but to use a bookmark instead. If you don’t have the site bookmarked you can use search results, but proceed with caution, as more and more fraudulent sites are appearing there too.

New phishing email tactic, the found student pass – 10/17/19

Those clever cybercriminals have come up with another tactic to get you to click on something you shouldn’t. Introducing the “I found an ID pass” phishing email.

What makes this email so diabolical is that it has no sense of urgency. In fact it asks nothing of you at all. It simply lets you know that a pass was found and is being mailed. Its calm, indifferent manner lulls you into thinking the email is harmless. It counts on the reader being so curious that they throw caution to the wind and click the link to see whose ID was found. Quite ingenious really.

If you receive an email of this sort, delete it and wait for the mail to arrive.

MRU employee checks for email legitimacy and talks to the hacker – 10/17/19

One sure-fire way to avoid becoming a victim of a cyberattack is to call the email sender to verify that they did in fact send the email. That is a message I preach over and over again all over campus. I am happy to report that my message is being heard and acted upon…sort of.

Here is the email that one of our staff received in their inbox.

The staff member knows the sender and, aside from the poor grammar, the email is spot on. The attachment was indeed a SharePoint document, so she opened it. However, when she found nothing but a greeting and a link to another document, she paused. She knew that email addresses could be spoofed and realized she should confirm the legitimacy of the email. So she sent this email.

She correctly did not reply to the original email, but created a new one and sent it to an address from her contact list. This is the reply that she received.

Before she could check the invoice, she received this email.

The sender’s email account had been hacked! It didn’t occur to our staff member that if someone else was controlling her colleague’s mailbox, it wouldn’t be her colleague who responded, no matter which address she typed. She gets an A for verifying the legitimacy of the email, but she gets an F for talking to the hacker.

The lesson has been learned. When confirming email legitimacy, use the darn phone. A 30 second phone call can save you from a world of hurt.