Cybersecurity Blog

MRU slammed with fake Geek Squad subscription renewals – 11/25/2022

 

 

We have seen them before, the fake subscription renewals that arrive with the fake invoice attached. The hope is we will panic and call to cancel. When we do, they attempt to convince us that they over refunded us by thousands and demand we pay it back or they try to get us to install software on our machine so they can issue the refund. The result is an empty bank account, malware on your machine or both.

This week some very lazy attackers hit the campus with hundreds of these emails with various subject lines that all included the same fake Best Buy – Geek Squad subscription renewal invoice. I say they were lazy because the majority of them contained messages with no more than a word or two.  inboxes across the University were hit, many with several different versions of the same email.

I am delighted to report that instead of being taken in by these emails, dozens of people reported them. Our cybersecurity inbox was slammed and more reports keep coming in. Thank you to everyone who gave us a heads up.  Keep up the great work!

 

Campus flooded with fake ITS email notifications – 11/01/2022

 

While the trick and treaters were out collecting candy, cyberattackers hit the campus looking for their own treats…MRU login credentials. Over a thousand emails flooded campus inboxes. While the email subjects were varied, the contents were the same.

 

 

This email has two big red flags; the generic sending email address and the link that goes to a Jotform. While Jotform is a legitimate service used to create forms, much like Google forms, the use of the form was far from legitimate.  If you clicked the link you would be told that to access the pending emails, you would have to enter your MRU email credentials into the form. Once you do, the attackers have your credentials.

Of course as MFA is enabled on your account, they can’t just enter your stolen password and gain access to your email. They need to by pass the MFA. The most popular method at the moment is to bombard you endlessly with MFA prompts by repeatedly signing into your email. The hope is, you will get tired of being prompted and just tap, Yes it is me, just to get them to end. Some people finally give in.

I am proud to say that once these emails hit inboxes, the cybersecurity email was flooded with reports. Many of those reports included appreciation for the cybersecurity awareness training that prepared them for the attack.  Well done everyone!  Well done.

 

New Google feature looks like phishing – 03/25/2021

 

Google has launched a new feature for Google meet. Any time there are more than two people in a meeting, you will automatically receive an attendance list attached to an email. This email has the name of the meeting in the subject line. This works great when you have created the meeting in your calendar and given it a name. The email makes sense and it looks legit.

However, if you create the meeting through the Google chat or the Meet button in the Gmail window, there is no way to give the meeting a name, so Google does that for you. As a result you end up with an email subject line that includes a bunch of random capital letters in quotes.

At first glance this email looks really, really phishy. You have this weird looking subject, an attachment and you didn’t request an attendance report. But if you take a closer look at the sender’s email address, you realize that this is in fact coming from Google and it is a legitimate email.

If you receive an email like this and you are uncertain what to do with it, then please report it. However, hopefully now that you have a little more information you won’t feel so quite uncomfortable when that odd email shows up unannounced from Google.

 

 

Shared/delegated email accounts and MFA – 01/12/22

Google has started sending reminders to those who haven’t yet enabled multi-factor authentication (MFA) on their Mount Royal email account.  For those with a single email account the process is easy. However if you use a delegated, google group or shared email account there may be some confusion. Do you have to enable MFA or not? Well that depends on what type of account you have and how you use it.

Delegated accounts allow you to access emails from your own Mount Royal email account. Neither you nor anyone else that uses the account ever logs into it.  If you click on your profile pic in Gmail and see the account listed with delegated next to it, it is a delegated account.

Even though you may have received a notification to enable MFA on that account, you don’t have to. We know that is confusing so we are working on identifying all the delegated accounts so hopefully you will not get notifications in the future.

Shared accounts require you to login with a separate username and password to access emails.  The username and password are often shared by several people. They are usually set up because the generic account needs a Youtube channel or to set up its own google forms. If you have a shared account, please do not ignore the MFA notifications and contact the IT Service Desk to find out if MFA is required. This will be determined on a case by case basis depending on how the account is used.

Google groups aren’t actually email accounts so you don’t see them listed with your delegated accounts. They are mail lists that you subscribe to or create.  They are often set up to send emails directly to your inbox,  however you can also access the emails from the Google Group app. As Google groups are part of the Google Workspace, you don’t need to MFA them separately.  They are protected when you enable MFA on your MRU email account.

For more information on enabling MFA visit the Multi-factor Authentication web page.

The use and care of your MRU email address – 12/07/212

 

We are regularly notified that Mount Royal email addresses have been involved in a data breach through Have I been pwned. When we receive that notification, we are told what account provider was affected and which email addresses were involved.  This allows us to contact those who had their accounts compromised and ask them  to change their passwords.

With multi-factor authentication enabled, this is less of an issue. Even if a password is stolen, the attacker will not be able to get into a MRU email account without the second factor.  However it is still important that compromised passwords are changed, especially if the same one is being used for multiple accounts. So we are still receiving data breach notifications.

Usually the data breaches are for work related services. However, once in while we are notified that a gaming site, dating website or a site with adult content has been breached. If you have used your Mount Royal email address to access that site, we will be notified. It is awkward for everyone when that happens.

Please keep your private life private and only use your MRU email address for work purposes. We don’t need to know what you do for hobbies, how you spend your time outside of work or where you shop. Save us all the embarrassment and use another email address for your personal pursuits.  The security team thanks you.

 

Scammers use subscription renewals to trick you into downloading malware – 08/03-21

 

A social engineering tactic dubbed Bazacall is making a resurgence. This attack method first appeared in March, 2021. It starts with an email that arrives in your inbox. They use a variety of scenarios, however all encourage you to phone a number to resolve an issue. Their favorites appear to be notifying you that a subscription is going to be renewed or that a free trial is over. Details on the nature of that subscription are often left out, making it more likely that you will call to clear things up.

When you call, the “customer service rep” on the phone directs you to a very realistic website. Sometimes these websites are spoofed sites of real businesses, other times the businesses are completely fictitious. Once you are at the website they walk you through the steps to cancel the subscription, telling you what to click. Everything seems perfectly legitimate until you reach the final step. The last click on the website opens an Excel file that asks you to enable Macros.  If you continue to follow the instructions of the “rep”, the malware is downloaded and installed on your computer. The type of malware varies but typically they give remote access to your machine, allowing the attackers to gain access to to other devices on the network.

This phishing attack method is particularly dangerous as the email doesn’t contain any attachments or links which allows it to pass through inbox filters. In addition when you open it, it looks official and innocent. After all what can happen if you just call to cancel a subscription that you don’t want? However once you call, the “rep” is very good at social engineering. He or she develops trust and insists that this is the only way to ensure the charge doesn’t appear on your credit card.

The best way to defend yourself against this type of attack is to recognize that emails with vague information about a subscription being renewed are malicious. Thankfully with this attack you have a second chance to defend yourself. You can refuse to enable Macros when asked.  Remember to use your common sense and don’t let yourself be bullied. There is no justification for enabling Excel Macros to cancel a subscription.  If it doesn’t make sense, hang up.

 

What exactly is the purpose of your spam folder? 05/27/21

 

The lowly Gmail Spam folder. It appears to collect nothing but garbage and is routinely ignored. It does however, have a function.  It’s purpose is to keep spam and malicious emails out of your inbox while still allowing you to review them. These suspicious emails  aren’t automatically deleted as Google recognizes it isn’t perfect and may wrongly identify an email as spam or malicious.

How should you manage your Spam folder? For the most part, it can be ignored.  If you find that you are missing an email, you can go looking for it. However, I don’t recommend checking your Spam folder daily. If you are worried about missing emails, then a weekly check should be sufficient.

If you find an email in your Spam folder that you don’t think should be there, don’t move it immediately to your inbox. Open it first and check the banner at the beginning of the message. Google lets you know why the message was put there. If it is because it was marked Spam previously, then it is safe to move to your inbox. If however, it indicates that it contains a malicious link or attachment then leave the email where you found it as Google doesn’t make mistakes identifying malicious emails.

Fortunately, malicious emails found in your Spam folder don’t need to be reported to the IT Security Team. Google is already filtering them from inboxes so we don’t need to alert your colleagues. This saves us from replying to 57.3 million emails.   You can simply delete them and get on with your day. Even better, let Google delete them for you. Messages in Spam that are 30 days old are automatically deleted.

 

Is the etransfer notice from MRU malicious or legit? – 12/07/20

 

This past year, Student Fees began issuing refunds through Interac e-transfers.  Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.

A sure fire way to ensure the refund is legitimate is to login to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email then you know the e-transfer is legitimate.

If you are still not sure, you can email Student Fees at studentfees@mtroyal.ca and ask them if they sent you an e-transfer.

 

Issues with the PhishAlarm button? Clear your cache – 11/03/20

 

This week the phishing training program resumed.  This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails.  For most of you, it worked great!. For some of you, not so much.

As the PhishAlarm button is a browser based tool  (it works through your web browser), it can act up when your browser acts up. This is true for all browser based tools. When this happens it can usually be remedied by clearing your cache.

Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is a just a boring website or a web based application.

So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache.  It will empty all the information stored there and download it from the Internet again.  This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.

Happy Reporting!!

Hackers targeting educators – 11/04/20

 

There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments.  The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.

In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heart strings of the educator.

The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed

Here is an example of the types of emails being used.

 

Often the attachment is a Word document . Once you open it, you are asked to  “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.

This attack is very targeted, using contact lists available on the school’s websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected it will move to post secondary institutions next.

To avoid these types of attacks:

  • Only accept assignments submitted through regular channels.
  • Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
  • Verify the sender actually sent the message whenever possible.
  • Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
  • Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.

If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report is using the PhishAlarm button or by forwarding it to cybersecurity@mtroyal.ca.