Cybersecurity Blog

Must Read – Check the email address before responding to an email – 02/06/19

 

 

 

Once again Mount Royal inboxes are receiving emails from scammers impersonating Mount Royal employees.  The email appears to come from a colleague and asks if the recipient is available. If the recipient responds, the scammer then asks for gift cards.

These emails are easy to identify as the email address is not a Mount Royal email address. Thing is, people are in such a rush these days they don’t bother checking it. They see the name of their colleague and respond.

While responding to the scammer is not necessarily risky, it does encourage them. They now know that you don’t check email addresses. Next time they may be a bit more clever and include a malicious link or attachment.

When reading any email, the first place your eyes should go is to the email address. If it doesn’t match the sender’s name, delete the sucker immediately. You don’t even have to read it.  It is easy, it saves you time and it will make your IT department very very happy.

 

Must Read – Hard to detect MailChimp phish hits MRU 01/15/19

The latest phishing attack to hit inboxes on campus is absolutely diabolical.  It looks 100% legitimate and contains legitimate looking links. In addition, the technique the clever criminals are using  by-passes our protective measures preventing us from keeping it out of inboxes. If we block it, we block all MailChimp emails.

Lets take a closer look at this bad boy.

 

 

Pretty impressive isn’t it? What is even more impressive is hovering over the links displays Mandrill.com which is MailChimps legitimate tool for tracking clicks, dealing with payments and account settings etc.  However, if you click the link you get sent to:

 

 

While us14-mailchimp kinda looks legit, it is the wrong URL for MailChimp. However, the page looks like a MailChimp login page.  We didn’t follow along further to see what happens after you enter your username and password. However, we are pretty sure the next page would be asking for credit card information.  The crooks are pretty darn smart. If you login and then get wise and not enter your credit card information, they still get access to your MailChimp account which they can use to send out more phishing emails to other unsuspecting users.  It’s brilliantly done.

As smart as the hackers are, Mount Royal employees are smarter. This email was forwarded to abuse@mtroyal.ca by one of our own.  That’s right, one of our own employees tagged this bit of nastiness.  I couldn’t be prouder! They didn’t recall having a paid MailChimp account and recognized that the sent email address was off.

So how do you protect yourself from an attack this well executed? Do what your colleague did, don’t click the links in the email. If you have a MailChimp account, login to it directly using a bookmark or search result. If there is a problem with your account, the information will be available there. If everything turns out to be in order, you know the email is a phish. Forward it in it’s entirety to abuse@mtroyal.ca and your work as a cyber security superhero is done!

 

Must Read – They’re back and this time they’re impersonating David Docherty – 12/12/18

 

 

 

The MRU impersonators are at it again.  Apparently they didn’t get bites just pretending to be a supervisor so they have upped their game.  Their third attempt uses an email that appears to come from Dr. Docherty himself.

 

As with the other attempts, if you respond to this email you are asked to purchase gift cards. This is just another reminder to check the sender’s email address when you find yourself responding emotionally to an email.

 

How we get notified of an account breach – 11/23/18

 

 

Not every hacker makes their money by breaking into  accounts and stealing funds or ransoming your data. Some hackers are content to simply  break into servers and steal usernames. passwords and other personal information that they then sell on the dark web.  It is quite a niche business.

To combat this evil, an enterprising fellow name Troy Hunt created a tool that scans the dark web looking for stolen data that is for sale.  You  can access this information for free at have i been powned. Simply visit the website and enter your email address. It will tell you if any of your accounts using that email have been breached.

This gives you the opportunity to change your password and username or delete the account.   This is an easy process if you don’t reuse passwords. It is a huge headache if you do.  What’s even cooler,  you can subscribe to an alert service so they will automatically notify you when there is a new  account breach.  This is so awesome, Mount Royal even subscribes.

We get notified when anyone with an @mtroyal.ca email is involved in a breach.  We also get told which account was breached.  We are aware that password reuse still happens. By being notified of breaches we can make sure our users change their passwords so hackers cannot use their accounts to gain access to the network.

So if you are using your @mtroyal.ca account to sign up for the adult furry website High Tail Hall, we will know about it. To make matters worse, we have to contact you to let you know about the breach.  It gets awkward for everyone.

This is a friendly reminder, only use your @mtroyal.ca email account for business. IT Services thanks you.

 

Must Read – You are our first line of defense – 11/15/18

 

 

As part of our phishing training program, I visit repeat clickers and analyze their business processes to determine why they are having difficulty identifying phishing emails. An interesting trend is appearing.  Time after time, I hear people say that they thought IT Services had tools that filtered out all malware so anything that reached their inbox was safe to click.

I am going to set the record straight. There is no anti-virus, anti-malware or other type of software or technology that can identify all malware or malicious links. While IT Services has wonderful tools that help them stop most attacks, they cannot stop everything. Every organization is vulnerable to new strains of malware and hundreds of new strains are developed every day.  Whether at work or at home, you cannot rely on anti-virus/anti-malware to protect you 100% of the time.

You are our first line of defense. If you avoid clicking or opening something that you shouldn’t, the odds of being victimized decreases exponentially.  Simply by pausing when you are triggered emotionally by an email or when an email contains a link or attachment, you can reduce your chances of a cyber attack by 75%.  We can’t do it alone, we need your help.  Join us in the fight against cyber crime, stop and think before you click.

 

 

Must Read – Phishing emails are targeting educational organizations – 10/26/18

 

A new type of phishing email is making the rounds.  This one targets the employees of a specific educational institution and appears to come from the president. It includes the right signature line and logo to enforce the deception.  Subject lines of the emails include:

  • Codes of conduct
  • Ethical standards
  • Proper workplace behavior
  • Rules governing conflicts of interest

The emails tends to announce new policies around employee conduct or discusses the renewed focus on ethical professional behavior. They look something like this:

They include an attachment that when opened, takes the employee to a web page that look like a legitimate login page.  What makes this one truly diabolical is once the login credentials are entered, the employee is taken to a legitimate website so they think nothing is amiss.

This is a great time to remind everyone to confirm the legitimacy of emails containing links or attachments that they are not expecting. As criminals can now make it look like an email is coming from someone our know, right down to the correct email address, there is no way to tell if an email is a phish or not unless you contact the person who appears to have sent it.

 

Must read – changes to Google Team Drive permissions – 10/11/18

 

 

This week Google rolled out the first of two changes to the Google Team Drive permissions.  The names have been changed.  The new names and their permissions are:

  • Manager = full access
  • Contributor =edit access
  • Commenter = comment access
  • Viewer = view access

Please check your Team Drive members list and ensure that the new permissions are correct.  After the name change, I found members who previously had only edit access were  given Manager or full access to the drive.

This week’s contest entry code for the Cyber Security Challenge is w2snl4tr.

Must Read – Scammers pretending to be Mount Royal employees – 09/27/18

 

It has been a busy week. There are two phishing emails going around campus at the moment.  The first one starts out rather innocently.

 

 

However if you respond to it, like half a dozen people did,  you receive a second one.

 

 

You are probably wondering why anyone would respond to the first email.  First of all the email was from a department head, so that tends to get people’s attention and generate an emotional response.  Also, almost all who responded were looking at the email message on their phone.  They were unable to clearly see the sender’s email address or the grammar errors.  This is just another reminder as to why it is so important to wait until you get to a large screen to take action on an email. It is also a reminder to not respond to our emotions. If you read an email and are responding emotionally to it, that is your cue to pause for a minute and take a closer look.

Impersonator number two  is a bit more sneaky.  Check out this bad boy.

 

 

I just love how they added the signature line to this one.  They must have received an email from Mount Royal at some point.  This is the stuff that keeps me up at night.  The grammar is perfect.  The content is plausible and looks legitimate.  The fuzzy logo is a bit of a tell, but other than that it’s not an easy one to spot.

That was the bad news.  Now for the good news.  In both cases  IT services was notified of the threat by Mount Royal University employees who forwarded the email to abuse@mtroyal.ca.  Their quick thinking gave us a heads up right away so we could block both email addresses and prevent further attacks.  They are superheros!!

Keep an eye out for these types of emails in the future.  If you find one, forward it in its entirety (no screenshots please) to abuse@mtroyal.ca and you can be a superhero to!!

 

Must Read – Iranian Hackers are trying to steal university research – 08/31/18

 

 

Iranian hackers are sending out phishing emails that appear to come from within a targeted university. The emails contain a link and urge the recipient to sign in to an internal resource, the favorite being the library system.  The link is to a fake login page that records login credentials.

The hackers appear to be trying to steal research data.  The campaign is world wide with over 16 universities targeted and over 300 fake websites created. Canadian universities are among the targets.

If you receive an email asking you to login to one of our internal resources, do not click on any links in the email.  Instead, access that resource using a bookmark or a link on www.mtroyal.ca.  You can also contact the department in charge of that resource and ask them if they sent out an email. Pay special attention to emails asking you to login to the library system.

If you are unsure of the legitimacy of any email, you can forward it to abuse@mtroyal.ca and IT Services will be happy to investigate for you.

 

Must read – Using your @mtroyal email for personal stuff? Please don’t. – 07/20/18

 

 

On a regular basis, account providers are hacked and their customer data is stolen and put up for sale on the dark web in large data dumps. Usernames and passwords are often included in the information.  As over 30% of users reuse passwords and usernames, once a hacker has that information they can access several accounts.  As part of our ongoing efforts to keep Mount Royal’s data safe, we subscribe to a service that lets us know if any @mtroyal.ca email addresses appear in these lists. If an account provider gets hacked and a user used an @mtroyal.ca email address as a username, we get notified about the breach. We then force a password change on the account to ensure it stays secure.

Where things get uncomfortable is when users decide to use their @mtroyal.ca email address for personal accounts.  Many account providers who deliver special interest content do not have the best security practices and are often hacked. We really don’t want to know that you belong to the Jelly of the Month Club or you are a member of Poniverse (those are the G-rated ones). Please save us and yourselves the embarrassment.  Use your @mtroyal.ca account for business purposes only.