Cybersecurity Blog

Is the etransfer notice from MRU malicious or legit? – 12/07/20

 

 

This past year, Student Fees began issuing refunds through Interac e-transfers.  Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.

A surefire way to confirm the refund is legitimate is to log in to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email, then you know the e-transfer is legitimate.

If you are still not sure, you can email Student Fees at studentfees@mtroyal.ca and ask them if they sent you an e-transfer.

 

Not sure an MRU email is legit? Contact the sender. – 12/02/20

 

 

With phishing attacks on the rise and everyone being vigilant, sometimes legitimate communications are flagged as suspicious. This week we had a student report their e-transfer refund notification. Last month it was Cybersecurity Awareness Month notifications, and the month before that it was a survey. While I am absolutely delighted that people are erring on the side of caution, I thought I would share a little tip that might make it easier to determine if a communication is official or not.

Without exception, official communications include who to contact if you have questions. There may not be a name but there will always be a department or email.  Senders know that you may have questions and in true Mount Royal University fashion, we want to be able to help. If you are not sure if an email is legit, look for that contact information. Take note of it and then search the Mount Royal website or directory to find an email that either matches the one in the message or is for the department that sent the email.

Once you know you have legitimate contact information, create a new email asking for verification that the email is official. It only takes a couple of minutes and it will get you an answer faster than if the IT security team does the same thing.

Note that I am not telling you to use the links in the email to contact the sender. That is because some emails are sent using services, and the URLs for the links take you to that service before you are sent to the final destination rather than directly to the intended URL. This makes it difficult to determine if the links are legit or not. To be on the safe side, just create a new email to contact the sender for verification.

I am hoping that my little tip will empower some of you and make you feel more in control of your inbox. That said, we will always be happy to have you report those emails that you just aren’t sure of. Keep up the good work!

 

Issues with the PhishAlarm button? Clear your cache – 11/03/20

 

 

This week the phishing training program resumed. This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails. For most of you, it worked great! For some of you, not so much.

As the PhishAlarm button is a browser-based tool (it works through your web browser), it can act up when your browser acts up. This is true for all browser-based tools. When this happens, it can usually be remedied by clearing your cache.

Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is just a boring website or a web-based application.

So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache.  It will empty all the information stored there and download it from the Internet again.  This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.

Happy Reporting!!

Hackers targeting educators – 11/04/20

 

 

There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments.  The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.

In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heartstrings of the educator.

The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed

Here is an example of the types of emails being used.

 

Often the attachment is a Word document. Once you open it, you are asked to “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.

This attack is very targeted, using contact lists available on schools’ websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected they will move to post-secondary institutions next.

To avoid these types of attacks:

  • Only accept assignments submitted through regular channels.
  • Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
  • Verify the sender actually sent the message whenever possible.
  • Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
  • Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.

If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report it using the PhishAlarm button or by forwarding it to cybersecurity@mtroyal.ca.

 

Don’t take candy from strangers – 09/16/20

All malware is not created equal.  This week a particularly devious piece landed in an MRU inbox.  It was wrapped up in a zip file attachment. Here is what the malicious email looked like:

 

 

This malicious email is hard to identify as it contains a previously sent email thread. Interestingly enough, there is no human behind this email. It was sent by malware. When it gets on your machine, it picks an email in your inbox and replies to it, sending a copy of itself to an unsuspecting recipient.

The email is generic enough to work with pretty much any email. However, it is the vagueness that flags it as suspicious. The other tell is the sender’s email address. Because this is malware and not a person sending out the email, the sender’s email address is incorrect.

If you decide to click and open the attachment, you see an Excel spreadsheet with this in the first cell.

 

 

If you missed the other two red flags, this one is your last chance to dodge the bullet. This very official looking graphic is asking you to enable editing and content to be able to “decrypt” the document. It is also telling you what type of device to use to view it. Anytime you are given this kind of instruction to view a document, close it immediately and report it.

The instructions are not there to enable you to view the document. They are there to ensure the malware can be installed and will function. By asking you to enable editing and content, it is bypassing the safety controls we have in place to prevent the running of macros. It is not “decrypting” anything. If you can’t open a document just by clicking on it, consider it a threat.

This is another reminder of how important it is to check the sender’s email address before you open an attachment or click on a link. If you recognize it, contact the sender using another method and confirm that they sent the email. If you don’t recognize it, don’t click. You wouldn’t take candy from a stranger, and you shouldn’t take attachments from them either, no matter how enticing they are.

 

 

Sneaky fake evaluation form found in MRU inboxes – 06/05/20

With the Phish Bowl up and running, I don’t do many posts about phishing emails any more. However, one showed up on campus this week that provides such a great teaching opportunity that I had to write about it.

Here is the offender:

 

 

To make things even more confusing, the email links to a legitimate Google Form. Clicking on the Fill Out Form button does indeed take you to a Google Form. Nothing malicious is loaded onto your machine and the form looks like a completely legitimate evaluation form, with one exception. It asks for your Microsoft ID and password.

Any time any form asks you for a password, no matter how legitimate it looks, exit the form immediately. If you do enter your credentials and then realize that you shouldn’t have, change them immediately.

 

Hackers use fake Cisco WebEx vulnerability to lure victims – 05/21/20

Criminals are sending phishing emails that look surprisingly legitimate. They appear to come from trustworthy senders, like “cisco@webex[.]com” and “meetings@webex[.]com.” The emails urge recipients to take immediate action in order to fix a security vulnerability in their WebEx software. The emails look like this:

 

 

If you click on the Join button, it will take you to a page that asks for your login credentials. Of course, the login page belongs to the criminals and will only steal your credentials.

If you receive an email asking you to update software, do not click the links in the email. Instead, start up the software and check for updates by selecting Help from its menu and selecting About. You can also visit the official website for the software and load updates from there.

 

Criminals are creating look-a-like MRU webpages – 04/23/20

 

We have been notified that cybercriminals have registered and are using the domain www.mroyalu.ca as well as several other look-a-like domains. They are attempting to fool people into visiting their malicious websites.

While working from home, it is very important that you double check all links that you receive in emails and the sender’s email address.

If the link does not have mtroyal.ca, mru.ca, mrucougars.com or mymru.ca before the first single / in the URL, it is malicious.

Examples of legitimate URLs are:
mru.ca/cybersecurity
mru.ca/wellness
https://www.mtroyal.ca/AboutMountRoyal/WhyMRU/
https://www.mymru.ca/web/home-community

Examples of fraudulent URLs are:
https://www.mroyalu.ca/AboutMountRoyal/WhyMRU/
https://www.mymur.ca/web/home-community
https://www.my.mtroyal.ca/Home

Please do not let curiosity get the better of you and attempt to visit any of these fraudulent websites. They will harm your machine and/or steal your data.

If the sender’s email address ends in anything other than @mtroyal.ca, then it is malicious.

Examples of legitimate email addresses are:
bpasteris@mtroyal.ca
cybersecurity@mtroyal.ca

Examples of fraudulent email addresses are:
bpasteris.mtroyal.ca@gmail.com
bpasteris@mroyalu.ca
bpasteris@mtroyal.email.ca

Please be extra cautious at this time.
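The link and sender checks described above can also be applied automatically, for example when triaging reported emails. The following is an added example, not code from MRU. It assumes that only the bare domain or its www form counts as trusted, so every other host is flagged, which matches the fraudulent examples listed above. The function names and the example.net values are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the post lists as legitimate for links, and the one for senders.
TRUSTED_LINK_HOSTS = {"mtroyal.ca", "mru.ca", "mrucougars.com", "mymru.ca"}
TRUSTED_MAIL_DOMAIN = "mtroyal.ca"


def link_host(url):
    """Return the lower-cased host, i.e. what sits before the first single '/'."""
    if "://" not in url:
        url = "//" + url  # bare links such as "mru.ca/wellness"
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL: treat as having no usable host
        return ""
    return host.rstrip(".").lower()


def is_trusted_link(url):
    """Assumption: only the bare domain or its www form counts as trusted."""
    host = link_host(url)
    if host.startswith("www."):
        host = host[4:]
    return host in TRUSTED_LINK_HOSTS


def is_trusted_sender(from_header):
    """Judge the real address, not the display name shown in the mail client."""
    _display, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    return bool(local and at) and domain.lower() == TRUSTED_MAIL_DOMAIN


def triage(links, senders):
    """Return the links and senders that fail the checks, for reporting."""
    return {
        "bad_links": [u for u in links if not is_trusted_link(u)],
        "bad_senders": [s for s in senders if not is_trusted_sender(s)],
    }


if __name__ == "__main__":
    # Examples from the post plus two constructed ones (example.net).
    links = ["mru.ca/cybersecurity", "https://www.mymur.ca/web/home-community",
             "https://www.my.mtroyal.ca/Home", "https://mtroyal.ca.example.net/login"]
    senders = ["cybersecurity@mtroyal.ca", "bpasteris@mtroyal.email.ca",
               '"cybersecurity@mtroyal.ca" <someone@example.net>']
    print(triage(links, senders))
```

Comparing the whole host against the list, rather than searching for the domain name anywhere in the link, is what catches a trusted name used as a prefix of another domain or as a display name.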

Updated 04/27/20

 

Credit Registration stops a cybercriminal – 04/15/20

Every once in a while I get affirmation that all that I do to try and keep all of you safe is working. This was one of those weeks. I would like to take a moment to toot the horn of Credit Registration.

They receive hundreds of emails from students and prospective students every week. The majority of the time they have no idea who they are talking to. To reduce the chances they will be cyberattack victims, they have put procedures into place that somewhat verify the sender’s identity. It isn’t foolproof, but it is a good balance between practicality and security. What is truly wonderful is that their staff follow their procedures.

This week those procedures were tested and they passed.  Congratulations Credit Registration!

No, that isn’t your supervisor asking for your cell phone number – 04/09/20

 

This week has been a busy one for the security team. We have been slammed with a new phishing tactic: requests for cell phone numbers. Campus inboxes are receiving emails that appear to be coming from a supervisor. They look like this.

 

 

While this one contains a misspelled word, others look perfectly legit. The only clue is the weird sender email address.

Why do they want your cell phone number? Lots of reasons. First of all, they can take your phone number and connect it to your email address, which helps build out your data profile so advertisers can more easily target you with ads. Advertisers pay a premium for complete data profiles.

But the benefits don’t stop there. If they have your phone number, know where you work, have an email address and your name, they have enough information to impersonate you with your cell phone provider.  If the customer service agent that answers the call doesn’t follow proper procedures, the scammer can port your number to a different carrier or disable your SIM card and get a new one. Either way you lose control of your phone number and the criminal now has access to everything that uses your phone number for confirmation.  One MRU employee has already found out how damaging this type of attack can be.

Lastly, they can send you lovely text messages containing links that appear to come from your bank, include offers for free stuff or opportunities to enter a contest. Clicking on these links loads malware onto your device designed to steal passwords, contacts and data.

Your best defense against this type of attack is to read the sender’s email address before you read the body of the message. If you see that the email is not from a Mount Royal account, you can delete the message before your emotions are triggered by the email content.

If you aren’t sure if an email is legit, you can check the Phish Bowl to see if it is listed there or you can forward the email to abuse@mtroyal.ca. If you find a phishing email, don’t forget to report it by clicking the PhishAlarm button or forwarding it to cybersecurity@mtroyal.ca so we can warn your colleagues.

Updated 05/29/20