Cybersecurity Blog

Scammers getting really clever with MasterClass phishing emails – 04/28/22

Over the last few weeks phishing emails with fake invoices from MasterClass have been popping up in inboxes all over campus.  I have been posting them to the Phish Bowl, but you can see an example here.

Most of you will have probably noticed that the attachment itself isn’t malicious.  Instead the scammers are hoping you will call them and ask for a refund. If you do, there a number of scams they can pull.

The simplest is asking for your credit card number so they can issue a fund to the correct card.  They assure you that the refund will appear on your credit card statement within 48 hours. Of course, no such refund is made. Instead they go on a 48 hour shopping spree on your dime.

The more sophisticated scams  take you through a “refund” process where they deposit funds directly into your bank account. They then show you a fake screen shot that indicates they accidentally refunded you too much money and then ask you to e-transfer the excess funds.  When you point out that the refund doesn’t appear on your online bank account statement, they say that it will take 24 hours to do so. If you ask to wait until it shows up, they say if they don’t fix the error now, they will get fired.  They can be very persuasive. Sometimes they will cycle you through several “supervisors” and “mangers” to convince you that the excess funds must be returned immediately.

Of course, they never charged your card in the first place, nor will you ever see the money refunded to your bank account. Instead you will have handed over thousands of dollars to the scammers.

Fortunately, it doesn’t appear as though there have been many people on campus who have fallen for this scam.  As a result, the scammers have upped their game. We are now seeing the following email arrive in inboxes shortly after the one I previously shared.

You see people are getting smart. The scammers are realizing that an email with an attachment maybe isn’t the best way to get people to call them. Instead, they have set up a remote support session. The diabolical part,  is this email comes from a legitimate service,  Zoho Assist.  So malware filters won’t think anything is amiss. Your only clue is the little note at the bottom that mentions the email comes from a generic email account instead of MasterClass itself.  This is something they hope won’t notice as the previous email has already got you thinking about that MasterClass subscription you didn’t sign up for.

I have to admit, this is very very clever. The good news is, if you take your time and look closely you can identify the scam and delete the email before things ever get to the excess refund stage.

New Google feature looks like phishing – 03/25/2021

 

Google has launched a new feature for Google meet. Any time there are more than two people in a meeting, you will automatically receive an attendance list attached to an email. This email has the name of the meeting in the subject line. This works great when you have created the meeting in your calendar and given it a name. The email makes sense and it looks legit.

However, if you create the meeting through the Google chat or the Meet button in the Gmail window, there is no way to give the meeting a name, so Google does that for you. As a result you end up with an email subject line that includes a bunch of random capital letters in quotes.

At first glance this email looks really, really phishy. You have this weird looking subject, an attachment and you didn’t request an attendance report. But if you take a closer look at the sender’s email address, you realize that this is in fact coming from Google and it is a legitimate email.

If you receive an email like this and you are uncertain what to do with it, then please report it. However, hopefully now that you have a little more information you won’t feel so quite uncomfortable when that odd email shows up unannounced from Google.

 

 

Scammers use subscription renewals to trick you into downloading malware – 08/03-21

 

A social engineering tactic dubbed Bazacall is making a resurgence. This attack method first appeared in March, 2021. It starts with an email that arrives in your inbox. They use a variety of scenarios, however all encourage you to phone a number to resolve an issue. Their favorites appear to be notifying you that a subscription is going to be renewed or that a free trial is over. Details on the nature of that subscription are often left out, making it more likely that you will call to clear things up.

When you call, the “customer service rep” on the phone directs you to a very realistic website. Sometimes these websites are spoofed sites of real businesses, other times the businesses are completely fictitious. Once you are at the website they walk you through the steps to cancel the subscription, telling you what to click. Everything seems perfectly legitimate until you reach the final step. The last click on the website opens an Excel file that asks you to enable Macros.  If you continue to follow the instructions of the “rep”, the malware is downloaded and installed on your computer. The type of malware varies but typically they give remote access to your machine, allowing the attackers to gain access to to other devices on the network.

This phishing attack method is particularly dangerous as the email doesn’t contain any attachments or links which allows it to pass through inbox filters. In addition when you open it, it looks official and innocent. After all what can happen if you just call to cancel a subscription that you don’t want? However once you call, the “rep” is very good at social engineering. He or she develops trust and insists that this is the only way to ensure the charge doesn’t appear on your credit card.

The best way to defend yourself against this type of attack is to recognize that emails with vague information about a subscription being renewed are malicious. Thankfully with this attack you have a second chance to defend yourself. You can refuse to enable Macros when asked.  Remember to use your common sense and don’t let yourself be bullied. There is no justification for enabling Excel Macros to cancel a subscription.  If it doesn’t make sense, hang up.

 

What exactly is the purpose of your spam folder? 05/27/21

 

The lowly Gmail Spam folder. It appears to collect nothing but garbage and is routinely ignored. It does however, have a function.  It’s purpose is to keep spam and malicious emails out of your inbox while still allowing you to review them. These suspicious emails  aren’t automatically deleted as Google recognizes it isn’t perfect and may wrongly identify an email as spam or malicious.

How should you manage your Spam folder? For the most part, it can be ignored.  If you find that you are missing an email, you can go looking for it. However, I don’t recommend checking your Spam folder daily. If you are worried about missing emails, then a weekly check should be sufficient.

If you find an email in your Spam folder that you don’t think should be there, don’t move it immediately to your inbox. Open it first and check the banner at the beginning of the message. Google lets you know why the message was put there. If it is because it was marked Spam previously, then it is safe to move to your inbox. If however, it indicates that it contains a malicious link or attachment then leave the email where you found it as Google doesn’t make mistakes identifying malicious emails.

Fortunately, malicious emails found in your Spam folder don’t need to be reported to the IT Security Team. Google is already filtering them from inboxes so we don’t need to alert your colleagues. This saves us from replying to 57.3 million emails.   You can simply delete them and get on with your day. Even better, let Google delete them for you. Messages in Spam that are 30 days old are automatically deleted.

 

Why is someone you know asking for your phone number? – 03/10/21

The MRU community have been finding emails in their spam folder similar to this one.

The email looks like it comes from a colleague or instructor. However the email contains some red flags.  The biggest one being they are asking for your personal phone number. If they don’t already have it, they shouldn’t be asking for it. In addition, it was found in the Spam folder.

Google puts emails that it thinks are suspicious but they aren’t sure of into the Spam folder. If you see an email in your Spam folder, assume it is malicious and always confirm legitimacy with the sender before you respond.  Confirmation is best done over the phone, however in situations like this where an MRU email wasn’t used, it is enough to contact the sender through an MRU email.

It is hard to say what the end game of this scam is. However, this is often step one in a gift card scam where they compel you to purchase gift cards and then give them the redemption codes. These redemption codes can then be sold on the dark web.

 

Is the etransfer notice from MRU malicious or legit? – 12/07/20

 

This past year, Student Fees began issuing refunds through Interac e-transfers.  Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.

A sure fire way to ensure the refund is legitimate is to login to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email then you know the e-transfer is legitimate.

If you are still not sure, you can email Student Fees at studentfees@mtroyal.ca and ask them if they sent you an e-transfer.

 

Not sure an MRU email is legit? Contact the sender. – 12/02/20

 

With phishing attacks on the rise and everyone being vigilant sometimes legitimate communications are flagged as suspicious. This week we had a student report their e-transfer refund notification. Last month it was Cybersecurity Awareness Month notifications and the month before that it was a survey. While I am absolutely delighted that people are erring on the side of caution, I thought I would share a little tip that might make it easier to determine if a communication is official or not.

Without exception, official communications include who to contact if you have questions. There may not be a name but there will always be a department or email.  Senders know that you may have questions and in true Mount Royal University fashion, we want to be able to help. If you are not sure if an email is legit, look for that contact information. Take note of it and then search the Mount Royal website or directory to find an email that either matches the one in the message or is for the department that sent the email.

Once you know you have legitimate contact information, create a new email asking for verification that the email is official. It only takes a couple of minutes and it will get you an answer faster than if the IT security team does the same thing.

Note that I am not telling you to use the links in the email to contact the sender. That is because some emails are sent using services and the URL for the links take you to that service before you are sent to the final destination rather than directly to the intended URL.  This makes it difficult to determine if the links are legit or not. To be on the safe side, just create a new email to contact the sender for verification.

I am hoping that my little tip, will empower some of you and make you feel more in control of your inbox. That said, we will always be happy to have you report those emails that you just aren’t sure of. Keep up the good work!

 

Issues with the PhishAlarm button? Clear your cache – 11/03/20

 

This week the phishing training program resumed.  This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails.  For most of you, it worked great!. For some of you, not so much.

As the PhishAlarm button is a browser based tool  (it works through your web browser), it can act up when your browser acts up. This is true for all browser based tools. When this happens it can usually be remedied by clearing your cache.

Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is a just a boring website or a web based application.

So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache.  It will empty all the information stored there and download it from the Internet again.  This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.

Happy Reporting!!

Hackers targeting educators – 11/04/20

 

There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments.  The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.

In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heart strings of the educator.

The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed

Here is an example of the types of emails being used.

 

Often the attachment is a Word document . Once you open it, you are asked to  “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.

This attack is very targeted, using contact lists available on the school’s websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected it will move to post secondary institutions next.

To avoid these types of attacks:

  • Only accept assignments submitted through regular channels.
  • Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
  • Verify the sender actually sent the message whenever possible.
  • Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
  • Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.

If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report is using the PhishAlarm button or by forwarding it to cybersecurity@mtroyal.ca.

 

Don’t take candy from strangers – 09/16/20

 

All malware is not created equal.  This week a particularly devious piece landed in an MRU inbox.  It was wrapped up in a zip file attachment. Here is what the malicious email looked like:

 

 

This malicious email is hard to identify as it contains a previously sent email thread. Interestingly enough, there is no human behind this email. It was sent by malware. When it gets on your machine it picks an email in your inbox and replies to it. Sending a copy of itself to an unsuspecting recipient.

The email is generic enough to work with pretty much any email. However it is the vagueness that flags it as suspicious.  The other tell is the sender’s email address. Because this is malware and not a person sending out the email, the sender’s email address is incorrect.

If you decide to click and open the attachment, you see an Excel spreadsheet with this in the first cell.

 

 

If you missed the other two red flags, this one is your last chance to dodge the bullet. This very official looking graphic is asking you to enable editing and content to be able to “decrypt” the document  It is also telling you what type of device to use to view it.  Anytime you have this kind of instruction given to you to view a document, close it immediately and report it.

The instructions are not there to enable you to view the document. They are there to ensure the malware can be installed and will function.  By asking you to enable editing and content, it is bypassing the safety controls we have in place to prevent the running of macros. It is not “decrypting” anything.  If you can’t open a document just by clicking on it, consider it a threat.

This is another reminder how important it is to check the sender’s email address before you open an attachment or click on a link.  If you recognize it, contact the sender using another method and confirm that they sent the email. If you don’t recognize it, don’t click. You wouldn’t take candy from a stranger, you shouldn’t take attachments from them either;  no matter how enticing they are.