Cybersecurity Blog

Must Read – MRU inboxes receive malicious Google Drive file share – 03/20/19

Another day, another clever criminal trying to break into our network. This time they tried using Google Drive to do it. Tuesday morning several employees found this in their inbox.

The Word Doc link itself is totally legit: it is a genuine Google Drive share. If you click it, it takes you to this document.

Clicking the link in the Word document takes you to a legitimate website that has been compromised. The site asks you to log in to Office 365 to access the document. Of course, if you do, you are handing some miscreant your Office 365 login credentials, which open your email, OneDrive and everything else tied to that account. They can then sell the credentials on the dark web or use them themselves to wreak havoc on your data as well as the data of others. Fun, fun, fun.

Because the Google Drive share and the compromised website both have legitimate, reputable addresses, neither the email nor the link will be flagged by anti-virus or the firewall. It is actually very clever. However, although it may get by the technology, a person can easily spot it as malicious. In fact, we had two different reports sent to abuse@mtroyal.ca about this one. Way to go MRU!!

For those of you who aren’t already yelling at the screen, “Come on, that is so obvious”, I am going to walk you through the red flags. First, the email is sent by Benjamin Kuiper from the address benkuiper3000@gmail.com. That is clearly not a Mount Royal email address, and he is not listed in the directory. Fail number one.

Second, the doc says it was being shared by Benjamin and David Hyttenrauch. This doc was sent to people on David’s team, so even though they didn’t know who Ben was, they sure as heck knew who David was. This got the desired attention. However, a Google Drive share invitation for one file comes from one account, not two. Clearly this Word doc was shared by Benjamin alone, and the sneaky dude typed the rest of the deceiving information into the Add a note field of the Share with others dialog box to make it look like David was involved. Fail number two.

Third, when you open the document it tells you that you have a file waiting for you on OneDrive. OneDrive file shares are not delivered as links inside Word documents. Fail number three.

Lastly, if you hover over the link in the Word document you will see that it does not go to OneDrive at all. Fail number four.
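
The first and last of those checks (who the message is really from, and where its links really go) can be scripted. What follows is an added example written for this post, not the university’s own tooling: it parses one message, compares the sender’s display name and address against an organisation domain and a staff directory, and then checks every link in the HTML body for visible text that names one host while the target is another, or that mentions a brand (OneDrive, MailChimp) while pointing at a host that brand does not own. The organisation domain, the directory, the brand host list and the sample message are all constructed for the example.

```python
"""Scripted version of the red flags above: who really sent the message, and
where its links really go.  Added example for this post, not the university's
own tooling.  The organisation domain, staff directory, brand host list and
the sample message are all constructed for the example."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.edu"                               # assumed home domain
DIRECTORY = {"pat example": "pat.example@example.edu"}   # assumed staff list
# Hosts each brand really uses; a link that names the brand but lands elsewhere is a flag.
BRAND_HOSTS = {
    "onedrive": ("onedrive.live.com", "1drv.ms"),
    "mailchimp": ("mailchimp.com", "mandrillapp.com"),
}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if there is none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def in_brand(host, brand):
    return any(host == h or host.endswith("." + h) for h in BRAND_HOSTS[brand])


def triage(raw):
    """Return the list of red flags found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != ORG_DOMAIN:
        flags.append(f"sender {addr} is not an {ORG_DOMAIN} address")
    if name.lower() in DIRECTORY and DIRECTORY[name.lower()] != addr.lower():
        flags.append(f"display name '{name}' is a staff member but the address is not theirs")
    elif name and domain != ORG_DOMAIN:
        flags.append(f"'{name}' is not in the directory")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"replies go to {reply_to}, not to the sender")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for text, href in collector.links:
            target = host_of(href)
            # Visible text that looks like an address must agree with the real target.
            shown = host_of(text) if "." in text and " " not in text else ""
            if shown and shown != target:
                flags.append(f"link shows {shown} but goes to {target}")
            for brand in BRAND_HOSTS:
                if (brand in text.lower() or brand in target) and not in_brand(target, brand):
                    flags.append(f"'{text}' points to {target}, which is not a {brand} host")
    return flags


# Constructed sample shaped like the share described above (names and hosts made up).
SAMPLE = """\
From: Pat Example <patexample3000@gmail.com>
To: staff@example.edu
Subject: Document shared with you
Content-Type: text/html; charset="utf-8"

<p>Pat Example and Chris Example shared a file with you.</p>
<p><a href="https://compromised-site.test/o365/">https://onedrive.live.com/view</a></p>
<p>Review your <a href="https://us14-mailchimp.test/login">MailChimp account</a></p>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("RED FLAG:", flag)
```

Against the sample it raises five flags: the external sender, a directory name paired with a stranger’s address, link text that claims OneDrive while the target is another site, and two brand-name links that land on hosts the brand does not own. The same link check works on a document’s hyperlinks if you feed it their text and targets. It cannot, however, see past a click-tracking redirector such as the Mandrill links in the 01/15/19 post further down this page; for those you have to follow the redirect chain to its end before judging the destination.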

As clever as criminals are, most of them can be stopped by alert employees who take the time to look at emails with links and attachments critically.  As we have seen in this example, the majority of the time phishing emails contain clear clues that something is not right. Don’t get caught up in the emotion of the moment. Like our wonderful employees, take the time to really look and make sure that the email is what it appears to be. Your data, your colleagues and your IT department will thank you.

Latest Netflix phishing email showing up in Mount Royal inboxes – 03/08/19

Another day, another Netflix phishing email making the rounds. This one is finding its way into Mount Royal inboxes. It’s very, very convincing. At first glance it looks legit. However, when you take a closer look, the grammar gives it away. Someone went to a lot of work to get this right; you almost feel sorry for them that they blew it with a grammatical error. Take a look for yourself.

If it weren’t for the grammatical error, you would think this was legit. It has a plausible sender email address, and they have the nice little Terms of Use link at the bottom with the privacy statement. If you were distracted, in a hurry or trying to read this on your phone, you would likely click.

This is a friendly reminder that when you see a link or attachment in an email, that is your cue to stop what you are doing and give that email 100% of your attention. If you cannot, mark it unread and return to it later when you have the time to properly examine it.

Must Read – The MRU impersonators are ramping things up – 02/28/19

Phishing emails that appear to come from Mount Royal University supervisors are making their appearance again. This time they are throwing in the whole “I am going into a meeting with limited phone calls, so just reply to my email” nonsense to try to keep you from calling the person directly to verify that the email is legitimate.

Thankfully they are still using lame sender email addresses, so they are pretty easy to spot if you take the time to look. However, they have started to use a new tactic that is concerning. They have somehow gotten hold of cell phone numbers and are now texting Mount Royal employees, asking them to contact the texter immediately as they have a task for them. The messages appear to come from the employee’s supervisor.

How do you protect yourself from social engineering via text message?

  1. Don’t click on links in text messages
  2. Be suspicious of requests that are outside of regular procedures or processes
  3. Don’t give out information that the person you are talking to should already have

A good rule of thumb is, if it doesn’t feel right it probably isn’t.  If you get a strange request from your supervisor, politely let them know you will get right back to them and end the call or conversation. Then contact them using an email address or phone number that you already know is legitimate, not one taken from the suspicious message.

Must Read – Check the email address before responding to an email – 02/06/19

Once again, Mount Royal inboxes are receiving emails from scammers impersonating Mount Royal employees. The email appears to come from a colleague and asks if the recipient is available. If the recipient responds, the scammer then asks for gift cards.

These emails are easy to identify, as the sender’s email address is not a Mount Royal address. Thing is, people are in such a rush these days that they don’t bother checking it. They see the name of their colleague and respond.

While responding to the scammer is not necessarily risky in itself, it does encourage them. They now know that your mailbox is live and that you don’t check email addresses. Next time they may be a bit more clever and include a malicious link or attachment.

When reading any email, the first place your eyes should go is the email address, not the display name. If the address doesn’t belong to the person it claims to be from, delete the sucker immediately. You don’t even have to read it.  It is easy, it saves you time and it will make your IT department very, very happy.

Must Read – Hard to detect MailChimp phish hits MRU – 01/15/19

The latest phishing attack to hit inboxes on campus is absolutely diabolical.  It looks 100% legitimate and contains legitimate-looking links. In addition, the technique the clever criminals are using bypasses our protective measures, preventing us from keeping it out of inboxes: the links run through MailChimp’s own infrastructure, so if we block it, we block all MailChimp emails.

Let’s take a closer look at this bad boy.

Pretty impressive, isn’t it? What is even more impressive is that hovering over the links displays Mandrill.com. Mandrill is MailChimp’s legitimate transactional email service, and it rewrites the links in the mail it delivers (payment notices, account settings and the like) so that clicks can be tracked. That means the hover check only shows you the legitimate tracking redirect, not where it finally lands. If you click the link you get sent to:

While us14-mailchimp kinda looks legit, it is the wrong URL for MailChimp. However, the page looks like a MailChimp login page.  We didn’t follow along further to see what happens after you enter your username and password, but we are pretty sure the next page would be asking for credit card information.  The crooks are pretty darn smart. If you log in and then get wise and don’t enter your credit card information, they still have your MailChimp credentials, which they can use to send out more phishing emails to other unsuspecting users from an account with a clean reputation.  It’s brilliantly done.

As smart as the hackers are, Mount Royal employees are smarter. This email was forwarded to abuse@mtroyal.ca by one of our own.  That’s right, one of our own employees tagged this bit of nastiness.  I couldn’t be prouder! They didn’t recall having a paid MailChimp account and recognized that the sender’s email address was off.

So how do you protect yourself from an attack this well executed? Do what your colleague did: don’t click the links in the email. If you have a MailChimp account, log in to it directly using a bookmark or search result. If there is a problem with your account, the information will be available there. If everything turns out to be in order, you know the email is a phish. Forward it in its entirety to abuse@mtroyal.ca and your work as a cyber security superhero is done!

Hackers thwart two step verification with phishing emails – 01/02/19

Those clever hackers are at it again. They have figured out a way to get around two step verification on Gmail and Yahoo accounts.  They are using fake alerts to lure their victims into giving up verification codes.

The scam works like this.  First, you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity.  However, when you click the button you are sent to the hackers’ web page, which looks like the official login page. When you enter your password, another fake page appears asking for a verification code.  All of this seems perfectly normal, as the pages look just like the real thing.

Unfortunately, the hackers have recorded your login credentials and, within seconds, used them to log in to the real account website, which generates a verification code and sends it to your phone. Because the code arrives seconds after you entered your credentials, you think nothing of it and type it into the fake website. The hackers record the code and enter it on the real two-step verification page. To keep you from getting suspicious, you are then sent to another fake page asking you to change your password, and once you “change your password” you are redirected to a real account web page. They now have access to your account and you are unaware that anything is amiss. The code itself was genuine; the problem is that it was typed into the wrong website and relayed while it was still valid.
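
To make the relay concrete, here is an added simulation written for this post (not code from the blog, or from Google or Yahoo). The genuine account site, the phishing page and the victim’s actions are plain Python objects; the origins, password and keys are made up. The first run shows that a code texted to your phone is no defence when it is relayed within seconds. The second shows why a security key that signs the site’s origin (the WebAuthn model, simplified here to an HMAC so the example stays short) cannot be relayed: the signature the victim produces names the phishing origin, and the real site rejects it.

```python
"""Simulation of the real-time two-step-verification relay described above.
Added example for this post, not code from the blog or any mail provider.
The origins, password and keys are all constructed for the example."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://accounts.example-mail.test"    # assumed genuine site
PHISH_ORIGIN = "https://accounts-example-mail.test"   # assumed lookalike


def sign(key, challenge, origin):
    # Stand-in for a security key's signature: it covers the origin the browser
    # was actually on, which is what makes the credential phishing-resistant.
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealService:
    """Genuine site: password, then an SMS-style code or an origin-bound assertion."""

    def __init__(self, password, device_key=None):
        self.password, self.device_key = password, device_key
        self.pending_code = self.pending_challenge = None
        self.sessions = []

    def login_password(self, password):
        if not hmac.compare_digest(password, self.password):
            return False
        self.pending_code = f"{secrets.randbelow(10**6):06d}"  # "texted" to the phone
        return True

    def login_code(self, code):
        ok = self.pending_code is not None and hmac.compare_digest(code, self.pending_code)
        self.pending_code = None
        if ok:
            self.sessions.append("session-" + secrets.token_hex(4))
        return ok

    def challenge(self):
        self.pending_challenge = secrets.token_hex(16)
        return self.pending_challenge

    def login_assertion(self, challenge, signature):
        # Accept only a signature over OUR origin for the outstanding challenge.
        if self.device_key is None or challenge != self.pending_challenge:
            return False
        self.pending_challenge = None
        ok = hmac.compare_digest(signature, sign(self.device_key, challenge, REAL_ORIGIN))
        if ok:
            self.sessions.append("session-" + secrets.token_hex(4))
        return ok


class PhishingProxy:
    """Fake pages that replay whatever the victim types on the real site at once."""

    def __init__(self, real):
        self.real = real

    def fake_password_page(self, password):
        return self.real.login_password(password)

    def fake_code_page(self, code):
        return self.real.login_code(code)

    def fake_key_page(self, authenticator):
        challenge = self.real.challenge()          # fetched from the real site
        return self.real.login_assertion(challenge, authenticator(challenge))


def relay_with_sms_code(password="correct horse"):
    """True if the attacker ends up holding a session on the real site."""
    real = RealService(password)
    proxy = PhishingProxy(real)
    proxy.fake_password_page(password)   # victim types password into the fake page
    code_on_phone = real.pending_code    # seconds later the genuine code arrives
    proxy.fake_code_page(code_on_phone)  # victim types it into the fake page
    return len(real.sessions) == 1


def relay_with_security_key(password="correct horse"):
    """Same relay against an origin-bound credential; True if it succeeds."""
    key = secrets.token_bytes(32)
    real = RealService(password, device_key=key)
    proxy = PhishingProxy(real)
    proxy.fake_password_page(password)
    # The victim's browser is on PHISH_ORIGIN, so that is the origin it signs.
    proxy.fake_key_page(lambda challenge: sign(key, challenge, PHISH_ORIGIN))
    return len(real.sessions) == 1


def genuine_login_with_security_key(password="correct horse"):
    """Control case: the same key works when the user really is on REAL_ORIGIN."""
    key = secrets.token_bytes(32)
    real = RealService(password, device_key=key)
    real.login_password(password)
    challenge = real.challenge()
    return real.login_assertion(challenge, sign(key, challenge, REAL_ORIGIN))
```

relay_with_sms_code() returns True (the attacker holds the session), relay_with_security_key() returns False, and genuine_login_with_security_key() returns True. Real WebAuthn goes one step further than this simulation: the browser refuses to sign at all when the page’s origin does not match the site the credential was registered for, so the victim never even produces a signature for the phishing page.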

How do you protect against this type of attack? Don’t use links in emails to verify possible account compromises. Instead, use a bookmark or search result to visit the account website and check the security status or change your password there.

Brazen phishing email asks for passport information – 12/17/18

This week a new phishing email is popping up in Mount Royal inboxes. The cheeky criminals are coming right out and asking for passport details as well as other personal information. They don’t even bother with links or fancy lookalike web pages.  They just ask for your information so they can “send you money”.  The email looks like this:

Because this is a low-tech scam, people tend to let their guard down and be more receptive to getting hooked. The scammers count on this and hope the victim gets excited enough about the possibility of free money to give up their personal information.  Once they have it, they can use it to steal the victim’s identity and wreak havoc on their life.

This is definitely a case of, if it seems too good to be true then it probably is. No bank will email you out of the blue to ask for passport information. If you refuse to accept reality and want to cling to hope, then contact the bank directly, using a phone number from its website rather than one from the email, to ask whether they are trying to transfer you money.  Don’t ever send personal information like passport, driver’s licence or credit card details in an email.

Cyber criminals try bomb threats, fail and turn to threats of acid attacks – 12/14/18

Last week inboxes across North America received extortion emails that threatened to blow up the recipient’s place of business if they did not immediately pay $20 000 in bitcoin. The good news is there was no bomb.  The bad news is not everyone understood that.

Police departments across the continent were flooded with calls from panicked citizens reporting the bomb threats.  The threats were so disruptive that police forces in the US and Canada issued statements and held press conferences assuring citizens that the threats were a hoax and part of a mass phishing scam.

Unfortunately for the criminals, no one is paying the extortion fee. So while they get an A for getting everyone’s attention, they get an F for not making any money.

Having bombed with their bomb scare (sorry, I couldn’t resist), this week the criminals are threatening an acid attack if they aren’t paid. Apparently they are trying to repeat the success of their sextortion scam which netted them $146 380 in three days. So if you receive an email in broken English threatening to throw acid in your face if you don’t pay up, delete it.

Sextortion attacks become more sinister – 12/10/18

By now most of you will have received, or at least heard of, the sextortion email scam which threatens to out you for being naughty if you don’t pay up.  That scam was relatively harmless, as it was all a bluff and no malicious links were included in the email.

However, the creative criminals have now upped the ante and are using phishing emails containing a link to a video they claim is evidence of your naughtiness. Clicking that link downloads a zip file containing malware onto your machine.  You are okay as long as you don’t open the zip and run the files inside it. If you do, you are rewarded with ransomware being installed on your machine.  Ouch!

Although this scam now includes phishing links, you can still avoid a surprise even nastier than the video they claim to have of you. When an email makes you panic, someone might be baiting you: stop and think before you click.

Academic institutions targeted with malicious Chrome extension – 12/06/18

A phishing campaign has been targeting academic institutions. The phishing emails appear to come from a post-secondary institution and contain a link to a web page that hosts a harmless PDF. When the link is clicked, the user is asked to install the Font Manager extension from the Chrome Web Store.

Users who checked the reviews for the extension found lots of good reviews as well as a few bad ones. It turns out the clever criminals copied reviews from other extensions to make Font Manager look more legit and increase the chances people would install it.  The funny thing is they copied the bad reviews as well as the good ones.  For the most part the ruse worked, with the extension being downloaded hundreds of times. Once installed, the malicious extension logged keystrokes and allowed the hackers to access the network and desktops remotely.  Several universities have been compromised as a result.

The malicious extension was only discovered because the criminals blew it. University employees arrived in the morning to find their browsers open to English-Korean translators and their keyboard layout switched to Korean. As the employees weren’t conducting research on Korean websites, they knew something was up.  Had the hackers been more on the ball, who knows how long they would have retained network access.

Font Manager has been removed from the Chrome Web Store.  However, this is a gentle reminder to install only extensions that you know are safe and absolutely must have, and to read the permissions an extension asks for before you accept them: one that wants to read and change your data on all websites can see everything you type into your browser.