IT Security Blog

Must Read – Hard to detect MailChimp phish hits MRU 01/15/19

The latest phishing attack to hit inboxes on campus is absolutely diabolical. It looks 100% legitimate and contains legitimate-looking links. In addition, the technique the clever criminals are using bypasses our protective measures, preventing us from keeping it out of inboxes. If we block it, we block all MailChimp emails.

Let's take a closer look at this bad boy.

Pretty impressive, isn't it? What is even more impressive is that hovering over the links displays mandrill.com, which is MailChimp's legitimate tool for tracking clicks, dealing with payments, account settings, etc. However, if you click the link you get sent to:

While us14-mailchimp kinda looks legit, it is the wrong URL for MailChimp. However, the page looks like a MailChimp login page. We didn't follow along further to see what happens after you enter your username and password. However, we are pretty sure the next page would be asking for credit card information. The crooks are pretty darn smart. If you log in and then get wise and don't enter your credit card information, they still get access to your MailChimp account, which they can use to send out more phishing emails to other unsuspecting users. It's brilliantly done.

As smart as the hackers are, Mount Royal employees are smarter. This email was forwarded to abuse@mtroyal.ca by one of our own. That's right, one of our own employees tagged this bit of nastiness. I couldn't be prouder! They didn't recall having a paid MailChimp account and recognized that the sender's email address was off.

So how do you protect yourself from an attack this well executed? Do what your colleague did: don't click the links in the email. If you have a MailChimp account, log in to it directly using a bookmark or search result. If there is a problem with your account, the information will be available there. If everything turns out to be in order, you know the email is a phish. Forward it in its entirety to abuse@mtroyal.ca and your work as a cyber security superhero is done!
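The trick in this phish is that the link you hover over belongs to a real click-tracking domain, while the page it finally lands on does not. The script below, an added example rather than anything from the blog or from MailChimp, shows the check a help desk can run on a reported link: walk the redirect chain, then compare the final hostname against an allow-list of the brand's real domains. The redirect table and the look-alike host `us14-mailchimp.example` are constructed stand-ins (the post does not give the real landing address); a production version would issue HEAD requests instead of consulting a table.

```python
"""Does a link land where its hover text suggests? Added example; the redirect
chain and the look-alike host are constructed, not indicators from the post."""
from urllib.parse import urlparse

# Domains that genuinely belong to MailChimp / Mandrill (assumption: an allow-list
# maintained by the help desk; extend it for your own environment).
LEGIT_SUFFIXES = ("mailchimp.com", "mandrillapp.com", "mandrill.com")

# Constructed redirect chain standing in for what a click tracker returns:
# the hover text shows a mandrill.com link, the landing page is somewhere else.
CONSTRUCTED_REDIRECTS = {
    "https://mandrill.com/track/click/EXAMPLE": "https://us14-mailchimp.example/login",
}


def is_legit_host(host: str) -> bool:
    """True only if the host *is* an allow-listed domain or a subdomain of one.
    'mailchimp.com.evil.example' fails because the suffix check is anchored."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def follow_redirects(url: str, table=CONSTRUCTED_REDIRECTS, max_hops: int = 10) -> list:
    """Walk the (constructed) redirect table; real code would issue HEAD requests
    and read the Location header. max_hops stops redirect loops."""
    chain = [url]
    while chain[-1] in table and len(chain) <= max_hops:
        chain.append(table[chain[-1]])
    return chain


def assess_link(url: str) -> dict:
    """Classify the final landing host: 'ok' (allow-listed), 'lookalike'
    (brand name in the host but not an allow-listed domain) or 'unrelated'."""
    chain = follow_redirects(url)
    final_host = urlparse(chain[-1]).hostname or ""
    brand_in_name = "mailchimp" in final_host or "mandrill" in final_host
    if is_legit_host(final_host):
        verdict = "ok"
    elif brand_in_name:
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"chain": chain, "final_host": final_host, "verdict": verdict}


if __name__ == "__main__":
    for link in ("https://mandrill.com/track/click/EXAMPLE",
                 "https://us14.admin.mailchimp.com/campaigns",
                 "https://mailchimp.com.evil.example/login"):
        r = assess_link(link)
        print(f"{r['verdict']:9} {link} -> {r['final_host']}")
```

The point of the anchored suffix check is that a hostname merely *containing* "mailchimp" proves nothing; only the registrable domain at the end of the name matters, which is exactly what the hover text hides.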

Hackers thwart two-step verification with phishing emails – 01/02/19

Those clever hackers are at it again. They have figured out a way to get around two-step verification on Gmail and Yahoo accounts. They are using fake alerts to lure their victims into giving up verification codes.

The scam works like this. First you receive an email saying your account may have been compromised. The email includes a button to take you to your account to check its activity. However, when you click the button you are sent to the hackers' web page, which looks like an official login page. When you enter your password, another fake web page appears asking for a verification code. All of this seems perfectly normal as the pages look just like the real thing.

Unfortunately, the hacker has recorded your login credentials. They then use those credentials to log in to the actual account website, which generates a verification code that is sent to your phone. You receive the code seconds after entering your credentials, so you think nothing of it. You enter the verification code into the fake website. The code is recorded by the hackers and they enter it on the real two-step verification page. To keep you from getting suspicious, you are sent to another fake web page asking you to change your password. Once you “change your password” you are redirected to a real account web page. They now have access to your account and you are unaware something is amiss.

How do you protect against this type of attack? Don't use links in emails to verify possible account compromises. Instead, use a bookmark or search result to visit the account website and check the security status or change your password that way.

Brazen phishing email asks for passport information – 12/17/18

This week a new phishing email is popping up in Mount Royal inboxes. The cheeky criminals are coming right out and asking for passport details as well as other personal information. They don't even bother with links or fancy look-alike web pages. They just ask for your information so they can send you money. The email looks like this:

Because this is a low-tech scam, people tend to let their guard down and be more receptive to getting hooked. The scammers count on this and hope the victim gets excited enough about the possibility of getting free money to give up their personal information. Once they have it, they can use it to steal their identity and wreak havoc on their life.

This is definitely a case of, if it seems too good to be true then it probably is. No bank will email you out of the blue to ask you for passport information. If you refuse to accept reality and want to cling onto hope, then contact the bank directly to ask them if they are trying to transfer you some money.  Don’t ever send personal information like passport, driver’s license or credit card information in an email.

Cyber criminals try bomb threats, fail and turn to threats of acid attacks – 12/14/18

Last week inboxes across North America received phishing emails that threatened to blow up their place of business if they did not immediately pay $20 000 in bitcoin. The good news is there was no bomb.  The bad news is not everyone understood that.

Police departments across the continent were flooded with calls from panicked citizens reporting the bomb threats.  The bomb threats were so disruptive that police forces in the US and Canada issued reports and held press conferences assuring citizens that the threats were part of a phishing scam.

Unfortunately for the criminals, no one is paying the extortion fee. So while they get an A for getting everyone’s attention, they get an F for not making any money.

Having bombed with their bomb scare (sorry, I couldn’t resist), this week the criminals are threatening an acid attack if they aren’t paid. Apparently they are trying to repeat the success of their sextortion scam which netted them $146 380 in three days. So if you receive an email in broken English threatening to throw acid in your face if you don’t pay up, delete it.

Sextortion attacks become more sinister – 12/10/18

By now most of you will have received or at least heard of the sextortion email scam which threatens to out you for being naughty if you don’t pay up.  This scam was relatively harmless as it was all a bluff and no malicious links were included in the email.

However, the creative criminals have now upped the ante and are using phishing emails containing a link to a video they claim is evidence of your naughtiness. Clicking on that link loads a zip file containing malware onto your machine. You are okay as long as you don't run the files. If you do, you are rewarded with ransomware being installed onto your machine. Ouch!

Although this scam now includes phishing emails, you can still avoid a surprise even nastier than the video they claim to have of you. When an email makes you panic, someone might be baiting you: stop and think before you click.

Academic institutions targeted with malicious Chrome extension – 12/06/18

A phishing campaign has been targeting academic institutions. The phishing emails appear to come from a post-secondary institution and contain a link to a web page that hosts a harmless PDF. When the link is clicked, the user is asked to download the Font Manager extension from the Chrome Web Store.

Users who checked the reviews for the extension found lots of good reviews as well as a few bad ones. It turns out the clever criminals copied reviews from other extensions to make Font Manager look more legit and increase the chances people would download it. The funny thing is they copied the bad reviews as well as the good ones. For the most part the ruse worked, with the extension being downloaded hundreds of times. Once downloaded, the malicious extension logged keystrokes and allowed hackers to gain access to the network and desktops remotely. Several universities have been compromised as a result.

The malicious extension was only discovered because the criminals blew it. University employees arrived in the morning to find their computers' browsers opened to English-Korean translators and their keyboard switched to Korean. As the employees weren't conducting research on Korean websites, they knew something was up. Had the hackers been more on the ball, who knows how long they would have retained network access.

Font Manager has been removed from the Chrome Web Store. However, this is a gentle reminder to only download extensions that you know are safe and you absolutely must have.
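An extension that logs keystrokes on every site has to ask for access to every site, and that request is written down in its manifest. The script below is an added example (not the blog's or Google's tooling) of how to take stock of what is installed in a Chrome profile: it walks the profile's `Extensions` folder, reads each `manifest.json`, and flags extensions whose permissions or content-script matches cover all pages. The two extensions it inspects are constructed in a temporary directory so the example runs offline; point `inventory()` at a real profile path (shown in the comments) to use it for real. Note that many real manifests give their name as a localisation key such as `__MSG_appName__`, which this example does not resolve.

```python
"""Inventory a Chrome profile's extensions and flag broad permissions.
Added example; the profile it scans is constructed in a temp directory."""
import json
import tempfile
from pathlib import Path

# Where Chrome keeps unpacked copies of installed extensions (per profile):
#   Linux:   ~/.config/google-chrome/Default/Extensions
#   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
# Layout underneath: <extension id>/<version>/manifest.json

# Permissions / match patterns that give an extension reach into every page
# or into the host (assumption: a starting list, tune it for your own review).
BROAD_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
               "tabs", "webRequest", "nativeMessaging", "debugger"}


def risk_of(manifest: dict) -> list:
    """Collect the requested permissions, host permissions and content-script
    match patterns, and return the ones on the broad list (sorted)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return sorted(p for p in perms if p in BROAD_PERMS)


def inventory(extensions_dir: Path) -> list:
    """One record per installed extension version: id, name, version, broad perms."""
    found = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        found.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),       # may be a __MSG_..__ key in real manifests
            "version": manifest.get("version", "?"),
            "broad": risk_of(manifest),
        })
    return found


def build_constructed_profile() -> Path:
    """Create a throwaway Extensions folder with two constructed manifests:
    one harmless, one that injects a script into every page and reads tabs."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Harmless Notes", "version": "1.0", "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Constructed Font Helper", "version": "2.3",
            "permissions": ["tabs", "storage"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = root / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for rec in inventory(build_constructed_profile()):
        flag = "REVIEW" if rec["broad"] else "ok"
        print(f"{flag:6} {rec['id']} {rec['name']} {rec['version']} {rec['broad']}")
```

A broad permission is not proof of malice (an ad blocker legitimately needs all-URL access), but it is exactly the set of extensions worth asking "do I absolutely need this?" about, which is the question the post ends on.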

Watch for fake Black Friday offers – 11/19/18

It’s that time of year again. Retailers are sending out emails teasing you with their upcoming Black Friday deals that are too incredible to believe. Criminals love to take advantage of this flurry of email activity by sending out their own offers, mimicking legitimate retailers and luring consumers into giving up their login credentials or downloading malware onto their device.

If you receive an email with one of these truly fabulous offers, visit the retailer's website directly rather than clicking links in the email. The retailer's offers will be on their website if they are legitimate. Happy shopping!!

 

Must Read – MRU impersonators are back – 11/16/18

They’re baaack!

A few weeks back I warned the Mount Royal community that emails were making the rounds that appeared to be from Mount Royal employees. Typically the impersonated employees were supervisors of some sort and the emails were sent to their reports. The criminals were taking advantage of our natural tendency to pay attention and take action when we are contacted by our supervisor.

Unfortunately, the scam is back. Thankfully abuse@mtroyal.ca has been flooded with reports and no one has yet taken the bait. However, just to be on the safe side, I thought I would give everyone a friendly reminder to check the sender's email address before responding to an email.

Look for these phishing emails showing up in MRU inboxes – 11/08/18

There are two phishing emails that are making the rounds through the Mount Royal community.  The first is a notification that we are migrating to Staff Outlook 2018.

Of course, no such thing is happening. The second appears to be from payroll:

The majority of you will look at the addressing information for both of these emails and immediately recognize they are fake. However, there is a small number of you who neglect to check the addressing information of an email before you decide to click. Out of that group, there is an even smaller number of you who process emails when you are distracted and will quickly scan the email, fail to notice the grammatical errors but pick up on its urgency and click in a panic. It is that small group that I am hoping will read this article and realize:

  1. Checking the email address of the email sender will save you time. If the email address is wrong, you don't even have to read the email; you can just forward it to abuse@mtroyal.ca or delete it.
  2. If you have an emotional reaction to an email, there is a good chance you are being baited to click on something you shouldn't. Stop what you are doing and take a closer look at the email.
  3. It takes a lot more of your time to have your machine re-imaged than it does to slow down and look carefully at emails with links or attachments.

All it takes is one click and a whole day is lost re-imaging your machine, apologizing to colleagues, apologizing to students and feeling like an idiot. All it takes is one click and the whole network can be shut down. Join the rest of us who slow down, check the sender's email address and giggle “Nice try”.

Must Read – Phishing emails are targeting educational organizations – 10/26/18

A new type of phishing email is making the rounds. This one targets the employees of a specific educational institution and appears to come from the president. It includes the right signature line and logo to reinforce the deception. Subject lines of the emails include:

  • Codes of conduct
  • Ethical standards
  • Proper workplace behavior
  • Rules governing conflicts of interest

The emails tend to announce new policies around employee conduct or discuss the renewed focus on ethical professional behavior. They look something like this:

They include an attachment that, when opened, takes the employee to a web page that looks like a legitimate login page. What makes this one truly diabolical is that once the login credentials are entered, the employee is taken to a legitimate website so they think nothing is amiss.

This is a great time to remind everyone to confirm the legitimacy of emails containing links or attachments that they are not expecting. As criminals can now make it look like an email is coming from someone you know, right down to the correct email address, there is no way to tell if an email is a phish or not unless you contact the person who appears to have sent it.
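Three of the posts above (the impersonated supervisors, the Staff Outlook and payroll phishes, and this president impersonation) come down to the same check: look at the real sender address, not just the name shown beside it. The script below is an added example, not the blog's or the university's tooling, of doing that check on a raw message with Python's standard `email` library. It flags three things: a display name that claims the organisation while the address is from another domain, a Reply-To that points somewhere other than the From domain, and, for the "right down to the correct email address" case, a From address at the organisation's domain whose `Authentication-Results` header (added by the receiving mail server) does not show `dmarc=pass`. The organisation domain `mtroyal.ca` is the one the posts name; the three messages and the `mx.example` authserv-id are constructed.

```python
"""Check a message's addressing the way the posts ask readers to.
Added example; the messages below are constructed, not real phishes."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "mtroyal.ca"                 # from the posts
ORG_NAMES = ("mount royal", "mtroyal")    # assumption: how the org appears in display names

# Constructed messages (line endings and headers as a mail client would see them)
PAYROLL_PHISH = b"""From: "Mount Royal Payroll" <payroll-notice@mail-updates.example>
Reply-To: payroll-notice@mail-updates.example
To: staff@mtroyal.ca
Subject: Action required: updated pay stub
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail-updates.example; dmarc=none

Please log in to confirm your banking details.
"""

SPOOFED_PRESIDENT = b"""From: "Office of the President" <president@mtroyal.ca>
Reply-To: president.office@external-mail.example
To: staff@mtroyal.ca
Subject: Codes of conduct
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mtroyal.ca; dkim=none; dmarc=fail

See the attached policy.
"""

LEGIT_COLLEAGUE = b"""From: "Jane Doe" <jane.doe@mtroyal.ca>
To: staff@mtroyal.ca
Subject: Lunch on Friday?
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=mtroyal.ca; dmarc=pass

Pizza?
"""


def auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= results out of Authentication-Results headers.
    A missing header simply yields an empty dict (treated as 'absent')."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for token in str(header).replace(";", " ").split():
            if "=" in token:
                key, value = token.split("=", 1)
                if key in ("spf", "dkim", "dmarc"):
                    results[key] = value.lower()
    return results


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: bytes) -> list:
    """Return a list of human-readable warnings; empty means nothing looked off."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = domain_of(reply_addr)

    if any(name in display.lower() for name in ORG_NAMES) and from_domain != ORG_DOMAIN:
        warnings.append(f"display name claims the organisation but address is at {from_domain}")
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To goes to a different domain ({reply_domain})")
    dmarc = auth_results(msg).get("dmarc", "absent")
    if from_domain == ORG_DOMAIN and dmarc != "pass":
        warnings.append(f"From claims {ORG_DOMAIN} but DMARC result is {dmarc}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("payroll", PAYROLL_PHISH), ("president", SPOOFED_PRESIDENT),
                       ("colleague", LEGIT_COLLEAGUE)):
        print(label, analyze(raw) or ["nothing odd in the addressing"])
```

The DMARC check is the one that catches the "correct email address" case the post describes: a forged From at your own domain can look perfect in the client, but it will not carry a passing DMARC result from your own mail server unless the sender actually controls that domain's mail. Seeing the Authentication-Results header usually means opening the message's "show original" or "view source" view, so for everyday use the first two checks (address and Reply-To) are the ones to do by eye.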