Cybersecurity Blog

Coronavirus-based attacks are rampant – 03/19/20

As employees all over the world are working from home, criminals are ramping things up, hoping to take advantage of the less secure networks that people tend to have at home. We are seeing surges in phishing emails on campus and across the world related to working from home, as well as an increase in malicious websites. It has gotten so bad that the US Secret Service has issued a warning. Here are some things to watch out for.

The fake VPN

As employees struggle to set up a home office, they are signing up for and downloading VPN services at record rates. While all of our employees have the advantage of using SRAS, many smaller organizations do not have their own VPN tool and are asking employees to install one on their home computer. If your spouse or roommate is in this situation, warn them to be very careful about what VPN they download. Cyberattackers are offering fake VPN services that download malware onto your machine in record numbers. Make sure they check reviews of the service to ensure it is reputable before they install it on their machine.

Fake COVID-19 trackers

As people attempt to live their lives and stay safe, many are turning to maps that track the location and incidence of infections. Criminals are getting wise and creating their own versions of these tracking websites that infect your computer with malware.

Some enterprising scammers have also created phone apps that supposedly track the infection rate but load your device with ransomware instead. Stick to well-known and reputable websites such as Alberta Health Services and the World Health Organization to get your information about the virus, and stay away from any apps related to it, including ones that tell you how to get rid of it.

Phishing emails about working from home and COVID-19

Phishing email attacks are off the scale. Attackers are sending everything from fake emails from your organization about working from home to offers of vaccines and cures. One of their favorites is fake GoFundMe pages with coronavirus victims pleading for medical help. Another is pretending to be a colleague who is quarantined and needs help.

You name it, the depraved are going to try it. During this time it is especially important to be vigilant. If you receive an email that doesn’t come from a Mount Royal email address, question its validity. While you are working at home, make sure you use your Mount Royal email address to send business correspondence. DO NOT use your personal email address. This will make it easier for your colleagues to stay safe.

Sources:

https://www.securityweek.com/researchers-track-coronavirus-themed-cyberattacks
https://www.securityweek.com/other-virus-threat-surge-covid-themed-cyberattacks

Our president isn’t announcing a new Responsible Use of Technology policy – 02/16/20

The attackers are at it again. This time they have tried to hide behind threats of disciplinary action. Check out the latest phishing email to hit the campus:

This nasty thing mostly landed in spam folders. However, some of you would have found this in your inbox. The premise is plausible and the PDF attachment looks harmless. If you were to open this email on your phone, the odds are very good that you would assume the email is legitimate. However, if you open the attachment, a nasty surprise awaits. This is a gentle reminder to double-check the sender’s email address before you make a decision to act on an email.

Fake UPS email showing up in campus inboxes – 02/13/20

Another day, another fake UPS email. Take a look at this sad excuse of a phishing email.

I really do expect more from an attacker. At least paste an out of focus logo into the email. If you want to steal my money, you should put in a bit more effort than this.

How cybersecurity experts become victims – 11/26/19

Every month I send out a nice little phishing training email to give our wonderful users across campus some practice identifying them. The people who click, whether they are repeat clickers, work in IT or are Cybersecurity Champions, all tell me the same thing. They were trying to determine whether to click or not while they were in a hurry or while they were on their phones.

The dangers of doing this were highlighted in the Our Community article “I knew I’d been scammed”, which details how one of Mount Royal’s community members became a victim of a gift card scam. Now KnowBe4 has written its own article describing how one of their cybersecurity professionals clicked on three phishing training emails in two months. In both cases the individuals were well educated in how to identify a phishing email but were in a hurry and using their phones. The message that keeps getting repeated is to SLOW down.

Before you decide what to do with an email, STOP. If you are on your phone, deal with it later at your workstation. If you are in the midst of doing 100 things, deal with it when you have time to evaluate it properly.

Taking these simple steps will help keep you from becoming a victim.

Watch for payroll related phishing emails – 11/05/19

Tuesday morning was an exciting one for the security team. Over 900 inboxes received the following email.

I am delighted to report that a huge number of you were superheroes and forwarded the email to abuse@mtroyal.ca. Thanks to you, we were able to block the target page and limit any damage. Even though so many of you spotted the email as a phish right away, with the high number of recipients Marketing and Communications made the unusual decision to issue a campus-wide alert.

While we were investigating the incident, we discovered that the attacker spent a lot of time viewing our Payroll webpage. There is an excellent chance that the attacker will use this information in the near future to create another phishing email.

We are asking everyone across campus to keep an eye out for payroll or HR related phishing emails in the next little while. If you receive an email that appears to come from HR or Payroll, please check the email address for accuracy. If it is correct, please call the sender to confirm that they actually sent the email.

Should you find the email to be malicious, do what your colleagues did this morning and forward the email to abuse@mtroyal.ca. You too can be a superhero!

Fake login pages mimic the real thing giving you no clue you have just been compromised – 10/25/19

For a while now, I have been warning about clicking on links in emails from organizations that you know. Instead, I have encouraged all of you to visit the organization’s website directly using a bookmark. A report of a new phishing campaign targeting Stripe users shows why this advice is so important to take.

This campaign involves an email that tells the intended victim that there is something wrong with their account details. They are asked to log in to their Stripe account to update them and are given a handy button that appears to take them to the Stripe login page. The page is of course a spoof, and although it looks exactly like the real one, all credentials entered are collected by the thieves.

The fraudulent page is set up so that once you have entered your credentials in the fake login page, the thieves use them to log you into your actual account. From your point of view, nothing is amiss. They now have your login credentials, you are none the wiser, and they have hours if not days to withdraw funds before you even notice.

Although this campaign is targeting Stripe users at the moment, the same tactic is used to target all sorts of users. This is a gentle reminder to not click on links in emails from organizations that you know, but to use a bookmark instead. If you don’t have the site bookmarked, you can use search results; however, proceed with caution, as more and more fraudulent sites are appearing there.

SIN number scammers calling MRU employees – 10/25/19

Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains there is an issue with your SIN number and as a result you are subject to legal action. You are asked to contact them immediately. Upon contacting them, you are told you must pay thousands in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.

What makes this scam so concerning is that the fraudsters are spoofing government agencies so the call looks like it is official. As well, they are often robocalls, which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.

No Government of Canada agency will call you over the phone and threaten you or ask for payment. Neither will the RCMP or police. If you receive a call of this nature, hang up the phone. If you are concerned there may be an issue with your SIN, you can contact the government directly by visiting their website. You can also check with Equifax and TransUnion to see if your SIN has been used to obtain additional credit without your knowledge.

New phishing email tactic, the found student pass – 10/17/19

Those clever cybercriminals have come up with another tactic to get you to click on something you shouldn’t. Introducing the “I found an ID pass” phishing email.

What makes this email so diabolical is that it has no sense of urgency. In fact, it asks nothing of you at all. It simply lets you know that a pass was found and it is being mailed. Its calm, indifferent manner lulls you into thinking the email is harmless. It counts on the reader being so curious that they throw caution to the wind and click on the link to see whose ID was found. Quite ingenious really.

If you receive an email of this sort, delete it and wait for the mail to arrive.

MRU employee checks for email legitimacy and talks to the hacker – 10/17/19

One surefire way to avoid becoming a victim of a cyberattack is to call the email sender to verify that they in fact sent the email. That is a message that I preach over and over again all over campus. I am happy to report that my message is being heard and acted upon…sort of.

Here is the email that one of our staff received in their inbox.

The staff member knows the sender and, aside from the poor grammar, the email is spot on. The attachment was indeed a SharePoint document, so she opened it. However, when she found nothing but a greeting link to another document, she paused. She knew that email addresses could be spoofed and realized she should confirm the legitimacy of the email. So she sent this email.

She correctly did not reply to the original email, but created a new one and sent it using an email address in her contact list. This is the reply that she received.

Before she could check the invoice, she received this email.

The sender’s email account had been hacked! It didn’t occur to our staff member that if someone else was using her colleague’s email address, it wouldn’t be her colleague who responded. She gets an A for verifying the legitimacy of the email. But she gets an F for talking to the hacker.

The lesson has been learned. When confirming email legitimacy, use the darn phone. A 30 second phone call can save you from a world of hurt.

Malicious links can hide in legitimate documents – 10/09/19

The tools that cybersecurity professionals use are getting more and more sophisticated. They can now identify a known malicious link or attachment and strip it from the email so it never arrives in your inbox. To get around that limitation, hackers are hiding their malicious links and attachments in legitimate documents. This latest attack is a perfect example of that tactic.

This one is scary in its precision. It was sent to only two email addresses. Both recipients have higher level network and financial access. The email looks like this.

It looks innocent enough. In fact, if you check the link, it goes to a Microsoft site. Clicking the link takes you here.

This is a legitimate OneNote notebook. The icons, however, are just pictures, not clickable links, and the links below them are flagged as malicious. Had the user clicked on the link, their login credentials would have been quietly harvested.

In this type of attack, the hacker often shares or pretends to share a document with you. The email usually asks for your input and is purposely vague and low key. Should you open one of these documents and find only links to another document, close the document and contact the IT Service desk. Your quick action could save your data.