Last week I posted about a scary new phishing email making the rounds. This phishing email is hard to detect because if appears as a reply to a previous email and it comes from someone you know. The email reads as follows:
Please see attached and confirm.
A Word document is attached to the email. If you open the email you get the following notification.
If you follow these instructions, you give Word permission to run the malicious macro embedded in the document and your machine is infected with malware. To make matters worse, it will then send out a similar email reply to select people on your contact list spreading the infection.
Several people in the Mount Royal community have already received this email and opened the attachment. Their machines were infected and are being re-imaged. We are unable to determine who will receive this phishing email next and it is too new for our anti-virus software to detect.
This is only one example of a whole family of malware that uses Word macros to infect your computer. The good news is, if you have macros disabled by default and you do not Enable Editing or Enable Content as instructed, you cannot be infected.
Some other examples of fake notifications to look out for are:
In each one of these instances, following the instructions will infect your machine with malware that could spread to friends, family and colleagues.
How to protect yourself from infection:
- Make sure Word Macros are disabled by default:
- Select File>options>Trust Center.
- Click the Trust Center Settings button.
- Select Macro Settings from the left menu.
- Select Disable all macros with notification.
- Click the OK button to exit the Trust Center Settings.
- Click the OK button to exit the Trust Center.
Note: Disabling macros in Word does not disable them in Excel and vice versa. You must change the settings in each application.
- Verify with the sender before opening any attachments.
- If you are prompted to Enable Editing or Enable Content, ignore the request. You do not need to Enable Editing or Content to view a document.
If you are unsure about the safety of an attachment, please contact the IT Service Desk. If you think you have received a phishing email, please forward the entire email to firstname.lastname@example.org.
The US Department of Homeland Security has issued an alert for the Bad Rabbit ransomware strain. It has crippled organizations in Russia and the Ukraine and has been found in the US. It is only a matter of time before it begins appearing here.
What does it do?
- It encrypts your files and extracts the login credentials for your computer.
How do I know I have been victimized?
- Your computer will start to run slowly.
- You are directed to a webpage that gives you 41 hours to pay the ransom to get access to your files or the ransom will go up.
How do you get infected?
- When visiting a legitimate website, a pop up appears asking you to install Adobe or the Adobe Flash Player.
- Downloading and installing either of these programs installs the ransomware.
What is IT Services doing to fight this attack?
- Our anti-virus is up to date.
- We are actively monitoring systems to detect any abnormal activity on the network.
What can I do to fight this attack?
- If you are prompted to download Adobe Flash Player or Adobe:
- Close the browser tab that contains the prompt.
- Open a new browser tab and visit www.adobe.com/ca.
- Search the Adobe website for the application and download it from there.
- If you are a victim, disconnect from the network immediately (pull the network cable or disconnect from WiFi) and contact the IT Service Desk at 403-440-6000.
If you have any questions or concerns, please contact the IT Service Desk.
In past posts I have talked about the importance of keeping your computer up to date by shutting it down each night. This week that is more important than ever. On Tuesday MIcrosoft released its latest updates for Windows, Office and other software which includes patches for 62 different vulnerabilities.
What is so important about patching these vulnerabilities? Hackers have known about some of these for a while and have already created malware that takes advantage of them. Keep your machine secure, shut down your machines this afternoon and get your updates.
Residence Services is reporting voice mail messages are being left on their phones threatening legal action if the call is not returned. The callers are requesting banking information and are calling from a 705 area code.
If you ever receive a threatening phone call requesting banking or personal information over the phone:
- Politely inform the caller you will call the organization or institution directly.
- Hang up.
- Call the organization or institution directly using a phone number that you know is legitimate. Do not use a phone number given to you by the caller.
Remember, if the call is legitimate you will be able to contact the caller through their organization/institution general contact number. If you cannot, you know the call is a scam and can ignore it. For more information on phone scams, check out the Crime Stoppers Telephone Scams page.
Mount Royal employees are being targeted in a new high impact email phishing campaign. What makes it so alarming?
- The email sender is David Docherty and it appears to be coming from his Mount Royal email address.
- It disguises its malicious intent by using a friendly tone and it doesn’t contain a link or attachment that usually accompanies a phishing email.
However, it should raise a red flag because normal payments are not requested this way. Take a look:
How do you protect yourself against this type of attack?
- Always pay attention when processing your emails. Do not multitask.
- Be familiar with your department’s procedures and processes. Anytime you receive an email that goes against those procedures or processes, you should contact the sender directly to confirm it’s legitimacy.
Remember, just because an email looks like it comes from someone you know, doesn’t mean it is. Just because an email doesn’t contain links or attachments, doesn’t mean it isn’t malicious.
Huge kudos to our people in Finance who identified this. You are our superheros!!
There are two new phishing emails that are making the rounds with fake invitations to view Google Docs. They are both very clever and they are both sent from someone that is in your contact list. The first one is a bit easier to spot as it looks something like this:
For those of you who have received an Invitation to View a Google Doc before, it is easy to pick up what is amiss with this email. However for those of you who haven’t, this is what a legitimate Invitation to View a Google Doc looks like. When you click the Open in Docs button, the document is opened for you.
The second phishing email is more sophisticated in that it looks a lot like a legitimate Invitation to View a Google Doc. The only thing missing from the email is the name of the document. However if you click on the Open in Docs button instead of viewing the document, a dialog box appears asking you for permission to access your email. This is the tip off that something is awry. Google Docs does not need access to your email to function.
If you see a dialog box instead of a document when you click the Open in Docs button, DO NOT CLICK on anything. Disconnect your computer from the Internet and call the IT Service Desk. If you want to learn more about this phishing campaign, check out the CBC article.
As these latest phishing campaigns show, criminals are getting more and more sophisticated in the development of their phishing emails. It is getting harder and harder to determine what is a legitimate email and what is a scam. To avoid becoming a victim of cyber crime, verify the legitimacy of all unexpected emails containing links or attachments regardless of who they come from.
Just a heads up for staff and faculty. If you take a look at your task bar in Windows and see a new icon, don’t worry it’s just McAfee’s updated logo. McAfee is the antivirus software that is loaded onto all Mount Royal workstations. Don’t have the new logo yet? Don’t worry the logo is updated in stages, it will eventually be your turn. If you have any questions or concerns, contact the ITS Service Desk.
A new phishing email is making the rounds at Mount Royal. The cyber criminals use an official sounding name and reference a fund transfer to entice people to open a password protected Word document.
As a password protected document adds a sense of legitimacy to a phishing email, ITS has decided to block all incoming emails that have password protected Office documents as attachments. If you have a legitimate need to receive a password protected Office document, please contact the ITS Service Desk.
On April 10, 2017 Google will start rolling out a new login screen. It will begin with limited release and then widen until all users are converted over. The new screen will no longer give you the option to Stay signed in. Instead all users will automatically be connected to Google/Gmail/Google Drive with this feature enabled.
Why is this a concern? Well, if you are using a public workstation in the library, a classroom or meeting room and you log out of the workstation you will not be logged out of Google/Gmail/Google Drive. The next user who starts up that workstation and opens Google Chrome will see all of your emails and files on display.
Starting today, we are asking that all faculty, staff and students logout of Google/Gmail/Google Drive before they logout of any computer or device that is not their own.
If you have any questions or concerns, please contact the ITS Service Desk.
A group of cyber criminals are having a lot of success with the latest spear phishing campaign. They are mining social media for information on where and when you may be traveling. Using this information they send out fake airline reservation confirmations or receipts that look just like the real thing using an email address that looks legit.
Many of these emails contain links to sites that look like the real thing, asking you to enter your username and password and encouraging you to open an attachment or click on a link that loads malware. The loaded malware allows the criminals to hack into the network.
These criminals are clever enough to vary the format of the email and the delivery method for the malware, making it more difficult to detect.
If you receive a confirmation for a flight or a receipt, do not click on any links or open any attachments. Instead, go to the website of the airline directly using a URL that you know is legit and check your account or reservation on the site itself.
If you do click on one of these links or open one of these attachments, please disconnect from the network and call the Service Desk at 403-440-6000 immediately.