A social engineering tactic dubbed Bazacall is making a resurgence. This attack method first appeared in March, 2021. It starts with an email that arrives in your inbox. They use a variety of scenarios, however all encourage you to phone a number to resolve an issue. Their favorites appear to be notifying you that a subscription is going to be renewed or that a free trial is over. Details on the nature of that subscription are often left out, making it more likely that you will call to clear things up.
When you call, the “customer service rep” on the phone directs you to a very realistic website. Sometimes these websites are spoofed sites of real businesses, other times the businesses are completely fictitious. Once you are at the website they walk you through the steps to cancel the subscription, telling you what to click. Everything seems perfectly legitimate until you reach the final step. The last click on the website opens an Excel file that asks you to enable Macros. If you continue to follow the instructions of the “rep”, the malware is downloaded and installed on your computer. The type of malware varies but typically they give remote access to your machine, allowing the attackers to gain access to to other devices on the network.
This phishing attack method is particularly dangerous as the email doesn’t contain any attachments or links which allows it to pass through inbox filters. In addition when you open it, it looks official and innocent. After all what can happen if you just call to cancel a subscription that you don’t want? However once you call, the “rep” is very good at social engineering. He or she develops trust and insists that this is the only way to ensure the charge doesn’t appear on your credit card.
The best way to defend yourself against this type of attack is to recognize that emails with vague information about a subscription being renewed are malicious. Thankfully with this attack you have a second chance to defend yourself. You can refuse to enable Macros when asked. Remember to use your common sense and don’t let yourself be bullied. There is no justification for enabling Excel Macros to cancel a subscription. If it doesn’t make sense, hang up.
The lowly Gmail Spam folder. It appears to collect nothing but garbage and is routinely ignored. It does however, have a function. It’s purpose is to keep spam and malicious emails out of your inbox while still allowing you to review them. These suspicious emails aren’t automatically deleted as Google recognizes it isn’t perfect and may wrongly identify an email as spam or malicious.
How should you manage your Spam folder? For the most part, it can be ignored. If you find that you are missing an email, you can go looking for it. However, I don’t recommend checking your Spam folder daily. If you are worried about missing emails, then a weekly check should be sufficient.
If you find an email in your Spam folder that you don’t think should be there, don’t move it immediately to your inbox. Open it first and check the banner at the beginning of the message. Google lets you know why the message was put there. If it is because it was marked Spam previously, then it is safe to move to your inbox. If however, it indicates that it contains a malicious link or attachment then leave the email where you found it as Google doesn’t make mistakes identifying malicious emails.
Fortunately, malicious emails found in your Spam folder don’t need to be reported to the IT Security Team. Google is already filtering them from inboxes so we don’t need to alert your colleagues. This saves us from replying to 57.3 million emails. You can simply delete them and get on with your day. Even better, let Google delete them for you. Messages in Spam that are 30 days old are automatically deleted.
This past year, Student Fees began issuing refunds through Interac e-transfers. Although students are notified in advance that a refund is coming, there is still some confusion about the legitimacy of these emails.
A sure fire way to ensure the refund is legitimate is to login to MyMRU and check your account balance. If you have been issued a refund, the amount will be posted there. If it matches the amount in the notification email then you know the e-transfer is legitimate.
If you are still not sure, you can email Student Fees at email@example.com and ask them if they sent you an e-transfer.
This week the phishing training program resumed. This gave everyone a chance to use the new PhishAlarm button to report the suspicious emails. For most of you, it worked great!. For some of you, not so much.
As the PhishAlarm button is a browser based tool (it works through your web browser), it can act up when your browser acts up. This is true for all browser based tools. When this happens it can usually be remedied by clearing your cache.
Your cache is where images and content are downloaded and stored. Your browser does this to save time loading a web page. The first time you visit it, it will load some key information into your cache. The next time you visit that page, instead of downloading it from the internet again, it goes to the cache and loads it from there. This makes the webpage load much faster. This is true whether the page is a just a boring website or a web based application.
So the next time the PhishAlarm button gives you an error message or any other web based application gives you trouble, clear your cache. It will empty all the information stored there and download it from the Internet again. This basically resets the application and it usually starts working. For details on how to clear your cache, check your browser’s help files.
There is a new phishing attack that is taking advantage of the widely acknowledged technology issues facing students, families, and educators. It is targeting educators, using infected attachments that masquerade as student assignments. The attachments contain ransomware that encrypts your files and locks you out of your devices until the ransom is paid.
In this type of attack, the hackers pose as a parent or guardian submitting a student’s assignment on their behalf. They claim that the student was unable to upload the document due to technical issues. The emails are very emotional and are designed to tug on the heart strings of the educator.
The subject lines the attackers have been using are:
• Son’s Assignment Upload
• Assignment Upload Failure for [Name]
• [Name]’s Assignment Upload Failed
Here is an example of the types of emails being used.
Often the attachment is a Word document . Once you open it, you are asked to “enable editing” and “enable content”. If you do, the ransomware is loaded onto your device.
This attack is very targeted, using contact lists available on the school’s websites to determine who to send emails to. Although the attackers are currently focusing on K through 12 schools, it is expected it will move to post secondary institutions next.
To avoid these types of attacks:
- Only accept assignments submitted through regular channels.
- Do not open an attachment unless you check the sender’s email address and know who the email is coming from.
- Verify the sender actually sent the message whenever possible.
- Do not enable content or editing on Word documents unless you are 100% certain of the sender’s identity.
- Do not enable macros on Word or Excel documents unless you have talked to the sender of the email to verify it is safe to do so.
If you are unable to contact the sender and aren’t sure of the legitimacy of an email, report is using the PhishAlarm button or by forwarding it to firstname.lastname@example.org.
Who would have thought that 2020 would have everyone who can, working and taking classes from home? In a few short weeks we had to find a workspace, navigate chaos at home and learn a whole new set of skills. In the shuffle, it is easy to have work/school seep into our home life and vice versa. While it is normal to have this happen occasionally, as a general rule you should make sure you are using your email accounts appropriately. Here are a couple of tips that will help you sort through the work/school/home mess.
Use your MRU email only for work/school purposes
While this was a good idea before the pandemic, it is even more important now. Criminals know our home networks don’t have all the security bells and whistles that are on our corporate networks. Attacks are on the rise as they look for vulnerabilities. One of those is using your MRU email for personal purposes.
The more places you use your MRU email address the greater the chances you are going to reuse passwords and expose yourself to credential stuffing. As we are notified when your MRU email address has been used for a login credential of a breached account provider, we sometimes find out more about your personal life than we would like. Save us both the risk and embarrassment. If an account is for personal use, use your personal email address for your username.
Don’t use your personal email address for work/school
Since we have begun working at home, it feels like I have responded to 55.1 requests to view Google documents. The requests have come for quick reference guides, user manuals, registration forms, you name it. Every time I have had to reply with…
This document is only viewable by those with a Mount Royal email address. Please login to your Mount Royal email to access the document.
It gets mighty tiresome. I don’t know who the requester is unless they use their Mount Royal email address. For that reason, I do not grant non MRU email addresses access to documents. Everyone on campus should be following this protocol.
As important as it is to use your work email address to access documents, it is even more important for attending Google Meetings. Don’t make your meeting host guess who you are or whether you should be attending. Make it clear you are supposed to be participating by using your Mount Royal email address.
When you must use your MRU email address
To access some accounts, you must use your Mount Royal email address as a username. In these instances it is especially important to use a unique password. It prevents criminals from gaining access to your email by using a password that they have stolen from another account provider.
By following these simple rules you will decrease your vulnerability to cyberattacks, protect your privacy and make your colleagues, instructors and students lives easier. Happy days for everyone!
All malware is not created equal. This week a particularly devious piece landed in an MRU inbox. It was wrapped up in a zip file attachment. Here is what the malicious email looked like:
This malicious email is hard to identify as it contains a previously sent email thread. Interestingly enough, there is no human behind this email. It was sent by malware. When it gets on your machine it picks an email in your inbox and replies to it. Sending a copy of itself to an unsuspecting recipient.
The email is generic enough to work with pretty much any email. However it is the vagueness that flags it as suspicious. The other tell is the sender’s email address. Because this is malware and not a person sending out the email, the sender’s email address is incorrect.
If you decide to click and open the attachment, you see an Excel spreadsheet with this in the first cell.
If you missed the other two red flags, this one is your last chance to dodge the bullet. This very official looking graphic is asking you to enable editing and content to be able to “decrypt” the document It is also telling you what type of device to use to view it. Anytime you have this kind of instruction given to you to view a document, close it immediately and report it.
The instructions are not there to enable you to view the document. They are there to ensure the malware can be installed and will function. By asking you to enable editing and content, it is bypassing the safety controls we have in place to prevent the running of macros. It is not “decrypting” anything. If you can’t open a document just by clicking on it, consider it a threat.
This is another reminder how important it is to check the sender’s email address before you open an attachment or click on a link. If you recognize it, contact the sender using another method and confirm that they sent the email. If you don’t recognize it, don’t click. You wouldn’t take candy from a stranger, you shouldn’t take attachments from them either; no matter how enticing they are.
IT Services is proud to announce the launch of a new reporting process for phishing emails. If you are an employee, you will be able to use our new PhishAlarm button. If you are not, you can forward emails to email@example.com, our new email address for everything cybersecurity related.
Reporting a malicious email as an employee
If you have taken a look at your Gmail side panel, you may have noticed this .
If you don’t see your side panel, click the arrow in the bottom right hand of your screen.
Previously if you found an email that you thought was dangerous to your colleagues or you weren’t sure if it was legitimate, you had to click the Forward button and then type in firstname.lastname@example.org in the To field. Now we have a handy button.
To report a malicious email using the PhishAlarm button
- Open the email
- Click the PhishAlarm button in the side panel.
- Click Report Phish. A confirmation pane appears.
- Click the X to close the confirmation pane.
Not only is the PhishAlarm button super easy to use, it sends the cybersecurity team more information about the email making it easier to investigate. It’s a win for everyone!
While we won’t be ignoring emails sent to email@example.com, we are encouraging employees with phishing email concerns to use the PhishAlarm button. If you click the button and see a popup displaying something that looks like this:
You are not registered as an authorized user. If you are an employee, completing a registration form will rectify the problem. If you are not, you are unable to use the PhishAlarm button and will have to forward suspicious emails the old fashioned way.
Reporting a malicious email if you are not an employee
Unfortunately, we are unable to offer the functionality of the PhishAlarm button to those who aren’t employees. You will still see the PhishAlarm button, but if you try to use it you will get an unauthorized user notification.
The good news is, we have created a new email for reporting cybersecurity incidents, firstname.lastname@example.org. This new email will make it easier for the cybersecurity team to identify which reported emails are a priority and to respond quickly. While we won’t be ignoring emails sent to email@example.com, we are encouraging people to use firstname.lastname@example.org going forward.
Criminals are sending phishing emails that look surprisingly legitimate. They appear to come from apparently trustworthy senders, like “cisco@webex[.]com” and “meetings@webex[.]com.” They emails urge recipients to take an immediate action in order to fix a security vulnerability in their WebEx software. The emails look like this:
If you click on the Join button, it will take you to a page that asks for your login credentials. Of course the login page belongs to the criminals and will only steal your credentials.
If you receive an email asking you to update software, do not click the links in the email. Instead, start up the software and check for updates by selecting Help from its menu and selecting About. You can also visit the official website for the software and load updates from there.
We have been notified that cybercriminals have registered and are using the domain www.mroyalu.ca as well as several other look-a-like domains. They are attempting to fool people into visiting their malicious websites.
While working from home, it is very important that you double check all links that you receive in emails and the sender’s email address.
If the link does not have mtroyal.ca, mru.ca, mrucougars.com or mymru.ca before the first single / in the URL, it is malicious.
Examples of legitimate URLs are:
Examples of fraudulent URLs are:
Please do not let curiosity get the better of you, and attempt to visit any of these fraudulent websites. They will harm your machine and/or steal your data.
If the sender’s email address ends in anything other than @mtroyal.ca, then it is malicious.
Examples of legitimate email addresses are:
Examples of fraudulent email addresses are:
Please be extra cautious at this time.