VM Notifications and Signature Requests are Fraudulent

Many of you have received (and some have reported – thanks!) two fairly new phishing emails to appear in our inboxes.

The first one is a (sometimes incorrectly) targeted voice mail notification. It appears to come from a Berry address if you don’t look closely. The subject line states “VM message from” and then has an area code and prefix, but the last four digits of the phone number are starred out. It also states that the VM was “received and processed” on a specific date. Opening the email shows an “Office365” logon and “Voicemail Service” in a large, plain type. It tries to get you to open an attachment which has an HTML link which most likely redirects to a fake Office365 login page.

Here is an image of the email:

The second type of phishing email is a fraudulent request for a signature on a document, ostensibly an auto proposal. These email also  purport to be from Berry, but actually come from another educational institution. The phishers have either compromised a mail server there or have simply rewritten the From address to look like “<your username>@<the other institution>.edu. The phishers also insert your username into the subject line, which is intended to grab your attention. The full subject line reads: Signature requested for “<your username> – Auto Proposal 20-21”

It gets weirder when you open the email to see the following in the body of the message:

Message Duration: 00:29 secs
Sent by berry.edu – Audlo Management Conferenclng System.

There is an attachment that is supposed to be a voice message, but is actually a document with a link in it, probably going to a fake login page, but you are not explicitly instructed to open it. Apparently, the phishers assume you will open it. Don’t do that…
If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

Photo Credit: Photo by Mael BALLAND on Unsplash

May News from Information Security

Wait?

It’s May already?

Where did April go?

It passed by as we were stuck at home and no, you didn’t miss the the April newsletter, as it was lost in the work-from-home shuffle. There’s a hint of a light at the end of the coronavirus tunnel as some businesses are opening and some restrictions lifted, but that’s all I’m going to say about that…

While we may not have been as busy during this time, phishers, scammers, and other bad actors have gone into overdrive. Some sources have placed the increased fraudulent traffic as 300% higher this last quarter over the same quarter from 2019. The amount of emails attempting to leverage the coronavirus and associated fears has grown astronomically and the phishers have an edge in this environment – we’re already stressed and uncertain.

There are emails purporting to have a cure for the disease, others with great deals on PPE (who figured that acronym would ever become common?), some trying to steal CARES relief funds, and others trying to convince people they have come in contact with someone with the virus. That’s just a tiny sample. There are some new articles on this site covering social media surveys, Skype password phishing, and complaint scams. The COVID-19 article was updated multiple times with new information. If you haven’t read those yet, you should check them out after you’re done reading this.

Myriad opportunities abound to phish, scam, and deceive people who have severe cases of cabin fever, restlessness and real fears about jobs and finances. No stress point is neglected in the daily attacks from bad actors trying to compromise accounts, steal credentials, and wreak havoc in an already chaotic environment. Many people are learning new ways to work, communicate, shop, eat, and socialize. All of the “new” is irresistible to scammers and phishers. Here is what I consider the number one safety tip (with some examples) to safely navigate this new (hopefully temporary) normal.

  • Almost all email should be considered suspect at this point. Apply a much higher grade of scrutiny to any and all emails you receive.
    • Emails like the ones mentioned in the Skype phishing article will appear to come from a variety of services, all of them trying to get you to click on that link or button in the email to check your notifications. Don’t!!! Simply log in to the site or service like you normally would, and if you have notifications, they will be there.
    • Emails asking for banking information or other financial information should be VERY carefully scrutinized. Most will be fraudulent. If you or a family member need to supply banking information to receive CARES funds or are having to deal with unemployment, make sure you are going to the right resources. Numerous government sites are available including the Health and Human Services site  and the primary government site about coronavirus information. The Georgia Department of Labor site is where to get answers about the process of receiving unemployment benefits.
    • Phishers haven’t given up on old themes. We have received plenty of emails to campus inboxes purporting to be from college department heads, all the way to President Briggs, asking you to for a “favor” or with an “urgent request”. Don’t fall for these! Check the From address and look for the external email banner to determine the validity of emails like this. The fact that they should be EXTREMELY rare should immediately render them suspect.

On a somewhat different topic, check out the new voicemail notification Quick Tip here on the site. It explains how to tell if a voicemail notification received via email is valid or not.

Here’s hoping that things will get back to normal soon, even if normal is slightly different. As always, if you ever have a question about an email or other questions about information security, please don’t hesitate to contact me at infosec@berry.edu, extension 1750 or 706-236-1750. I’m still working at home, like many others.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to the point we can do that).
Photo Credit: Photo by Jose Antonio Gallego Vázquez on Unsplash

“Complaint” Emails are Fraudulent

UPDATED (4/28/2020): A new variation on this phishing theme in these days of remote meetings is an email that invites you to a Zoom meeting with HR to discuss a matter important to your employment (first quarter review, personnel issue, contract termination, any job situation that would immediately raise your anxiety level). As usual, the grammar is poor and word choice is unusual for American English speakers.

The Zoom link in the email will bring you to a fake Zoom login page. It is so fake that it will explicitly ask you for your organization email username and email password. There’s no reason Zoom would ask for this information. A real Zoom login page would have a link to sign in with your organization’s credentials, but it does not call them “email username” and “email password”. 

Be very careful out there and think before you click. If you need to confirm a suspicious meeting with HR or anyone else, please call or email them directly. Don’t click on the link without confirming!

A common phishing email that recently has been increasing in frequency tries to convince you a complaint has been lodged against you, and that the police have been contacted. Other versions of this same phishing theme have mentioned docking your salary because of the complaint..

The emails seen here at Berry were simple, with poor grammar.

This is the text of the email

, good afternoon
We received a client complaint #2/691 on you in Berry College.
Complaint forwarded to local police department

Notice the comma at the front of the first line. This indicates that the phishers tried to mail merge these and failed or simply used a mail merge template, as there should be a name in front of the comma. Again, the grammar is terrible and the “#2/691” in the email is a link that might be tempting for you to click to see who complained about you. Don’t!!! The email came from an external email address, not from within the Berry email system as would be expected if this were real.

Other version of this phishing email purports to come from a “corporate lawyer” who “tried to reach you” but couldn’t. It asks for a time when can you be contacted and also provides a helpful and tempting link to review the complaint.

This is not how Berry does business, of course, and it should be obvious that this is a phishing email.

 

 

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo Credit: Photo by David Clode on Unsplash

Skype and Teams “Notification” Emails are Probably Fraudulent

Since so many people are now working from home, there have been persistent attempts to phish credentials from user of Skype (and other services, like Slack, Zoom, WebEx, or even just email) across the Internet. Since Berry uses Microsoft Office365, Skype for Business is part of our licensed portfolio of apps. If you use Skype, be wary of emails informing you of pending Skype notifications.

The email is well crafted and attempts to convince you to click on a “Review” button to see your notifications. With mostly accurate colors and fonts, it looks like any other notification you might receive from Microsoft. It may also even have the Berry logo at the bottom of the email.

If you click on the “Review” button, you will be presented with a login screen that appears to be secure, but it is not hosted on a Microsoft site. The last part of the domain it is hosted on is “.app”, which is a Google managed domain.

In general, do not click on links in notification messages (or any other email messages). Simply log in to the web site or service, and if you do have messages, they will be there.

UPDATE (5/4/2020): Since Skype for Business is being replaced by Teams, the phishing emails now purport to be notification from Teams.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to do that again!).

 

COVID-19/Novel Coronavirus Information Security Precautions

NOTICE! Further updates to this page will be announced on the Berry OIT social media platforms. We’re on Facebook (@BerryCollegeOIT), Twitter (@berryoit), and Instagram (@berrycollegeoit). Please check back here often, as tactics will change almost daily based on new events related to the virus. Updates will continue to be added to the bottom of this page and dated for easy following.

While we all should be washing our hands more frequently, using hand sanitizer, avoiding large gatherings, limiting our travel, and taking other physical precautions in response to the coronavirus. we also have to take into account information security precautions.

Criminals will use every ruse they can to try and take your money, steal your credentials or infect your computer with malware, including promising “coronavirus updates”, “miracle cures”, and other information and services. Many of these phishing emails will be believable, not just because the criminals may take care to craft them accurately, but because almost everyone has at least some small innate fear of this mostly unknown virus. There is urgency and “scariness” built right in, as the coronavirus will most likely affect all of us, at least indirectly, at some point.

Please be especially careful with any emails that attempt to manipulate you using fear of the coronavirus. Avoid and report emails that request donations, or claim to have “inside information” about the virus and the associated disease, COVID-19.

UPDATE (3/18) – also stay away from apps in the Apple Store and Google Play that are coronavirus related. The vast majority are designed to steal your data and credentials or take over your phone, or both.

If you want more information about it, your best bet is to stick to major news outlets like CNN, MSNBC and Fox News for more reader-friendly summaries, and the Center for Disease Control and Prevention, the World Health Organization, and the Georgia Department of Public Health for more detailed and localized information.

Please also consult the college’s update page for dealing with the coronavirus.

Links to other sources of information will be posted here as the situation develops, but your first stop should be the page above.

UPDATE (3/18): Here is the NCSA resources page mentioned in the March 18th email. https://staysafeonline.org/covid-19-security-resource-library/

UPDATE (3/23): Coronavirus-themed phishing emails are arriving in campus email inboxes now. They promise everything from where to find masks and other protective gear to the fact that you don’t need a vaccine to beat the coronavirus (true, but irrelevant). Some are attempting to impersonate the World Health Organization and the Centers for Disease Control and Prevention. Don’t be fooled! Report or delete these emails, don’t follow any links, and don’t open any attachments. Rest assured the WHO and the CDC will not email you directly with updates. You can visit these sites from the links above, or if you have them bookmarked now, as some do, use your bookmarks or Google to find the sites safely.

UPDATE (3/23b): Scammers are now using the promise of government stimulus checks to try and steal your credentials and financial information. They are also attempting to impersonate the IRS to achieve the same goals, with the same lure (stimulus checks). Don’t fall for these tricks! The government will not contact you via email and ask for private financial information.

UPDATE (4/1): For those of you using Zoom for classes or other duties – Due to a bug in how Zoom handles web and file addresses in the chat feature, OIT strongly recommends that you do NOT send links to resources for classes (or work) via chat, nor should you open any links in the chat window. Please put resource links for all classes in Canvas, and treat any link in the chat window as you would a link in an email, VERY SUSPICIOUSLY! Also, please make sure you are following ALL of the recommendations from OIT about securing Zoom sessions if you are using Zoom to conduct classes. These are found in a March 19th email from computing@berry.edu.

UPDATE (4/1b): Scammers have no shame. One of the newest phishing scams out there tries to convince you that they are contacting you from a hospital and that they know you have had contact with someone infected with the coronavirus. The scam attempts to have you download and open the attachment, then proceed to the nearest hospital. The attachment contains malware and will infect your computer. Even during a pandemic, don’t open attachments.

Also, scammers have registered hundred of new domains over the past few weeks with “zoom” in them somewhere and the websites associated with them are handing out malware to unsuspecting users who click on them. The real domain for Zoom is zoom.us. There is never any reason to go to the Zoom website to use Zoom. Download the Zoom app to your computer and do your work there. Be VERY cautious with emails that purport to be from Zoom.

Finally, a group of scammers are going “old school” to infect users. They are mailing (yep, snail-mail) USB drives to potential victims, sometimes accompanied by gift cards or other lures to get users to plug them into their computers. Don’t ever plug in a USB drive of unknown origin into your computer! The USB drives sent by these scammers will install malware that will allow them access to your computer. Don’t fall for it!

Photo Credit: Photo by Dimitri Karastelev on Unsplash

Microsoft Update via Email is Fake!

A new scam going around is an alleged Microsoft Windows update delivered via email. The email instructs the recipient to “Please install the latest critical update from Microsoft attached to this email.” The attachment is actually a malware file that will encrypt all the files on the disk and demand a ransom, AKA ransomware.

Microsoft will NEVER email you an update, much less a “critical” update.

Please report these emails using the “Report Email As Phishing” button or simply delete them if that is not available to you.

If you have any questions about these emails please contact Information Security at x1750 (706-236-1750) or at infosec@berry.edu.

If have received one of these emails already and opened the file, please contact the Technical Support Desk at x5838 (706-238-5838) or computing@berry.edu.

Phisher’s New Ploy – Keep Your Current Password!

The newest ploy by phishers circulating the Internet now is a “keep your current password” scam. The email (full text below) claims that your account expires today!!! and if you “kindly” use the button below, you can continue to use your current password. The reasons given for requiring this verification is to “shut down robot or malicious users”.

If you “kindly” click on the button, you will be asked to log in to your email account, at which point the phishers have your current password and proceed to use your account to send phishing and spam emails or try to access your other accounts where you might have reused that same password.

Here’s the full text (with example.com used as the domain):

Your account xxx@example.com password expires today 11/11/2019 6:26:44 a.m.

Please kindly use the button below to continue with the same password

Keep same password

NOTE : This is a one time user verification carried out in purpose to provide a more secured platform and shut down robot or malicious users created in purpose of spamming and other fraudulent activities .

Copyright © 2019 example.com security management

Notice the poor grammar and the use of “kindly” in the message, plus the very real fact that if your password is expired, that means it is time to CHANGE it, not reuse it.

If you receive an email like this, please simply report it using the “Report Email As Phishing” button or delete it.

If you have any questions, please email infosec@berry.edu or give me a call at x1750 (706-236-1750).

If you have already received an email like this and decided to “keep your password”, please immediately change your password, and email computing@berry.edu to report the incident.