July News from Information Security

Well, 2020 has been a trip so far, wouldn’t you agree?

“Trip” might be an understatement. It’s as if our lives are as jumbled and chaotic as this pile of puzzle pieces. Nothing seems to make sense, or have any clarity whatsoever. Between the corona-virus, murder hornets, protests (and riots), cancel culture, and for extra flavor, all during an election year, I know many of you are weary and yearn for some good news.

This post is not that…I’m sorry.

We’ve been bombarded by all kinds of phishing emails. Thanks, again, to everyone who reports these and to those who simply delete them and move on. There’s no relief in sight for these. We will continue to be sent fake personal assistant jobs, fake upgrade notifications, fake meeting notifications, fake emails about ‘favors” and “urgent requests”, fake shared document notifications, and more. Please be vigilant, informed, and conscientious in handling your email.

One particular type of phishing email that has popped up recently (again) is one where a phisher uses old emails from a compromised account to attempt to get users to click on a link leading to a “report” or “project update” or other some important document. From your perspective, you see a familiar subject line in an email, potentially coming from a valid and known address, but in the body of the message, there is a sentence about an updated report or some other document that has nothing to do with the original email. It usually has a convenient link provided to view it. Don’t click the link! If you have any thought that it might be valid, contact the sender to confirm they sent it.

The other type of phishing email that was popular for a couple of days was the fake shared document notification. The email purported to be from a colleague, but the actual From address was not a Berry address. Also, the document was shared on some other cloud storage system other than OneDrive. Documents related to college business and activities should never be put on any other cloud storage service other than OneDrive. Be very careful with shared document notifications…always verify with the purported sender.

Email is also the subject of my next warning. During the early days of the corona-virus meltdown, many companies bought up vast amounts of protective gear, especially masks, gloves, and other disposable personal protective equipment (PPE). Some of these companies are now holding large quantities of PPE in stock and realizing they need to get rid of at least a portion of it. We have already seen some spam emails offering PPE and we will probably see more. You can either simply delete these emails or you can flag them as spam using the tools in Outlook. While I don’t mind them being reported via the “Report Email as Phishing” button, many technically aren’t phishing as much as simple spam. With that said, don’t hesitate to report any that you feel are more than just unsolicited commercial emails.

How to flag an email as spam? In Outlook, with the spam email open, there is a button on the left-hand side of the menu bar that lets you block the sender. It looks like a person with the red “circle-with-a-backslash” symbol (officially the “general prohibition sign”). The first option is “Block Sender” which will block the sender and send the email to the Junk folder.

One last thing. I’ve typed “Report Email as Phishing” more times that I want to count, and all the “cool colleges” have a nifty acronym for their phishing reporting tool, so I’ve decided we should also have one. Therefore, from now on, the “Report Email as Phishing” button will be referred to as the “REaP” button (capitalization/non-capitalization is intentional), which I think is fitting, as it allows us to “reap” phishing emails from our system. Yes, I know “reaping” generally means harvesting or gathering useful or good things, not dangerous emails, but the base action is fundamentally the same. Right? I’m glad you agree. Whew, that will save me twenty characters of typing per instance moving forward!

Be on the lookout for an announcement concerning the official opening of the Berry Information Security Phishbowl, or simply, the Phishbowl. I WILL NOT be using an acronym for that, thanks to the Urban Dictionary.

Here goes the usual reminders…

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (someday when the corona-virus crisis has passed…).

Photo Credit: Photo by Hans-Peter Gauster on Unsplash

Emails offering a personal assistant job opportunity are fraudulent

UPDATE: A new version of this fraud was sent from a compromised Berry account recently. The subject of the email was “P.A Job Offer”. It was offering $500 a week to be a personal assistant. As mentioned below, do not reply to this email, as it is an attempt to steal money from you.

An email has been sent to the majority of the Berry College students claiming to offer a work-from-home assistant job. This offer is fraudulent and is not a valid job offering. Do not send information to the address in the email or give out any personal information. The full text of the email is shown below for reference. The most obvious indicator of fraud is the fact that the sender in the “From” line ( not shown, but is in fact Jane.Lee@vikings.berry.edu) does not match the closing signature line (Jane Hickman). This type of email may show up again, slightly modified, with different names, wages or responsibilities, so be very careful with offers like this.

Hello and Good day,
Dr. Alex is currently looking out for an assistant who is self motivated, reliable, articulate and eager to learn with minimal supervision required to work-from-home part time as his Personal Assistant.

Job Scope:

> Manage diary and schedule meetings and appointments??
> Screen and direct phone calls and distribute correspondence
> Produce reports, presentations and briefs
> Make travel arrangements

Hours:  An Average of 12hrs weekly
Wages: $200.00 weekly

If interested, Submit your resume/cover letter directly to Dr. Alex via: alexwaton27@gmail.com

Sincerely,
Jane Hickman

Originally posted June 18, 2019. Updated June 22, 2020.

June News from Information Security

Welcome to the very late June newsletter!

A failure to plan and pre-write the June newsletter, plus a virtual conference during the first week of June, then a frenzy of activity at work, then a couple of vacation days has pushed this edition way past its normal publishing date.

But here we are, still stewing in the social distancing mire, but at least able to do more things, like eat AT restaurants instead of getting food delivered, or, gasp!, going out and picking it up curbside. I hope all of you are healthy and well and have been able to resume some sense of “old normalcy”.

As I mentioned in the last newsletter, phishers, scammers, and the like have been VERY busy trying to take advantage of this time of flux, if not outright chaos. I write this newsletter as cities around the country stagger under the effects of not just the coronavirus, but protests and riots. Both are happening, and many protests that start peacefully are stirred into riots by organized bad actors. I hope you or your loved ones have not been affected…and that’s all I’m going to say about that.

I’ve interacted with several of you about suspect emails over the last few weeks and I appreciate your caution and skepticism. Everything from fake voice mail notifications to fraudulent signature requests have arrived in our email inboxes. Companies continue to improperly care for the data they acquire from us. There are a couple of upcoming breach notifications that I need to finish and publish to the site.

With that said, I encourage everyone to go to Have I Been Pwned to see what data about you has been exposed. Notice I don’t say “IF” data has been exposed, but “what” data has been exposed. It’s easy. Go to the site, put in your email address(es), and be sure you are sitting down when you click “pwned?”. While you are there, sign up to be notified when information connected to your email addresses has been exposed. You’ll have to register each email individually.

As I mentioned in May’s newsletter, all email should be carefully examined. Actually, I said that “almost all emails should be considered suspect” and I stand by that statement. I also said that this was the number one safety tip I could offer during this time. Here are tips two and three.

Most Important Tip #2: Update your devices.

Your device, whether it is a Windows or macOS computer, or an Android or iOS device should be set to automatically update. If you have an undeniable fear of automatic updates, then at least make sure that update notifications are turned on. Then, when Windows or macOS notify you of an update, or your Android or iOS device chime to tell you an update is available, first confirm that it is a real update notification. Update notifications don’t come in your email, nor do they pop up inside your browser. These notifications come directly from the operating system of the device. Examples are shown below:

Windows 10 :

macOS:

Left iOS (iPhone and iPad) and Right Android phone (Motorola, others may vary)

Most Important Tip #3: Use a strong, unique password and multi-factor authentication for every login account you have.

What do I mean by a strong password?

  • At least 13 characters long, 20 is better…
  • Don’t worry about complexity unless the particular site or service requires it.
  • No dictionary words by themselves.
  • Do not use any part of your username or real name/nickname in the password.

What?! Thirteen characters? Twenty characters? Yes. Find a password manager you like and use it to both generate and store your passwords. That means you only need to remember one long password, to open the password manager. Longer passwords are better than short, complex passwords. If you insist on making long passwords that are non-random, don’t use long dictionary words. Use multiple, unrelated words, as explained in the Good Password Guidelines Quick Info article here on this site.

Get multi-factor authentication enabled on every account you can, especially accounts for banks and other financial sites, sites which handle your medical records, other confidential and sensitive sites, and your Berry account.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup takes only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!
If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo Credit: Photo by Max Kleinen on Unsplash

COVID-19 Job Offer Emails are Fraudulent

An email has been sent to campus inboxes about a COVID-19 “Work Online From Home Job” paying $500 a week. This email is fraudulent. Do NOT reply to the email with your information. The email did not have a warning banner because it came from a compromised Berry account. Below is a picture of the email.

Please report these emails using the “Report Email As Phishing” button in your client or forward them to infosec@berry.edu and then delete them from your computer/device.

May News from Information Security

Wait?

It’s May already?

Where did April go?

It passed by as we were stuck at home and no, you didn’t miss the the April newsletter, as it was lost in the work-from-home shuffle. There’s a hint of a light at the end of the coronavirus tunnel as some businesses are opening and some restrictions lifted, but that’s all I’m going to say about that…

While we may not have been as busy during this time, phishers, scammers, and other bad actors have gone into overdrive. Some sources have placed the increased fraudulent traffic as 300% higher this last quarter over the same quarter from 2019. The amount of emails attempting to leverage the coronavirus and associated fears has grown astronomically and the phishers have an edge in this environment – we’re already stressed and uncertain.

There are emails purporting to have a cure for the disease, others with great deals on PPE (who figured that acronym would ever become common?), some trying to steal CARES relief funds, and others trying to convince people they have come in contact with someone with the virus. That’s just a tiny sample. There are some new articles on this site covering social media surveys, Skype password phishing, and complaint scams. The COVID-19 article was updated multiple times with new information. If you haven’t read those yet, you should check them out after you’re done reading this.

Myriad opportunities abound to phish, scam, and deceive people who have severe cases of cabin fever, restlessness and real fears about jobs and finances. No stress point is neglected in the daily attacks from bad actors trying to compromise accounts, steal credentials, and wreak havoc in an already chaotic environment. Many people are learning new ways to work, communicate, shop, eat, and socialize. All of the “new” is irresistible to scammers and phishers. Here is what I consider the number one safety tip (with some examples) to safely navigate this new (hopefully temporary) normal.

  • Almost all email should be considered suspect at this point. Apply a much higher grade of scrutiny to any and all emails you receive.
    • Emails like the ones mentioned in the Skype phishing article will appear to come from a variety of services, all of them trying to get you to click on that link or button in the email to check your notifications. Don’t!!! Simply log in to the site or service like you normally would, and if you have notifications, they will be there.
    • Emails asking for banking information or other financial information should be VERY carefully scrutinized. Most will be fraudulent. If you or a family member need to supply banking information to receive CARES funds or are having to deal with unemployment, make sure you are going to the right resources. Numerous government sites are available including the Health and Human Services site  and the primary government site about coronavirus information. The Georgia Department of Labor site is where to get answers about the process of receiving unemployment benefits.
    • Phishers haven’t given up on old themes. We have received plenty of emails to campus inboxes purporting to be from college department heads, all the way to President Briggs, asking you to for a “favor” or with an “urgent request”. Don’t fall for these! Check the From address and look for the external email banner to determine the validity of emails like this. The fact that they should be EXTREMELY rare should immediately render them suspect.

On a somewhat different topic, check out the new voicemail notification Quick Tip here on the site. It explains how to tell if a voicemail notification received via email is valid or not.

Here’s hoping that things will get back to normal soon, even if normal is slightly different. As always, if you ever have a question about an email or other questions about information security, please don’t hesitate to contact me at infosec@berry.edu, extension 1750 or 706-236-1750. I’m still working at home, like many others.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to the point we can do that).
Photo Credit: Photo by Jose Antonio Gallego Vázquez on Unsplash

Watch Out for Social Media “Surveys”

With everyone spending more time at home, traffic on social media sites has grown tremendously. One particular item to avoid during this time of boredom meltdown, even though they may be fun, are so-called “surveys” on social media sites. You know, the ones that ask about favorite colors, pet’s names, mother’s maiden name, what schools you attended, favorite songs, movies, cars, or whatever? Do these questions sound familiar?

If you have ever set up backup “security questions” for a web site, you’ll notice the surveys ask for many of the same bits of information. A fair percentage of these surveys are simply intended to grab your username for the social network, then slyly ask you to hand over potential security question answers.

Don’t fill out these surveys. Yeah, they can be fun, maybe, but if the information you willingly hand over may allow someone to reset your password by knowing the answers to your security questions, then they are a really bad idea!

With that in mind, whenever you fill out these backup security questions, you should never put real information in as your answers. Make up answers for these questions, then record those answers somewhere safe, like in a password manager, along with your unique password for the site! This way, you can provide the answers to these questions, but no one else will be able to discover than information from the far reaches of the Internet, or from your answers to a social media site “survey”.

If you would like more information on password managers, check out the short password manager article here on this site.

 

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

 

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted.

 

Photo Credit: Photo by William Iven on Unsplash

Skype and Teams “Notification” Emails are Probably Fraudulent

Since so many people are now working from home, there have been persistent attempts to phish credentials from user of Skype (and other services, like Slack, Zoom, WebEx, or even just email) across the Internet. Since Berry uses Microsoft Office365, Skype for Business is part of our licensed portfolio of apps. If you use Skype, be wary of emails informing you of pending Skype notifications.

The email is well crafted and attempts to convince you to click on a “Review” button to see your notifications. With mostly accurate colors and fonts, it looks like any other notification you might receive from Microsoft. It may also even have the Berry logo at the bottom of the email.

If you click on the “Review” button, you will be presented with a login screen that appears to be secure, but it is not hosted on a Microsoft site. The last part of the domain it is hosted on is “.app”, which is a Google managed domain.

In general, do not click on links in notification messages (or any other email messages). Simply log in to the web site or service, and if you do have messages, they will be there.

UPDATE (5/4/2020): Since Skype for Business is being replaced by Teams, the phishing emails now purport to be notification from Teams.

If you haven’t signed up for multi-factor authentication (MFA), what are you waiting for? This adds an additional layer of protection to your Berry account and lets you keep the same password for a whole year! Setup take only a few minutes. Make your request by emailing computing@berry.edu to tell them you want MFA!

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. Remember you can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events like tables in Krannert and LunchITS will be posted (whenever we get to do that again!).