Info Security Bulletins
[NEW] Blackboard reports phishing attempt to expose ID's and passwords
Blackboard has issued a security advisory to inform Blackboard users about a malicious Chrome browser extension being distributed via phishing emails. The One Class Chrome Extension attempts to collect users’ usernames and passwords and also attempts to gather course information and email the users’ classmates with additional links to the extension.
Content of the phishing e-mail message
Hey guys, I just found some really helpful notes for the upcoming exams for UHCL courses at “<link to the web site>”. I highly recommend signing up for an account now that way your first download is free!
What to do if you receive this e-mail
Delete these messages immediately
Do not visit the website included in the messages
Do not install this extension
Do not respond to the messages.
What to do if you have followed the link to the web site
If you have already installed the extension, please contact the OIT Support Center for assistance
Improved method of building web pages for document submission
There are times when University departments need to provide their constituents with a facility to send scanned images of completed, physical forms or other documents to departmental personnel. Occasionally, the mechanism used is to have the constituent to visit a web page, select one or more scanned forms or documents to submit and to click an submit button. The selected documents are then attached to an e-mail by a script embedded in the web page that is sent to the e-mail address used by departmental staff for this purpose.
However, without any additional security measures in place, an e-mail-based approach is not considered secure enough for submitting any scanned forms or documents that contain information of a sensitive nature. Additionally, submitting sensitive information via unencrypted e-mail is not consistent with University policy and may make us non-compliant with our legal and contractual obligations.
Help is now available
OIT has developed a mechanism for submitting sensitive documents from within a University web page that combines the simplicity of the e-mail-based solution, with the security of modern encryption techniques.
Tax time is prime phishing season
During tax season, there is usually a spike in the number of e-mail messages being sent out to the general public asking for personal information and documents. These "phishing" attempts are often crafted in a manner that is very official-looking, with official governmental agency or organizational logos, although there have been many cases where the victims have given away their private information to a site that wasn't well-crafted at all.
Phishing message content includes a description of some scenario that justifies why you "must" respond immediately with your personal information. Around tax time, the phishers, posing as the IRS, may ask you to send copies of your W-2s or even a copy of your tax return itself.
A new twist
Recent reports have describe a new phishing scheme where individuals in an organization's operating areas receive an e-mail from what appears to be from the organization's accounting department asking for the W-2s for either all or a subset of their employees.
The key thing to remember
No reputable organization will ask you to provide private information in an e-mail (or over the phone). And with the new technique that I have described, even internal e-mail messages requesting that you provide private documents in reply must be considered suspect.
Phishing - Still catching the unsuspecting
While much of the attention recently has been about ransomware, "phishing" is still going strong. Every day millions of people receive beautifully crafted (and sometimes not so beautifully crafted) e-mail messages from what is purported to be their banks, service providers, employers and even their universities claiming that the organization needs them to provide their user ID and password, or their bank or credit card numbers, or some other personal information to verify the data that the organization has on file, to confirm that they still need their accounts, or to address some other creative issue.
Note – Phishing is not limited to email. Many have been “phished” over the phone and via text as well.
Whenever you receive a message that asks you to reply with personal information, beware! The message is in all likelihood a phishing attempt to collect your private information and use it to steal your identity, to break into systems with your privileges, etc. If it is an e-mail or a text, delete it. If it is a phone call, hang up.
The key thing to remember is that no reputable organization will ever send you an e-mail message or text asking you to provide your private information in response. And they won't contact you over the phone asking for private information either.
What should you do if you become a phishing victim?
Visit the "You have responded to a phishing scam" page in the "What to do if ..." section of this web site.
Be diligent - Ransomware is still a significant threat
There have been a number of incidents where a member of the UHCL community has had his or her entire computer hard drive and in some cases other attached external drives encrypted by malicious software known as “ransomware”. This form of malicious software or “malware” is so named because the distributors of this software demand the payment of a ransom via credit card in amounts of hundreds or even thousands of dollars. They say that, once they receive the ransom, they will provide you with the key that will decrypt your files. If you do not have any recent backups of your files before they were encrypted by the ransomware, your position is far more desperate.
How can you get infected with ransomware or any malware?
The same way your system can become infected with any computer virus or piece of malware, such as:
Opening an infected e-mail attachment,
Visiting a web site by following a link in an e-mail without vetting the message’s authenticity,
Inserting a USB key into your computer from an unknown source.
What should you do if your system is infected?
The first thing to do is to contact the OIT Support Center at extension 2828 or firstname.lastname@example.org for assistance.
Unfortunately, anyone communicating with the perpetrators are dealing with criminals. Even if you pay the ransom, there is no guarantee that they will send you the key, that the key will work, or that they will not install additional malware that will re-encrypt at a later time. So, if this type of attack affects your personal, non-University-owned computer and files, we strongly discourage your from meeting their terms, or even responding at all.
If the device that is infected is a University computer, you must NOT under any circumstances interact with the perpetrators using that or any other University-owned device. Such action could put the University’s information and systems at significant risk, and could result in severe financial and reputational loss for the University.
For more information
Visit the "Information Security Basics" section of this web site for information about how you can keep your information and systems safe.
Defending against ransomware and spam is a team effort
Recently, some members of the UHCL community have had their hard drives, external hard drives and even shared network folders made unavailable through encryption by perpetrators who then demanded ransom to provide the decryption key that would restore the data. Anyone who falls victim to this type of attack and who does not have their information backed up could lose not only job-related information but also personal information, photos, etc.
UHCL has deployed a number of information security defenses over the years that are designed to detect and thwart such attacks. That being the case, it would be typical for one to ask: “Why did this happen?"
As we investigated the circumstances surrounding the attack, we found that in each case, the ransomware was assisted by actions taken by the victims that weakened their anti-spam defenses in place, allowing ransomware-laden e-mail messages to enter their e-mail inboxes unscathed. Then, all that needed to happen was for the victim to open an attachment or to click a link that the e-mail carried.
Why didn’t the spam filters stop the attack?
As you are probably aware, the University has had a spam filtering solution in place for some time. Every day, hundreds of thousands of incoming e-mail messages are evaluated by the spam filtering software for suspicious content ranging from annoying advertising to e-mail messages that potentially are carrying viruses, ransomware and other forms of malicious software.
When the spam filter detects e-mail content that is consistent with known spam patterns, the e-mail message is “quarantined” in the spam filtering system and is not forwarded to your e-mail inbox. Periodically, the spam filtering system sends you an e-mail message containing a list of your e-mail messages that it had quarantined. From that list, you can select e-mail messages that you believe are not spam and have them forwarded to your inbox.
The impact of spam filters
Spam filters are extremely helpful in reducing the amount of junk e-mail that we receive. It is estimated that over 60% of e-mail that is directed to us is spam. Unfortunately, no spam filter is perfect. Spam filters use a number of methods to compute a level of suspicion for each e-mail message, such as:
- Is the sender listed as a known purveyor of spam by well-known central tracking organizations?
- Has the sender been blacklisted within our own system due to previous activity?
- Is the e-mail address of the sender legitimate?
- Does the e-mail message contain words or word patterns that are commonly used in spam?
The first three methods are less likely to incorrectly quarantine legitimate e-mail messages, although sometimes entire organizations can erroneously end up on a spam tracking blacklist due to a single computer on their network generating spam as a result of a compromise. Unfortunately, the fourth method, relying on common spam words, is the least perfect, and can result in some “false positives”, i.e., legitimate messages being quarantined.
Whitelisting – the good and the bad
I'm sure most would agree that having legitimate e-mail messages quarantined on occasion is annoying, and can have some real consequences, e.g., delays in responding to critical e-mail requests. Realizing that, spam filtering solutions allow you to “whitelist” certain senders so that none of the e-mail messages sent by a whitelisted e-mail account is ever evaluated for spam.
In cases where a known sender consistently sends you e-mail messages loaded with spam words, aside from asking them to limit their e-mail creativity, you can use the spam filtering system’s user interface to “whitelist” the sender’s e-mail address, so that all messages originating from that address will immediately be sent to your e-mail inbox. Keep in mind, if that sender’s e-mail account is compromised and is sending out malicious software, it will reach your system.
The spam filtering system also allows you to whitelist all senders from a single organization (*@abc.edu) or e-mail service provider (*@gmail.com). While this may seem to be a good thing, using this feature can become a real problem - now any user of that organization or e-mail service can directly send you SPAM, and again the only defense at that point may be your diligence in visually inspecting each incoming e-mail from that source.
How whitelisting helped the ransomware attack
In the recent spate of ransomware attacks, only a small number of users were affected. Why? Because the victims either released their quarantined e-mail indiscriminately or they whitelisted all of an e-mail service provider’s e-mail accounts one of which initiated the attack. And then each victim opened an attachment or link without performing his or her own visual verification of the e-mail message beforehand.
Why didn't our anti-virus software stop the attack?
Regardless of the vendor hype, no anti-virus system detects all malware. Since anti-virus programs usually detect viruses by comparing the program or attachment against images of known virus images, there is a period of time when all systems are vulnerable, between the time the virus was unleashed and the time the anti-virus software was updated with the new virus image. This vulnerable time period can be a day or more, and during that time your only protection is your diligence in visually inspecting the message content.
What you can do to help fight ransomware and spam
When it comes to attachments and links arriving via e-mail, make sure that you:
- Know the sender (Note - The "From:" field in e-mail message can easily be forged, so check the e-mail content for any signs that the message may be counterfeit),
- Know what the attachment or link is, and
- Know why you are receiving the attachment or link.
- Use the spam whitelist feature sparingly, and remember that it is far safer to whitelist specific individuals than entire organizations or e-mail services.
Never whitelist all UHCL e-mail addresses, i.e., *@uhcl.edu. Internal e-mail does not pass through the spam filter, so any e-mail that comes through the spam filter with a “uhcl.edu” address is counterfeit.
And, always make sure the systems you use are up-to-date on their software patches. Systems that are behind on their updates can be exploited even without your participation.