ITS staff have received numerous reports of a recent email that is attempting to steal your username and password! If you receive an email with the subject line “HEALTH SECURITY ALERT” or “HEALTH ISSUE ANNOUNCEMENT ON CAMPUS”, which looks like the screenshot below, please delete it and do not click any links within.
If you have given your personal information to a phishing attack like this, please act quickly. Change your password at mypassword.umb.edu, and notify IT Staff by emailing abuse@umb.edu for more help.
As widely reported in the press over the weekend, a new ransomware threat named “WannaCry” has impacted Windows machines (workstations and servers) around the globe. Due to better Windows update compliance, systems in the US have been less impacted than international systems. This threat only affects certain Windows systems; it does not affect Apple macOS or iOS devices.
At the time of writing, “WannaCry” was reported to start when a user responds to a phishing email by opening and running its attachment. Note, however, that the worm component needs no user action at all: it can infect a vulnerable, unpatched machine directly over the network (SMB, TCP port 445). Once it executes, it encrypts files on the affected local computer and on shared drives, and the user is then asked to pay a ransom to recover the files. To add insult to injury, “WannaCry” then behaves like a worm and aggressively scans for and infects other vulnerable, unpatched machines on the network. As far as we know, the format of the phishing email is not consistent, but the underlying Windows flaw (in the SMBv1 service, fixed by Microsoft’s March 2017 MS17-010 update) only affects unpatched Windows XP, 7 and 8 systems, as well as Windows Server 2003 and 2008 editions. Windows 10 PCs patched in March of this year are not affected by this attack.
UMass Boston Windows XP systems are rare and are believed to be offline, as they do not show up on ITS Qualys scans. If you have an XP system and would like us to help you upgrade, please send an email to ITSecurity@umb.edu and the ITS Security team will respond as soon as possible.
Windows 7 & 8 systems which are current in terms of patching updates are not vulnerable. This includes all workstations supported by the ITS KACE workstation management service and some departments which have similar services.
For systems that are not current in terms of updates, or where the user has fallen for the phishing attempt, several things may happen.
The system’s hard drive and any connected network shared drives may be encrypted by running the attachment. In this case, the user is presented with a message stating that, until a ‘ransom’ is paid, the data on the encrypted drive(s) cannot be accessed.
NOTE: UMass-wide IT Security Policies prohibit the payment of ransom. Should a user experience a ransom query, he or she should not respond to the query and should immediately contact IT Security by emailing ITSecurity@umb.edu or by calling Wil Khouri, UMass Boston Information Security Officer, at 617-287-6232.
The infected system may then scan other systems on the UMass Boston network for the underlying vulnerability; those that are vulnerable may be encrypted in turn, with the ransom notification presented to their user(s).
UMass Boston’s best defense to this, and all malware, is an educated and vigilant user community recognizing these threats, reporting them to ITSecurity@umb.edu, and deleting the offending email.
ITS staff have received numerous reports of a recent email that is attempting to steal your username and password! If you receive an email with the subject line “[your name]@umb.edu Will be close”, which looks like the screenshot below, please delete it and do not click any links within.
If you have given your personal information to a phishing attack like this, please act quickly. Change your password at mypassword.umb.edu, and notify IT Staff by emailing abuse@umb.edu for more help.
By Wil Khouri
Assistant Vice Provost and Information Security Officer
Information Technology Services / Communications and Infrastructure Services
Spear phishing is phishing crafted to target specific individuals or groups within an organization. The hackers behind spear phishing emails have essentially done their homework on who their victim will be, and have researched carefully how to personalize and customize the message to make it more appealing and so increase the probability of getting a response from the target audience.
Spear phishing emails are tailored to include information the targeted victims would think only another employee, friend, or family member could know. In this digital age, the Internet, and particularly social media, has made it easy for hackers to gather such pertinent information. For instance, a hacker needs only to visit a victim’s LinkedIn and Facebook pages or look through their web profiles to gather enough information to craft the perfect spear phishing message. In addition, hackers craft the messages to grab one’s attention with alarming, shocking, or tempting information.
Recently, UMASS Boston students, faculty and staff received emails appearing to originate from legitimate UMASS addresses. These emails had a variety of subject lines designed to draw people in, including “Important message from UMB Faculty/Staff”, “Important Information”, “[IT Status Alert] Your Account will expire soon”, and “Your account has expired”.
One particular message targeting faculty and staff appeared to be from the address “IT News <psoft@umasscs.net>” with the subject line “[IT Status Alert] Your Account will expire soon” and presented in the following format:
Click the screenshot below to zoom in. Pay attention to the numbers (1-4) in Figure 1 as you read on.
Unfortunately, a handful of employees inadvertently provided Personally Identifiable Information (PII), including passwords, social security numbers, and bank routing and personal account numbers, to the hackers. Information Technology Services Security and Systems staff, Human Resources staff, and the Information Security staff at the UMASS president’s office acted swiftly and took the necessary steps to contain the damage. Upon further investigation, we found that the hackers used the phished PII to access bank accounts, to modify bank routing and account information so as to re-route the employees’ compensation to untraceable prepaid access cards (credit cards not attached to bank accounts), and to file fraudulent tax returns, especially once the university confirmed that the employees’ “W2” forms had been accessed online.
Refer to Figure 1 above for the following paragraph.
What made this phishing scam so effective is (1) the spoofed “From” origin, which appeared to be a functional UMASS president’s office email account, (2) the subject line format, which mimicked our campus “status alert” format, and (3) the use of a legitimate “IT News” template that Information Technology Services (ITS) normally uses for its “alert” communications. As is the case with many phishing scams, a sense of urgency was added to spice the message up.
That raises the question: how would one differentiate legitimate emails from phishing scams?
Fortunately, you can often tell a phishing link from a safe one by dissecting how it is built. The most effective habit is to (4) hover the mouse over the link to reveal its Uniform Resource Locator (URL), commonly known as the web address. As Figure 1 shows, a link has two parts: the text you see (here “Sign in to proceed.”) and the destination you don’t see, which is revealed only by hovering. That hidden part is the actual address that controls where the link will go. In our case it reveals an odd URL: “http://www.jjlemaire.mu/wp-admin/images/sm-prd11.ucollaborate.net.html”. The site you will actually land on is the host name between “http://” and the next “/”, here www.jjlemaire.mu; everything after that slash is just a path the attacker chose, so a familiar name appearing there means nothing. Always be wary of URLs with look-alike spellings (digits in place of letters, subtle misspellings), odd wording, and unfamiliar endings, that is, top-level domains such as .mu.
What must raise your suspicion are attempts to get you to reveal private information, such as your social security number or bank account information. Phishing attacks may ask you to download files, fill out forms or reply with information. If you cannot determine whether a message is phishing or not, contact the sender directly to verify its authenticity, but never use the contact details appended to the suspicious message to do so. If still in doubt, report it to abuse@umb.edu.
For those who proceeded to click the link, the landing page was engineered to look deceptively similar to the “UMASS HR Direct” page, with the familiar “Secure Access Login” fields, but with two crucial differences. First, the page was served over plain http:// with no valid certificate, so the browser showed no secure lock, and the address presented as follows:
As compared to the valid and secure (5) legitimate site URL:
The most important cue and skill, if you will, is to check for the site’s valid certificate (5): the address should begin with https:// and the browser should show a secure link with a lock icon (shown in green in the browsers of the time, hence GREEN IS GOOD). NEVER enter any information on a page that does not show it. One caveat: the lock only proves that the connection is encrypted to whoever controls that domain name. Scammers can obtain valid certificates for domains they own, so the lock is necessary but not sufficient; you must still read the domain name itself, as in the next point.
The second red flag in the phishing site was the .mu top-level domain, which is the country code for the Republic of Mauritius. Notice that the fraudulent landing page lived at “www.jjlemaire.mu” and not at “sm-prd11.ucollaborate.net”, where it was supposed to be; the attacker deceptively embedded our legitimate host name in the file name at the end of the path (6). While the public has become more savvy at spotting scams, malicious actors are spending serious effort honing their craft, which makes spear phishing messages a challenge to recognize. It is still simple to beat them: be aware of the cues that raise your suspicion, and if in doubt, always ask. If you suspect you may have been phished, act quickly: change your password at mypassword.umb.edu and notify ITS staff by emailing abuse@umb.edu.
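Doing the dissection of steps (4) to (6) mechanically, as an added example that is not part of the original article: the Python script below pulls every link out of an HTML message, compares the visible link text with the real href, and flags the cues the article lists (plain http://, a host outside the campus’s own domains, an unfamiliar top-level domain, a legitimate domain name buried in the path or used as a subdomain of a stranger’s host, and link text that shows one address while the href goes to another). It also catches the user-info trick, where a trusted name is placed before an “@” so that the real host is whatever follows. The trusted-domain set, the familiar-TLD list, the sample message and its second and third links are assumptions constructed for illustration; only the first href is the one the article quotes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for illustration: domains the campus would treat as its own,
# and top-level domains it expects in its own mail. Tune for your environment.
TRUSTED_DOMAINS = {"umb.edu", "umasscs.net", "ucollaborate.net"}
FAMILIAR_TLDS = {"edu", "com", "net", "org", "gov", "mil"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join(" ".join(self._text).split())
            self.links.append((visible, self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host ('www.jjlemaire.mu' -> 'jjlemaire.mu').
    Simplification: no public-suffix list, so 'x.co.uk' would be judged wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(text, href):
    """Return the list of red flags for one link; an empty list means nothing odd."""
    u = urlparse(href.strip())
    host = (u.hostname or "").lower()
    flags = []
    if not host:
        return ["no host in href"]
    if u.scheme != "https":
        flags.append("not https")
    if u.username is not None:
        # http://umb.edu@evil.example/ : the part before '@' is user-info, not the host
        flags.append("user-info before '@': the real host is %r" % host)
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a name")
    reg = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    if reg not in TRUSTED_DOMAINS:
        flags.append("host %r is not a trusted domain" % host)
        if tld not in FAMILIAR_TLDS:
            flags.append("unfamiliar top-level domain .%s" % tld)
        for d in TRUSTED_DOMAINS:
            if d in host:
                flags.append("trusted name %r used as a subdomain of %r" % (d, reg))
            if d in (u.path + u.query).lower():
                flags.append("trusted name %r buried in the path, not the host" % d)
    # Visible text that itself looks like an address but points somewhere else.
    shown = text.strip().lower()
    if shown.startswith(("http://", "https://", "www.")):
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable_domain(shown_host) != reg:
            flags.append("link text shows %r but goes to %r" % (shown_host, host))
    return flags


def analyze_email(html):
    """Dissect every link in an HTML message; returns one dict per link."""
    parser = LinkExtractor()
    parser.feed(html)
    return [{"text": t, "href": h, "flags": analyze_link(t, h)} for t, h in parser.links]


# Constructed sample, modelled on the message described in the article.
# Link 1 is the href the article quotes; links 2 and 3 are assumptions:
# the legitimate host with a placeholder path, and a user-info trick
# pointing at a documentation-range IP address.
SAMPLE_EMAIL = """
<p>Your account will expire soon.</p>
<p><a href="http://www.jjlemaire.mu/wp-admin/images/sm-prd11.ucollaborate.net.html">Sign in to proceed.</a></p>
<p><a href="https://sm-prd11.ucollaborate.net/">https://sm-prd11.ucollaborate.net/</a></p>
<p><a href="http://umb.edu@198.51.100.7/login">https://www.umb.edu/it</a></p>
"""

if __name__ == "__main__":
    for link in analyze_email(SAMPLE_EMAIL):
        print("%-40s -> %s" % (link["text"][:40], link["href"]))
        for flag in link["flags"] or ["no red flags"]:
            print("    -", flag)
```

The registrable-domain helper keeps only the last two labels, which is enough for the hosts in this article but wrong for country suffixes such as .co.uk; a public-suffix library (for example the tldextract package) gives the correct answer in general. The script is a triage aid for the cues the article describes, not proof of legitimacy: a link with no flags still deserves the certificate and domain check above.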
As threats arise, our campus community will be trained to identify these types of targeted attacks. Information Security often runs simulated self-phishing campaigns for educational purposes. Those who fail the simulation are encouraged to take the exercise modules assigned after the simulation, or to go to: http://iatraining.disa.mil/eta/phishing_v2/launchpage.htm The above link is courtesy of the US Department of Defense. And no, it is not a phishing attempt or a simulation, if you are wondering. Don’t believe me? Go ahead and hover over the link: it reveals a “.mil” domain, which belongs to the US military.
One last thought… As a community of higher education, our weapon is knowledge. Do take the time to learn how to distinguish what is legitimate from what is not. We do not want to feed on fear and paranoia to the point of rendering the tools we use daily useless. Let’s all learn how to defeat the scammers. It is very simple. Really very simple.
Click on the Windows logo located on the lower left hand corner of your computer screen, a menu will appear, click on “Control Panel”.
Once in the Control Panel, type the words “windows update” in the Search Control Panel field located in the upper right hand corner. As you do, the following screen will immediately appear.
Now, in the upper left-hand corner, click the words “Check for updates”. This screen will appear:
Click the “Check for updates” button to begin checking. The following screen will appear after the check is complete. All Important Updates must be installed. Click the “Install updates” button to begin the installation. You will need to reboot your computer later to finish the installation.
Alternatively, if you are using Internet Explorer, you can click Tools > Windows Update to install the latest security patches.
[Update: All campus phone service has been restored.]
We have identified the root cause of the campus phone service disruption as an off-campus issue with one of our vendor services: a failure of physical cabling in Dorchester over which our incoming and outgoing calls are routed. The vendor is actively working to repair the problem but, at this point, we do not have a predicted resolution time from the vendor.
This service issue impacts all our inbound and outbound phone services, both the heritage analog service and the new and expanding VoIP service. Calls within campus are not impacted; the impact is on all calls coming into campus and on campus calls dialing off campus.
We will provide the next update either when the service is restored or in approximately two hours should the issue persist. We are continuously working with our vendor to remedy this situation as soon as possible.
Scammers are willing to invest the time to trick you!
Phishing is a type of cyber scam designed to trick you into giving your personal information.
Today’s example was reported by a few users who could tell something smelled phishy!
In this example, there is no obvious request for money or personal info! The scammer went so far as to use a real staff person’s name and title, and even referred to the correct section of the UMass Code of Conduct! That’s crafty! At first even we IT staff weren’t sure whether this might be a real email…
How can you know when a legit looking email is a scam? Trust your gut, and verify!
★ Be suspicious of unexpected notifications
★ Call the real staff person and ask if the message is real
We got in touch with the real department referred to in the email and they told us it was not real! The scammer is weaving a story about “Academic Dishonesty” by a UMass Boston student. It’s a serious matter, but the message never makes an obvious request for money or personal info. In these “long cons”, an email like this is the first step in building a relationship of trust between the scammer and the recipient. The scammer hopes you’ll bite and reply, and then the inevitable trap will spring!
If you are suspicious of a file, link, website, or email, you can contact the IT department to ask if it may be a scam. Forward a copy of a suspicious email to abuse@umb.edu.
Always remember…
Don’t take the bait! IT will NEVER ask you for your password. Phishing emails attempt to deceive you into giving up your private information by leading you to fraudulent websites. Learn more at: http://www.umb.edu/it/getting_services/security/phishing/