April News from Information Security

Welcome to April and all that it means to this community! April is the month before the end of the semester in May. April means it is getting warmer and it’s time, if you haven’t already, to cycle in a new wardrobe of clothes for the fast-moving weeks at the end of the school year. I want to apologize for the tardiness of this newsletter. I was unavoidably out of work for a week due to problems caused by the massive amount rain we received back on March 25th. I know so many of you wait with bated breath for the first day of the month just to read my newsletter, so I apologize for the delay. </sarcasm>

With that small celebration of April and limited explanation for why this newsletter is so delayed out of the way, I want to introduce you to our topics for the month. Last month’s newsletter was a bit longer than most and if you haven’t read it, I highly recommend it. This newsletter may be somewhat lengthy as well. First, I have more information about those crazy emails that claim you have purchased some expensive item or renewed a “security” or “support” subscription that you don’t actually have. Next, I’ll shed some light on what phishing threats are most prevalent now and how to spot them. Next, I want to explain some recent cybersecurity incidents and how they might affect you. Finally, I have a new “food for thought” item, along with another announcement and some reminders.

Many of you have received emails claiming you have “renewed” a subscription, usually to some tech support service like GeekSquad or an anti-virus/anti-malware or firewall subscription. the price is high, usually close to $500. As you look over the email, you realize that no web link to cancel the order has been supplied and the only way to “cancel” the order is to call a phone number. Don’t do it. STOP. Take your finger off the phone screen keypad!

In some cases, if you call the number, you will be routed to a helpful phone operator who will have a thick foreign accent, but a very “American” name, like “Bob”, or “Kevin”. Let’s go with “Bob”. Bob will try to convince you that you need this subscription so he can help you remove the viruses he detected on your computer. Bob will try to convince you to allow him remote access to your computer. Don’t let Bob on your computer! If you insist on “cancelling” the subscription, Bob may again try to gain remote access to your computer to “remove their software”, since you are cancelling the subscription. If you allow Bob on your computer, he will then “remove” the software and begin the process of refunding your money.

If you tell Bob that you can remove it, he will insist you install a small program so he can “quickly refund your money”. If you do this, congratulations, Bob now has control of your computer and will walk you through a refund process that will go terribly wrong. Instead of refunding just the $500 that you “paid” for the subscription, Bob will “refund” you $5000 or even $50,000 by “accidentally” adding zeros to the refund amount. Since he has access to your computer now, he will convince you that the money is in your bank account by asking you to log into your online bank account portal. He will then deceptively edit your online bank statement. Bob will then insist you MUST return that money or he will lose his job! Not only must you return it, you must return it immediately and quickly. You must go and buy gift cards to give him or go withdraw the amount in cash and overnight it to him.

And people believe this!!!!

And they will do exactly what Bob tells them to because he insists on staying on the phone with the victim until the money has been mailed or the gift cards bought and the numbers sent to him. If you don’ believe people will fall for this, check out Mark Rober’s excellent video about this scam. Mark is a SUPER smart guy who builds glitter bomb traps for porch pirates who steal packages. He’s turned his attention to this very scam and with help from his friends, is attempting to stop the scammers. If you watch the video you will learn that this will not be easy and most likely will be impossible, but even one person saved from this scam is a good thing.

What’s new in the phishing world, you asked? Thanks, I’m glad you did! First, the most commonly reported “phishing email” was not actually a phishing email. Many members of the community reported the notice send by the Dean of Students office via a company called Everfi concerning training about sexual assault prevention. This was a real notice and if you disregarded it, you still have until Friday to complete the training.

The second most reported “phishing email” was the second notice about this same training. Please complete your training. You can do so clicking the big “Log In” button in the email. Yes, I know I tell you not to, but this is an exception to the rule as there is no other way to access the training.

Many community members are still receiving fake notices about faxes, files, and payments for subscriptions and items as mentioned above. There have also been several emails received about password expiration and keeping your existing password. As mentioned in last month’s newsletter, we do not (ever) allow you to keep the same password. If you receive a valid notice that your password is expiring, or has been reset because of an account compromise, you MUST pick a new password. Always. Every time. Absolutely.

Moving on to another topic, but still sort of about email, some of you have received emails telling you that a company you do business with has been breached and your data has been exposed. This has happened to the gas retailer RaceTrac and to other companies. The email you received didn’t come from the compromised company, but from the hackers who breached them. The hacker is attempting to leverage you to convince the company to pay a ransom. Most of the time, the web link they put in the email is malicious and will attempt to install malware if you visit it.

How did RaceTrac and other companies get breached? In this case, RaceTrac was using a product to securely transfer files. This product, made by a company called Accellion, had a severe flaw that was easily exploited and over fifty companies, schools and other institutions lost data due to the flaw in this one piece of software. In this case, RaceTrac claims that the data stolen did not contain customer data, but they are still investigating and may find that this is not true. If you buy gas at RaceTrac or are part of their Rewards program, you might want to pay attention to any communication you get from them and pay attention to your credit card and bank statements.

Please understand that this breach was not a result of RaceTrac failing to secure their systems, but was due to a bug in the software they used. The fault lies with Accellion, even though they released a patch for the flaw within seventy-two hours of knowing about it. Unfortunately, that was too late for some of the victims.

Some of you may have heard of a company called Solarwinds. This company provides excellent security and network software for thousands of companies, schools, and even the U.S government. Sometime in 2020, attackers were able to insert malicious code into this company’s update server. This code allowed the attackers, with help from some other hacking tools, to completely compromise hundreds of companies through the software they purchased to help them stay safe. The Solarwinds breach was devastating not just because of the number of companies and institutions exploited, but because they were exploited by the very software used to secure them from attackers. This is called a supply chain attack when malicious code is inserted, not into protected production systems, but into the updates for those systems.

The people who ran those systems were betrayed by a process that is “best practice” – keeping systems up-to-date. We’ve mentioned this many times before in newsletters, but keeping a device or system secure requires that updates be applied as soon as possible. When the system that provides the updates for a device or piece of software is compromised, everything goes “pear-shaped” or “sideways”, as some might say. The impact of the Solarwinds breach was massive, not just in time, resources, and money, but in the reputation of Solarwinds AND the companies and institutions who depended on them to be secure.

How does that impact you? I would guess none of you are Solarwinds customers. However, many of you are probably customers of companies who use Solarwinds software. Once a company realizes they were affected by the Solarwinds breach, they should notify their customers. Some of you may have received communication from companies you do business with informing you that they were affected by the Solarwinds breach. Once again, this is not the fault of the company. the responsibility lies with Solarwinds to make sure their processes are secure.

In this case, you are affected by a company you have never heard of, because the company you do know and patronize, trusted them to be secure. Even when we make good choices about who to do business with, it may not matter. It doesn’t mean we are safe. All we can do is attempt to minimize our risk. There is no chance to completely eliminate it. The Solarwinds incident proves this.

So what do you do? Exactly what I have mentioned in past newsletter. Use good, strong, unique passwords for each and every account you have. If this means using a password manager, then find one you like and fits in your budget and use it. Turn on multi-factor or two-factor authentication an every account you can. Don’t access sensitive, private, or financial information on unsecure/unknown wireless network connections or multi-user devices like lab computers or shared computers. Treat ALL emails as potentially dangerous. Treat unexpected emails and emails with links and attachments doubly dangerous. Even if you know the sender, make sure the email “sounds like” them.

Finally, due to my lost week of work, I will not be holding another virtual scavenger hunt this semester. We will have more in the future, but not until the after fall semester starts in August. I hope to have a “welcome back” virtual scavenger hunt and another one during Cybersecurity Awareness Month in October. Keep checking back here for more details.

If I’m not covering a topic of information security you are interested in or concerned about, please let me know. I want to be your first and best resource on information security, so let me know how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email by clicking the link available on the right side of the blog posts page on the InfoSec News and Alerts site.

You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the Q&A section, where you can ask a question and get an answer directly from me, and the events calendar where events will be posted.

Food for Thought

Permanent Link on XKCD – https://xkcd.com/1348/

Drop those phones and computers (gently!!) and go enjoy April!

Featured Image: Green Grass at Ford (G2538)

Author

(Visited 99 times, 1 visits today)