Phishing

by Jonathan Ashton.

The Higher Education sector is a lucrative hunting ground for fraudsters – using phishing tactics to steal username and passwords, unlocking systems and enabling access to the University’s and the user’s own data.

Earlier this year, Lancaster University reported a breach that involved the loss of a significant amount of student personal data that can be monetised or used for further fraud against those students affected.

Fraudsters have been reported to

  • target students with false invoices, demanding direct payment to the fraudsters
  • launch phishing campaigns against students, staff, and other universities
  • redirect salary and expense payments from staff members to their own accounts

For Hallam, attacks have increased in severity over the last few months and we’ve seen increasingly sophisticated phishing campaigns since early 2019. These attacks are often successful because they direct users to sophisticated log-in portals that look like our own Office 365.

DTS monitors these attempts and aims to intervene as early as possible to reduce the opportunity that fraudsters have. The new email ‘caution’ banner (usually in yellow) at the top of all external mail is one of several measures put in place to highlight the risks in online activity. DTS also supply a CyberAware online training module which aims to help staff identify risks, and how to combat these. We encourage all staff to complete this for the safety of themselves, and the University.

Ultimately, it’s down to individual users to be wary of unexpected emails that require documents to be opened or to log-in to a website. Please remember to

  • Check the sender (the new external email caution banner should help to identify external senders, treat these more cautiously).
  • Check the address of any email links (always hover the mouse over them before clicking – this can sometimes be a giveaway).
  • Check the website address if you have clicked a link (don’t just assume it’s a University website because it uses our branding – fraudsters are good at copying).
  • Stop and think before logging-in, if anything at all feels ‘off’ then don’t go any further, contact IT Help before proceeding.

If you find something suspicious, or think you might have already been compromised, contact IT Help on 0114 225 3333 immediately.

Phishing attacks and online fraud – protective steps

by Jennifer Kennedy.

Digital Technology Services is increasing the visibility of potentially fraudulent email by marking all email from outside the University to remind users to treat links or attachments with caution. This is an increasingly common tactic across the HE sector to help users to better identify fraudulent email, reducing the risk to them and the University.
Over the past month the University has seen a big increase in phishing, with over 3000 fake emails being delivered to University users’ mailboxes. While many recipients identify them as fake and report them so DTS can take action, the emails and web pages linked to are often convincing enough for some people to be taken in, providing usernames and passwords or other personal data to the attackers. Where we can trace that a user is at risk from an attack, DTS can take action and have reset over 100 hundred users’ passwords where suspicious activity is observed.
Once a user’s username and password are compromised like this they are exposed to a number of risks which have recently included use of their mailbox to launch further phishing or fraud attacks against other University users and changing staff bank details in Core to redirect salary payments to an attackers account.
The CyberAware online training shows users the key risks in online activity, such as mail and web browsing, and how to deal with them. We recommend all undertake this regularly. While DTS can identify accounts at risk and support users in recovering control of their account, we cannot help where data or money has already been lost. For this reason it is important for the protection of University staff and students that we help people identify suspicious activity and take appropriate action.
If you ever accidentally click on a suspicious link, contact IT Help on 0114 225 3333 immediately.

Passwords and Credential Stuffing

by Jonathan Ashton.

Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).

Worldwide, weak passwords like “123456”, “qwerty”, “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks (https://www.bbc.co.uk/news/technology-47974583).  These passwords provide little protection both due to their reduced number of characters (no variation in upper/lowercase or special characters).  This means they can be cracked relatively quickly even by complete novices using freely available automated tools.  In addition to this, such passwords have been made widely available in common password lists for use in random attacks on services, this is known as ‘credential stuffing ‘.

 

Credential Stuffing

This is a simple attack using:

  • an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
  • a list of common passwords (referred to as a dictionary)
  • repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)

As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.

 

Check your Email Addresses and Password Security

You can check if your email address (and/or other details) have been involved in breaches and subsequently made available online by using sites such as https://haveibeenpwned.com/.  Once an email address is in the public domain like this, it will be used in credential stuffing attacks.

You can check to see if your password has been used in a previous breach and therefore if it is likely to be available for hackers at https://haveibeenpwned.com/Passwords.

Another online resource, available at https://password.kaspersky.com/, shows you how strong your password is.

 

Password Advice

The password advice is still:

  • Don’t re-use passwords between services
  • Passwords should be a mix of upper and lower case along with numbers and one or more special characters (like !#@*^, etc)
  • Passwords should be a minimum of 12 characters

Beware of Phishing Emails with a Green Display Message Button

by Jonathan Ashton.

An ongoing phishing campaign targeting educational institutions in the US and the UK has now been seen by some SHU staff members.

Messages often appear to be from a known contact of the recipient and contain a subject line that has been used previously in communications between the sender and recipient e.g. “Re: Sheffield Hallam Open Day- Saturday 18th August 2018”.

The message may contain very little text and what looks to be a green button labelled “Display Message”, “Click here to view message” or similar text.  Below is an example:

This button should NOT be clicked. If you do accidently click it, do not enter your username and password on the webpage that you are taken to.

If you have already entered your credentials, then the you must change your password immediately, using the “Changing your password” link on the Staff homepage or by visiting http://go.shu.ac.uk/password.

Instructions for dealing with phishing emails can be found here: https://portal.shu.ac.uk/departments/is/ithelp/helpme/pages/suspicious_emails_phishing.aspx

There have so far been relatively few of these emails seen at SHU but the experience of other educational institutions suggest this situation may change

A cyber-awareness course is available at http://go.shu.ac.uk/cyberaware – completing it will help protect yourself and the university.

GDPR Privacy Phishing Scams

by Jonathan Ashton.

GDPR is coming into effect on 25th May and will herald a big change in the way organisations hold and manage personal data.

As such many organisations will need to seek consent from existing and new users, you may have noticed an increased number of emails asking you to either review privacy policies or grant explicit consent to continue receiving emails, etc.

We’ve become aware of a number of phishing campaigns purporting to be from a well-know organisation/brand with the sole intent of getting login details from recipients who respond.  Further details are in this article:

https://www.zdnet.com/article/phishing-alert-gdpr-themed-scam-wants-you-to-hand-over-passwords-credit-card-details/

As always, take care when dealing with emails inviting you to click on external links

  • Check the sender’s email address carefully (phishers often use slight misspellings to dupe the unwitting into clicking)
  • Check any link in the email by hovering over it, if it doesn’t look quite right it likely isn’t

There’s no indication that the SHU community is being targeted so there’s no need to be unduly worried but do be careful when dealing with these types of emails – both at work and at home

CPU Vulnerabilities – Meltdown and Spectre

by Jennifer Kennedy.

The University is currently reviewing the impact of vulnerabilities branded Meltdown and Spectre by the cyber security industry and is assessing the patches which are becoming available to remediate them. There is no evidence that the flaws have been exploited anywhere yet but, as always, it’s important to use IT safely. Please take particular care when clicking on links, don’t open any suspicious attachments and avoid visiting unsecured websites.

For personal devices or home computers we advise, as always, to install patches and updates as soon as they are available. Bear in mind that this potentially affects all computer devices worldwide – phones, tablets, PCs and laptops, including Microsoft, Linux and Apple products.

 

Reports on High Sierra insecurities

by Jennifer Kennedy.

You may have heard news about issues with the latest Mac OS operating system, High Sierra.  At Sheffield Hallam, Digital Technology Services has been recommending that staff do not update University Macs to the new operating system and no University owned Macs that students use have the new operating system installed.  If you own an Apple Mac yourself, you should take advice from Apple about how to handle this.

Key Reinstallation Attack (KRACK)

by Jonathan Ashton.

KRACK is a newly published attack on wireless communications between a device (smartphone, laptop, Wi-Fi cameras, etc) and the wireless access point

The attack works by interfering with the handshake process that the device and the access point undertake to secure communication between the two.  It enables the attacker to:

  • Listen in on wireless traffic between the device and access point
  • Inject it’s own data to the traffic
  • Apply additional attacks to further reduce security

This means that an attacker can listen into all unsecured communications you’re having over Wi-Fi (e.g. instant messaging, websites, logins, emails, etc).  They can also modify unsecured data you send/receive or insert new data (e.g. implanting a piece of malware in a website page) although this is a worst case scenario.

On the bright side vendors and manufacturers were warned months ago about this and have been working on security patches for a while.  Some manufacturers have already released the patches via automated updates whilst others will be rolling them out shortly.

At this point in time (18/10/2017), and assuming you have automatic updates turned on, the status of the major vendors are:

  • macOS 10.11.1 – Patch Pending
  • Windows 7, 8, 8.1, 10 – Patched
  • Linux Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, Linux upstream – Patched
  • iOS – Fixed in iOS 11.1 due out in a few weeks
  • Google Devices (Android) – Patch Pending for Google Pixel and Google Nexus (although not clear if older Nexus devices will receive this patch)
  • Samsung (Android) – Newer devices receive Google security fixes (Patch Pending), older devices do not
  • Other Android – Refer to your manufacturers support site

Android devices tend not to get newer versions of the OS (let alone security patches) as they get older but vendors may have no option but to release a fix for this (especially if pressure is applied via social media, etc).

This blogger is keeping track of the status of patches for the most popular vendors (it’s about halfway down the page).  Note that although patching home routers helps with some other issues presented by this attack, patching your router alone will do nothing to stop it if your device hasn’t been patched.

The University is currently advising the following (which should be considered normal practice to help keep yourself and your data safe.)

  • Make sure the software on your device is up to date.  Manufacturers regularly release security patches to fix issues and vulnerabilities in operating systems and it is important that these are promptly installed. For University equipment, Digital Technology Services (DTS) will provide advice about what you need to do when these are available. Users of SHU-owned Macs have been advised NOT to accept an update to High Sierra until DTS has confirmed that it is okay to do so but they should continue to install any security patches which are offered.  On your personally-owned devices, use the latest operating system and install patches when they are offered to you.
  • Wherever possible, use websites that are encrypted – these normally display a padlock next to the address.
  • University staff should use the VPN (Virtual Private Network) service when using laptops and other portable devices to ensure any University data is encrypted while using Wi-Fi networks. This includes while in public areas on campus such as University cafes and other open areas.  More information on the VPN service.

 

Watch Out For Social Engineering Attacks

by Jonathan Ashton.

To ensure success hackers often use multiple approaches to the same problem. These may be technological in the hacking tools they bring to bear or in the knowledge of vulnerabilities that can be exploited, but they also make use of Social Engineering.

Social Engineering is the use of psychological tricks against people to get them to do something against their interest or to the benefit of the attacker. Social Engineering has been around for a lot longer than the phrase, Con Men and Scam Artists have made use of the same techniques for centuries in order to get what they want.

One of the best examples of Social Engineering is the Greek’s leaving behind a large wooden horse after pretending to give up on the decade long siege of Troy (https://en.wikipedia.org/wiki/Trojan_Horse). Even the term Trojan is used in cyber security to indicate a malicious program that pretends to be something it’s not (e.g. an innocuous program or browser plugin that contains a key logger).

Hackers make use of Social Engineering as it’s often quicker to convince someone to perform an action or give up some information than it is to find and exploit a technological vulnerability.

 

They make use of multiple strategies to help achieve their goals:

  • Phishing and Spear Phishing – Spammed or targeted emails that aim at getting the victim to hand over information, take an action or to activate a malicious attachment/website. Fun Fact: scammers often deliberately include spelling mistakes to single out more credulous people.
  • Pretexting – Where scammers need to operate in-person (either via a phone or face-to-face) they’ll spend time crafting a plausible reason as to why they need what they’re asking for.  Unlike phishing attacks which use urgency coupled with fear (either of missing out or of some repercussion), pretexting relies on building trust with the victim in order to make use of them.

  • Baiting – Relies on people receiving “something for nothing”. For example usb sticks can be put in a reception area or organisation’s car park, often with a juicy label like “Redundancies 2017” in the hope that people will be curious enough to pick up the device and plug it into a machine. Once that’s done the machine can be compromised in seconds, often installing back doors and “phoning home” to the attacker for exploitation at their leisure.
  • Quid Pro Quo – In order to instil a sense of obligation an attacker will offer help in some form with the expectation that the user will respond in kind to a request from the attacker.
  • Tailgating – Our final example is tailgating where someone who lacks authority to enter a particular area follows behind someone who has access. This can be as simple as impersonating a delivery driver with a package or being in a common smoking area and following other smokers back into the building.

 

In order to reduce the risk to yourself and the university be aware of red flags when dealing with people. Some red flags include unsolicited urgent communications with implied threat/benefit and strangers looking for the benefit of the doubt.

But also take into account the sensitivity of information you’re being asked for or the impact of an action you’re being asked to do. Hackers and scammers can do very little without your help!

Protecting yourself in a high threat environment

by Jennifer Kennedy.

Western Intelligence services have lost control of a number of ‘cyber weapons’. These are essentially toolkits built around one or more vulnerabilities that the intelligence services have discovered but not disclosed to vendors.

The recent WannaCry ransomware which had such devastating effect on the NHS and around the world made use of one such undisclosed vulnerability.

These ‘cyber weapons’  are crafted exploits available across multiple operating systems (Windows, Apple, Linux) and devices (Android, iPhones, Windows phones).

As a result, the threat environment at the moment is very high and system vendors and security companies are working hard to understand the vulnerabilities and provide fixes or protection. Users need to ensure systems are patched or security products installed in order to benefit from this protection and reduce their risk.

Additionally two further attacks have shown disturbing developments.

  • UCL was suffered a ransomware attack on 15th June this year that investigation showed was initiated by users browsing a site that was running malicious advertising. The attack itself was initiated via an advert that not only made use of a ‘zero-day exploit’ (a vulnerability not known to vendors and therefore not fixed or protected against) but didn’t require the user to click on anything. Around a dozen computers were infected which resulted in the IT department shutting down all network drives in order to contain and eradicate the infection.
  • A further ransomware attack called NotPetya appeared on the 27th June. It made use of the same WannaCry vulnerability in addition to several others. This attack is remarkable because it appears the hackers had no intention of decrypting any of the machines that had been infected. Even those users who dutifully paid $300 received nothing in return.

In this environment it becomes incredibly important that organisations and users take time to ensure their systems are properly protected:

  • Always ensure your machines and devices are upgraded regularly. All major Operating System manufacturers offer automatic updates and this feature should be turned on.
  • Computers and devices should have some form of anti-virus/anti-malware or internet security suite installed.
  • Install ad blockers where possible on all browsers (for more advanced users, look into script blocking add-ons)
  • Don’t use an administrator login as your normal login, create a separate user with normal rights and use that for your day to day use. The more rights your account has, the more damage can be done if it is compromised.
  • Be vigilant and don’t fall for unsolicited attempts to get you to click links, open attachments or perform some other action (especially where there’s an implied or explicit threat or reward)
  • Ensure backups are taken of your most important files. This should be either on a separate system or, preferably, on removable storage.