DATE: Thursday, November 11, 2021

TO: All Capital University Faculty, Staff and Students

FROM: The Department of Information Technology

SUBJ: Spam/Phishing Attacks on Campus

Recently there has been a sharp increase in email phishing scams due to compromised Capital user accounts.  A compromised account is one that is accessed by a cybercriminal who is not authorized to use that account.  When student or employee accounts become compromised, those accounts are used to send spam and phishing emails to people on and off campus.

The latest phishing scam on campus involves the circulation of an email message for a “dog sitting” job opportunity.  This overpayment scam plays out roughly the same way as with the “nanny or caregiver scams,” but with some slight variation.

  • Once you give the scammer your personal contact information, they will reach out to you online or via text stating that they want to hire you, typically without interviewing or seeing you in person
  • The scammer offers an upfront financial advance for your services, typically in the form of a money order from some type of “business” the scammer claims to work for, or a government “embassy”. They may also ask you to accept deliveries or make purchases on their behalf with promises of reimbursement
  • The amount of the money order will always be written for more than the amount needed, and the recipient will be asked to keep a portion of the funds and either send the extra funds to a third party, or if they have changed their mind, return all the money as soon as possible
  • If you were asked to accept deliveries or purchase items in preparation for the dog sitting position, you may be asked to forward an upfront payment to a third party (via check, wire transfer, gift cards, etc.) to cover the cost of the materials

Although the money orders from the scammer are all fake and fraudulent, many banks will still cash them and place the funds into the pet sitter’s account within a few days.  However, usually within a month, the money order is returned as fraudulent, and the bank will withdraw the money from the pet sitter’s account.  The bank may also charge extra fees, and may pursue the pet sitter with criminal charges for cashing a fake check.

Please be aware and cautious when reviewing and/or responding to email messages about job opportunities that require you to send money up front as a condition of employment, or that offer to pay you in advance. Trust your instincts and remember: if it sounds too good to be true, it probably is a scam. Never give your birth date, SSN, username, bank, or other private information to anyone online, especially if they ask you to “confirm” something for security reasons; that request is a red flag of a scam. Educate yourself and read through previous email scams to get a feel for how these messages work.

Key Points and Red Flags in Identifying Scams

  • Pay close attention to the “From” and “Reply-to” addresses in the email to see if they are valid addresses you recognize
  • Check the body of the message to see if the English wording is awkward or if there are lots of misspellings
  • Be cautious if someone wants to only communicate with you via email or text messaging. Scammers do not want to talk to you over the phone or video chat
  • Most job postings like this will state that they are “moving to your area”; however, they will not be able to tell you where your area is if you question them
  • If someone is very keen on sending you money before meeting you, this is likely a scam!  Never accept a pet-sitting assignment or payment until you’ve met a potential client in person at the initial consultation.  No legitimate employer will ask you for your banking information or give you money without meeting with you
  • If a potential client urges you to transfer money using a service like Western Union or MoneyGram, it’s probably a scam. Don’t send money to someone you don’t know, either in cash or through a money transfer service. Likewise, don’t deposit a check from someone you don’t know and then transfer the money

IT works diligently to help prevent and counteract spam and phishing scams through various security appliances such as Barracuda, which scans every incoming email message for spam and phishing exploits. Barracuda will catch the majority of exploits; however, nothing is fool-proof, and it takes cooperation from all of our campus users to help keep the infrastructure and user accounts safe at all times.

What Do I Do If I’ve Been Scammed

  • If you or someone you know was tricked into transferring money for any reason, the Federal Trade Commission (FTC) wants to know about it: https://www.ftccomplaintassistant.gov/#crnt&panel1-1 so please report it
  • Next you should report the incident to the money transfer company.  The two common companies are MoneyGram: 1-800-666-3947 (1-800-955-7777 for Spanish) or com and Western Union: 1-800-448-1492
  • Make a report and work with your bank
  • Notify and report it to the caregiver web site you were contacted through so they can stop the scammer from targeting anyone else on the site. The scammer is likely trying to prey on others who are looking for work
  • Finally, file a complaint with the Internet Crime Complaint Center (IC3), which is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center.

Visit the IT Status Page for detailed information on other forms of email phishing scams: https://inside.capital.edu/ITStatus/index.php/category/spam-phishing/. Questions, inquiries and concerns can be directed to the IT Help Desk, helpdesk@capital.edu or 614-236-6508. If you suspect that you have received a phishing scam, please report it to abuse@capital.edu.


The following was a phishing email – please find some key warning signs below to look for in order to help you determine if the email is dangerous.

Phishing – is an unsolicited email message trying to get you to give up something. Typically they are trying to get your username and password. Sometimes they try and get you to click on a link or run an attachment that will infect your computer with a virus. To learn more about phishing attacks and tactics, visit phishing.org for more information.

The email above shows 5 things that tell us this is a fake email and should be deleted. It is important to note that not all bad emails will have all 5 things wrong in them; some may only have 1 or 2 of these things and/or may have a few more not listed in this article. These are the most grievous and common red flags that you can spot and use to determine whether a message you received is safe or not.

Before we get into the 5 individual red flags you can also see that the overall message itself is a red flag… it is very short and does not say much of anything but is about an important topic that may be of a concern to you. However, the only option for you to learn more is by clicking on a link. A proper announcement should have more content in the email helping you to understand why the email is of importance to you.

1. The email’s friendly name displays Capital University but the email address is not an @capital.edu address.
This is a big clue; if this email is “Regarding your Payroll”, then why would someone at ccri.edu be emailing people at capital.edu? This by itself should tell you to just delete the email, but you can also contact the appropriate person, in this case someone in Payroll, by phone or by forwarding this email to them (DO NOT reply to unknown/untrusted senders) and ask if it is legitimate.

Sometimes, instead of Capital University, you may see the name of someone you know from Capital, but still with a non-Capital email address such as gmail.com or yahoo.com… that is still not from the person named. The spammer likely looked at our website and picked a name that would bolster your trust of their spam; but it is still not legitimate.

Important: You may get an email that is from a person at Capital and it has their capital.edu email address… That alone should not cause you to trust a message like this. These other red flags should still be checked, as the named person’s account may have been compromised and the spammer is logged in to this person’s account and sending the emails from it.

2. The Barracuda Spam Appliance was suspicious of this email and has tagged the subject line with [POSSIBLE SPAM].
Emails are scored, and the higher the score the more likely it is spam; there are four ranges of scores: not spam, possible spam, quarantine, and spam. This email did not score high enough to be outright blocked or quarantined, but it was suspicious, so it was tagged. That tag should alert you to treat the email with extra caution and examine it to see if you can trust it. Things you should ask yourself – Were you expecting this? Do you know the sender? Can you verify this email with the sender without replying to it?

3. The greeting does not contain your name.
The use of a form letter or generalized greeting can aid in determining the trustworthiness of an email. With the ease of mail merge, many of the key offices here at Capital work to personalize their emails to you. For example, the IT password expiration notices are automated, but they use your first and last name because we have that in our system; the spammers do not know what your first and last names are, so they cannot do that. Should an email use your email address in the greeting, that is a dead giveaway that it could be dangerous.

4. The enclosed link does not point to where it says it does.
Hover your mouse cursor over the link (do not click!) and a pop-up should appear showing the true destination of the link. You can see the link text said it was a www.capital.edu site but the pop-up is tiruleta.es (the ‘es’ is the country code for Spain). If you click on this link then you are taken to a server at tiruleta.es in Spain, not a server with Capital.

ALSO note: the end of the weblink listed that it was a pdf file… but the end of the pop-up shows that you are going to a PHP page.

5. The signature text does not tell you who from Capital sent the message.
Based on this message alone, you do not know who sent it nor do you know who to call to verify its validity or to ask questions. That is because the real sender, the spammer, does not want you to verify it. They only want you to click on the link, fill out a form, and give away your password and possibly many other personal pieces of information. If this was really from payroll you would have had a Capital person’s name and phone number on it so that you could contact them.

There are many other methods that can be used to identify suspicious emails not seen in this email and thus not listed in this article. For a good search with Google look at this link:
https://goo.gl/P50y4X (this is a google shortened URL much like tiny url).
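The red flags dissected above lend themselves to an automated first pass. What follows is an added example, not the university’s tooling or anything from the original post: a Python standard-library script that parses a raw message and reports the same signals the post describes (friendly name claiming the institution while the address sits on another domain, the appliance’s [POSSIBLE SPAM] subject tag, a greeting that uses your email address or no name, and a link whose visible text names one host and file type while the real destination is another). It goes slightly beyond the post in two ways, both drawn from elsewhere on this page: it also compares the Reply-To domain with the From domain, and it recognizes generic “Dear valued…” salutations. ORG_NAME, the flag codes, and the sample message with its reserved .example domains are constructed for this example; capital.edu and the subject tag are the ones the post names.

```python
"""Automated red-flag checks for a suspicious email (added example; standard library only)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "capital.edu"        # the institution's mail domain, as named in the post
ORG_NAME = "capital university"   # display name the spoofed message claimed (lower-cased)
SPAM_TAG = "[POSSIBLE SPAM]"      # subject tag the post says the spam appliance adds
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder", "dear valued")

# Constructed sample modelled on the message the post dissects; .example domains are placeholders.
SAMPLE_EMAIL = b"""From: Capital University <payroll@ccri-lookalike.example>
Reply-To: hr-desk@freemail.example
To: staff@capital.edu
Subject: [POSSIBLE SPAM] Regarding your Payroll
Content-Type: text/html; charset=utf-8

<p>Dear staff@capital.edu,</p>
<p>Your payroll statement is ready:
<a href="https://phish-host.example/verify/index.php">https://www.capital.edu/payroll/statement.pdf</a></p>
"""


class _HtmlScan(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host_and_ext(url):
    """Hostname and final path extension of a URL; bare 'www.x' link text gets a scheme."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    last = parsed.path.rsplit("/", 1)[-1]
    return (parsed.hostname or "").lower(), (last.rsplit(".", 1)[-1].lower() if "." in last else "")


def red_flags(raw_message, recipient_name=None):
    """Return (code, explanation) pairs for the red flags found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flags = []

    # 1. Friendly name claims the institution but the address is on another domain; a Reply-To
    #    on yet another domain is the "Reply-to" check from the red-flag list earlier on the page.
    display_name, from_addr = parseaddr(str(msg["From"] or ""))
    reply_addr = parseaddr(str(msg["Reply-To"] or ""))[1]
    from_domain, reply_domain = from_addr.rpartition("@")[2].lower(), reply_addr.rpartition("@")[2].lower()
    if ORG_NAME in display_name.lower() and from_domain != ORG_DOMAIN:
        flags.append(("sender-domain", f"display name says '{display_name}' but address is @{from_domain}"))
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to", f"replies go to @{reply_domain}, not @{from_domain}"))
    # 2. The spam appliance already marked the subject as suspicious.
    if str(msg["Subject"] or "").startswith(SPAM_TAG):
        flags.append(("spam-tag", "subject carries the appliance's suspicion tag"))
    # 3. Greeting: an email address, a missing recipient name, or a form-letter salutation.
    body = msg.get_body(preferencelist=("html", "plain"))
    scan = _HtmlScan()
    scan.feed(body.get_content() if body is not None else "")
    scan.close()
    lines = [ln.strip() for ln in "".join(scan.text).splitlines() if ln.strip()]
    greeting = lines[0].lower() if lines else ""
    if "@" in greeting:
        flags.append(("greeting", "greeting uses an email address instead of a name"))
    elif recipient_name and recipient_name.lower() not in greeting:
        flags.append(("greeting", "greeting does not contain the recipient's name"))
    elif greeting.startswith(GENERIC_GREETINGS):
        flags.append(("greeting", "generic form-letter greeting"))
    # 4. Each link whose text looks like a URL: shown host vs. real host, shown file type vs. real one.
    for href, anchor in scan.links:
        if not anchor.startswith(("http://", "https://", "www.")):
            continue
        shown_host, shown_ext = _host_and_ext(anchor)
        real_host, real_ext = _host_and_ext(href)
        if shown_host != real_host:
            flags.append(("link-host", f"link text shows {shown_host} but points to {real_host}"))
        if shown_ext and real_ext and shown_ext != real_ext:
            flags.append(("link-ext", f"link text promises .{shown_ext} but destination is .{real_ext}"))
    return flags


if __name__ == "__main__":
    for code, why in red_flags(SAMPLE_EMAIL):
        print(f"{code:13} {why}")
```

Run against the constructed sample, the script reports six flags: sender-domain, reply-to, spam-tag, greeting, link-host and link-ext. A message that passes all checks is not thereby safe (a compromised capital.edu account, as the post notes, would pass the sender check), so the output is a prompt for the human checks the post describes, not a verdict.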


The amount of news coverage and impact surrounding the coronavirus pandemic has continued to create an opportunity for cyber-criminals to take advantage of individuals in the form of phishing attacks, email scams and zoom video hijacking.

Looking to exploit the public’s fears and to take advantage of the increase in teleworking during the pandemic, cyber-criminals are sending email messages claiming to be from legitimate organizations with information about COVID-19 and the CARES Act. Additionally, Zoom phishing emails and Zoom-bombing of video conferences have increased significantly over the last month.

We ask that all Capital University employees and students continue to maintain high awareness and to be very vigilant in not falling prey to these attacks. Please review and educate yourself with the latest information below, and report and/or forward any suspicious activity, spam, emails or phishing attacks to abuse@capital.edu.

Covid-19 Phishing Awareness

Phishing messages will utilize tactics with a COVID-19 spin to them. Here are some things to be on the lookout for:

  1. An email asking you to open an attachment claiming to “provide the latest statistics on the virus”
  2. Encouraging you to click a link that will provide helpful information on “staying clear of the virus”
  3. Asking you to provide personal information to “see if your area is being affected by the virus”
  4. An email asking for information to receive government stimulus checks

Zoom Bombing Awareness

Across higher education, there is an increase in Zoom related phishing emails and Zoom-bombing incidents. Zoom-bombing is where Zoom video conferences used for online lessons and business meetings are hijacked and disrupted.

Zoom phishing emails may come in the form of a Zoom meeting request from an official-looking, branded, and registered Zoom domain.  They may include links such as zoom-us-zoom_##########.exe which likely contains malware.

Some best practices to apply when using Zoom include:

  1. When utilizing Zoom for official Capital University business and classes, utilize the capital.zoom.us domain
  2. Utilize private meeting rooms
  3. Do not share Zoom conference links on public social media
  4. Manage screen-sharing options (such as screen sharing to “Host Only”)
  5. Create a “waiting room” within your Zoom conference meeting so that all persons must be verified and admitted by you only
  6. When accepting a Zoom meeting request, verify it is from a known person and Zoom domain

Student Aid & The CARES Act Scam

The Coronavirus Aid, Relief, and Economic Security (CARES) Act includes funds intended to provide emergency assistance to university students. Many of our students will be eligible and will be receiving CARES Act grants.

Scammers are also aware of these grants and are already plotting ways to exploit the situation. Be vigilant for phishing scams related to the CARES Act student assistance that are likely to surface in the coming days and weeks.

Keep in mind the following tips for spotting scams:

  1. Federal, state, and local governments will not ask you to pay a “deposit” or any other fees to obtain CARES Act grants. Any attempt to collect money in exchange for grants is a scam
  2. Neither the government nor the University will request your Social Security number, bank account number or credit card number as a prerequisite for receiving a CARES Act grant
  3. Refer to Capital University’s official web page (https://www.capital.edu/cares-application/) for details about student aid being distributed through the CARES Act

What can you do?

  1. Be careful opening any web links or attachments, even if you know the sender; the sender’s account may have been compromised.
  2. If you suspect that you have received a phishing email, delete it and do not open or click on any links.
  3. Look for “Red Flags” in emails you receive. Red Flags include abnormalities in the sender, topic, links, content, etc.
  4. Additional tips for spotting phishing scams are available on the following IT web page: https://members.eiia.org/wp-content/uploads/assets/SocialEngineeringRedFlags.pdf
  5. Please remember that emails with the words COVID-19 or Coronavirus coming from outside the University will be flagged with the header shown below:
  6. Contact your IT department whenever you have any doubts or concerns at helpdesk@capital.edu or 614-236-6508.



The following is a Phishing Alert from EIIA – Educational & Institutional Insurance Administrators concerning recent sharp increases in phishing attacks occurring over the past week related to Coronavirus and COVID-19.

All emails from the outside with the words COVID-19 or Coronavirus will be flagged with a header:


Good afternoon,

I am sending this email to alert everyone about the recent sharp increase in phishing attacks occurring over the past week. Hackers and cybercriminals are using public apprehension over the coronavirus outbreak to advance their agendas. IBM recently warned consumers that ransomware has entered the mix of coronavirus-themed payloads hackers are unleashing. Emails purporting to contain information about the spread of the coronavirus will secretly download the Emotet malware that allows hackers to steal information and deliver malware.

The types of emails you may receive to get your attention to click a malicious link or open an attachment include:

  1. Fake school or CDC emails could make you think you or your child has been exposed to COVID-19. They could say your family may face quarantine.
  2. False claims that there’s a vaccine for sale or some form of remedy available.
  3. Misleading ads about masks that may not be effective or other helpful hints to combat the virus.
  4. Emails with “latest” updates to keep you informed as criminals are aware that everyone wants to know everything first.

What can you do?

  1. Be careful opening any web links or attachments, even if you know the sender; it may be a compromised sender.
  2. Look for “Red Flags” in emails you receive. Red Flags include abnormalities in the sender, topic, links, content, etc. To help everyone on this topic, please refer to the following link on our website for a helpful one page document: https://members.eiia.org/wp-content/uploads/assets/SocialEngineeringRedFlags.pdf
  3. Contact your IT department whenever you have any doubts or concerns.

Please let me know if you have any questions. I hope this information is helpful and everyone be careful out there.

Thank you.

Gerry Hamill, MBA, CISSP
Executive Director
IT Risk Management
888.260.7416
ghamill@eiia.org
www.eiia.org

The following is a Cyber Security Alert from Ohio Homeland Security, a division of The Ohio Department of Public Safety. The document contains information related to active Cyber Incidents that are taking place throughout Ohio.

The document states that:

“During a 2018 ransomware attack, on a city government entity in Ohio, a contact list was stolen. This information is currently being used to spoof email addresses that send out malicious Microsoft (USBUS) Word Documents and conduct social engineering attempts.

The delivery of these attacks is very similar to what was described in our previous post this past September.

Warning: Email of an Encrypted document

Please see the full PDF from Ohio Homeland Security below.

OHS-SAIC Cyber Bulletin 54 11-6-19

There is a growing number of SPAM messages being received that have very little to say other than someone shared an encrypted document via Microsoft Sharepoint, OneDrive, or some other document sharing service. Unfortunately, there is not much in these messages to be able to create a custom block rule that will not also block legitimate email. I.T. would like to share some tips to help identify these (and other) suspicious emails. Please see a picture of the email at the bottom of this post.

  • Be wary of any email asking you to open any attachment from someone or a company you do not know.
  • If the document is important then you should either be expecting it or the sender will tell you more about it in the email.
  • Try to contact the sender directly by phone (not by email); a legitimate sender would want you to contact them and should provide proper contact details. It is the spammers and hackers that do not want you to contact the people they impersonate.
  • Legitimate senders usually call you by your name; they do not use generic salutations such as “Dear valued member,” “Dear account holder,” “Dear customer” or nothing at all, as seen in this example.
  • Don’t just check the sender’s first and last name; look at their email address as well, because you can learn a whole lot from it. If the email claims to be from a company, it stands to reason that it would be sent from the company’s email system. Note: some devices, such as cell phones with limited screen space, may show the name but not the email address, so if in doubt, check from another device before opening attachments or clicking on any links when you are unsure of the sender. As you can see in the example below, the signature text at the bottom of the email says:

    Kristen Hartle PhD
    Director Of Advancement Research
    Weber State University

    and the email address was:

    Kristen Hartle <info@eatio.pk>

    While the first and last names in the email address and the signature text match, why is the email address info@eatio.pk? Also, the pk in the email address is the country code for Pakistan (most areas outside of the US use country codes rather than .com on their domain names).

  • Furthermore, the email signature text says the sender is from Weber State University, which a quick Google check shows is in Utah, and their website is weber.edu – that is not at all like the email address of info@eatio.pk. Also, if they are in Utah, then why does the email list an address in Lawrence KS? BTW: Google lists that address as being part of Kansas University (ku.edu). The spammer did not clean up the spam that he stole from another spammer :).
  • For any link to visit a webpage or to download a document, like the example shows, the best tip is to compare the link’s info with other info that we know. Hover your mouse over (do not click) the download/view button and a pop-up will list where the document exists. In this example you can see it is coming from https://docs.google.com when the message says it is from Microsoft Sharepoint.
  • If you suspect an email is not valid or is suspicious, please forward the email in question to abuse@capital.edu.

If you have any questions, feel free to contact the CapIT Help Desk at: helpdesk@capital.edu

Example of the suspicious email:

A recent trend in email phishing attacks is something called whaling. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, managers and supervisors. “In many whaling phishing attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker” (More info). In our case we are getting many email attacks where someone is trying to trick people into buying gift cards and sending the card numbers to them.

The basic way it works is that the attacker creates an email account with a free email service such as Gmail, Yahoo, and a couple of others. They usually choose the names of people who are department leaders and have staff. They then send emails to members of that department hoping to trick an employee into thinking it is from their manager. The initial email is extremely brief, such as “Are you available?”, and may have a subject hinting at urgency. Some have also created a signature text that is quite convincing. Their hope is to trick the potential victim into replying.

Once they hook someone, their second message says that they are in a meeting with no idea when it will end (they commonly say they do not know when the meeting will “round up”). They go on to say that they cannot use their phone and can only communicate through email, and that they need something very important done right away. Their next email says what they want… lately they have been asking for some amount in Amazon gift cards (I have seen amounts of $100 to $500), and they reiterate that they will reimburse, that they need it right away, and that they are still in the meeting. They may say in this message or a following one that once the victim has the cards they are to scratch off and send the numbers on the back of the card.

This gift card spoofing is the latest twist in whaling attacks that we have received. Many of you may remember that we have been seeing similar spoofed emails for over a year, with the attackers using a variation of Dr. Paul’s name as part of the sender’s name and email address from Gmail or Yahoo. These were mostly trying to pass off some document for all employees to read and then sign into a web page to indicate they have read and agree. These were phishing attacks designed to capture the victim’s login name, password and possibly other personal information from that non-capital.edu website.

As a tool to help you better identify these, we have added an External Sender Disclaimer to email received externally.

external header notice

This new disclaimer message will be a constant reminder to use caution when opening, sharing your personal information or responding to emails from unknown or external senders. Exclusions for emails from official university systems are being identified and created so that the disclaimer will not appear in the body of the messages.
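To show how a gateway applies a disclaimer like the one just described, together with the header the earlier COVID-19 post says is added to outside mail mentioning COVID-19 or coronavirus, here is an added example in Python. It is not the university’s Barracuda or mail-system configuration and not code from any of the posts; it models the decision logic (externality judged on the real sending address, not the display name; exclusions for official systems; no double-tagging when a message passes through twice). capital.edu is the domain named on this page; the [EXTERNAL] subject tag, the disclaimer wording, the X-Outside-Topic-Warning header name, the exclusion list and the two sample messages with reserved .example domains are all constructed for this example.

```python
"""External-sender disclaimer and topic flag for inbound mail (added example)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "capital.edu"                  # the institution's domain, named in the posts
SUBJECT_TAG = "[EXTERNAL]"                  # assumed subject tag; the posts show an image instead
DISCLAIMER = ("CAUTION: This email originated from outside Capital University. "
              "Do not click links, open attachments, or share personal information "
              "unless you recognize the sender and know the content is safe.")
TOPIC_HEADER = "X-Outside-Topic-Warning"    # hypothetical header name for the COVID-19 flag
TOPIC_KEYWORDS = ("covid-19", "coronavirus")
# Hypothetical official third-party systems that send on the university's behalf (the
# "exclusions" the post mentions); their messages stay free of the disclaimer.
EXCLUDED_SENDERS = {"noreply@official-vendor.example"}


def sender_address(msg):
    """Lower-cased address from the From header; the display name is deliberately ignored."""
    return parseaddr(str(msg["From"] or ""))[1].lower()


def is_external(msg, exclusions=EXCLUDED_SENDERS):
    """True when the sending address is neither on ORG_DOMAIN nor an excluded system."""
    addr = sender_address(msg)
    return addr.rpartition("@")[2] != ORG_DOMAIN and addr not in exclusions


def annotate(raw_message, exclusions=EXCLUDED_SENDERS):
    """Parse a raw message and, if it came from outside, tag the subject, prepend the
    disclaimer to the text body and add the topic header. Safe to run twice."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    if not is_external(msg, exclusions):
        return msg
    subject = str(msg["Subject"] or "")
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if body is not None and not text.startswith(DISCLAIMER):
        body.set_content(f"{DISCLAIMER}\n\n{text}")
    if TOPIC_HEADER not in msg and any(k in (subject + text).lower() for k in TOPIC_KEYWORDS):
        msg[TOPIC_HEADER] = "Outside message mentions COVID-19/coronavirus; verify before acting."
    return msg


def summarize(msg):
    """The fields the gateway may have changed, for logging and tests."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return {"subject": str(msg["Subject"] or ""),
            "disclaimer": text.startswith(DISCLAIMER),
            "topic_flag": TOPIC_HEADER in msg}


# Constructed sample messages (not real mail); .example domains are reserved placeholders.
OUTSIDE_MAIL = b"""From: Health Desk <alerts@outside-sender.example>
To: staff@capital.edu
Subject: Coronavirus update for your area
Content-Type: text/plain; charset=utf-8

Open the attached statistics now.
"""
INSIDE_MAIL = b"""From: IT Help Desk <helpdesk@capital.edu>
To: staff@capital.edu
Subject: Password expiration notice
Content-Type: text/plain; charset=utf-8

Your password expires in 7 days.
"""

if __name__ == "__main__":
    for raw in (OUTSIDE_MAIL, INSIDE_MAIL):
        print(summarize(annotate(raw)))
```

The externality test looks only at the address in the From header, which is why a message whose display name reads “Capital University” but whose address is elsewhere still gets the banner; the exclusion set is exact addresses rather than domains so that an excluded vendor cannot be impersonated by any other mailbox on that vendor’s domain.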

Past helpful posts

How to Spot a Phish
https://inside.capital.edu/ITStatus/index.php/2018/10/11/how-to-spot-a-phish-101118/

Top 10 List for Cyber Security Awareness Month (October 2018)
http://inside.capital.edu/itstatus/index.php/2018/10/10/top-10-list-for-cyber-security-awareness-month-october-2018/


Spam Definitions

SPAM – Spam is unsolicited or junk email that clogs up your email inbox trying to get you to buy something. The best way to deal with spam is not to open it or reply to it.
Spoofing – Spoofing is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Email spoofing is the most popular tactic used by scammers because users are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of spoofing is to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons.

If you suspect spoofing, check the email’s header to see if the email address generating the email is legitimate. Visit phishing.org for more information on phishing attacks.

Phishing – Phishing is an unsolicited email message trying to get you to give up something. Typically they are trying to get your username and password. Sometimes they try to get you to click on a link or run an attachment that will infect your computer with a virus. To learn more about phishing attacks and tactics, visit phishing.org for more information.
Spear Phishing – Spear phishing is a phishing email customized for a particular organization or person. It will use the same graphics and language as an official email. The goal is the same as a phishing attack.

Many of you may remember the spoofed emails from scammers who were using their own Gmail and Yahoo accounts to send out email messages to the campus using a variation of Dr. Paul’s name as part of the sender’s name and email. The goal was to try to pass off a document to all employees asking them to read it by signing into a “non Capital.edu” website which would then capture the victim’s login name, password and possibly other personal information.

Always check the sender’s information closely for validation and legitimacy.

Whaling – A recent escalating trend on campus is the whaling email phishing attack. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CFO, managers and supervisors. The cybercriminal’s goal is to manipulate the victim into authorizing high-value wire transfers to them, or to trick the victim into buying gift cards and sending them the card numbers.


Users of Google’s Calendar app are being warned about a scam that takes advantage of the popularity of the free service and its ability to schedule meetings easily. The latest warning from researchers at Kaspersky indicates the bad guys are using unsolicited Google Calendar notifications to trick users into clicking phishing links.

This is how it works: scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to meet.google.com for more details. Once clicked, it’s back to the usual tactics of trying to infect the user with malware and so on. Because the link is hidden within a meeting invite and uses a seemingly valid URL for “more information”, it can be confusing.

We continue to caution users about their interaction with email and the web. Now it’s important to add Calendar invites to the list. If you need any help, please feel free to contact the CapIT Help Desk at: helpdesk@capital.edu, or by calling: 614-236-6508.