
Anatomy of a PHISH and the use of Social Engineering

 

PHISH is defined as a method of getting you to provide credentials, or otherwise profit the originator of the email, regardless of who is harmed. Social Engineering is roughly defined as manipulating you into doing someone else’s bidding while you think it is for your own benefit. Once the dust settles you find yourself the victim: poorer, with compromised credentials loose in the wild, or both.

 

Let’s examine an example PHISHing email I received. With it I hope to show you how to identify the trickery and avoid falling for it.

 

Subject—the subject of the email was designed to get your attention: “Blocked Mails”. No one wants to be missing email. This entices you to read the actual email.

 

 

In the opening line it identifies me by name. That lends some legitimacy from the start: “Only someone like Wesleyan or Amazon would know who I am.” This is not true. They may simply have done a little research into who is employed at Wesleyan and sent this to all personnel at Wesleyan. A name and an email address are not proof of identity.

 

Bad grammar—Who says “Mails” when referring to email? The first sentence has more grammar issues. Now, yes, you can get a legitimate email from a person like me who can’t spell for beans and occasionally misses things Spell Check flags, or doesn’t have Spell Check enabled. But aside from the incorrect or mangled words, the grammar still flows correctly. In this example the grammar is incorrect: “Your new mails could not synced with your mailbox, they mails were blocked by your server due to new update”. There are additional examples but you get the idea.

 

Vocabulary in the text is selected to give it gravity and trigger your sense of urgency. That urgency leads to less-informed decisions clouded by confusion. You don’t want to do anything wrong at work; your reputation is all you have to show you are a solid and reliable employee. “If I’m missing email it could be something important. I don’t want to miss anything important!” This is what gets you to bypass and ignore all of your tingly senses and the little voice saying “This doesn’t look quite right”.

 

The Link—If you hover over a link on a web page or an active email hyperlink, the actual destination is shown (either at the bottom of your browser or next to the cursor). On a phone there is no hover; press and hold the link to preview its destination without opening it. I can make a link display as anything. I can label it “Your new sweepstakes prize” and point it at iphones.com. It is the underlying path, “https://www.iphones.com”, you are interested in, not the label. The example below shows the actual link has nothing to do with Wesleyan or wesleyan.edu. It actually points to https://tbkbi.website/cr/klou/ and appends your email address (?userid=vspiars@wesleyan.edu). This auto-fills the user ID field to “assist” you and make you think this is still legitimate. “How else would the bad guys know my email address?” They know it because it is the address they mailed; carrying it in the link is what lets the fake login page greet you with it.
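Here is a way to automate that hover check over an HTML email body. This is an added example, not something from the original post: it uses only the Python standard library, the sample HTML is constructed (the destination URL and the appended userid parameter are the ones from the message above), and the expected domain passed in is an assumption about what a legitimate Wesleyan link would use. The "registrable domain" helper is deliberately crude (last two labels) and would need a public-suffix list for domains like example.co.uk.

```python
"""Flag the link tells described above in an HTML e-mail body:
a destination outside the expected domain, link text that shows one domain
while the href goes to another, and an e-mail address smuggled into the query
string. Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude organisation part of a hostname: mail.wesleyan.edu -> wesleyan.edu."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_link(href, text, expected_domain):
    """Return the reasons this link looks like a phish (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if registrable(host) != expected_domain.lower():
        reasons.append(f"destination {host!r} is not {expected_domain}")
    shown = DOMAIN_RE.search(text)  # a domain written in the visible link text
    if shown and registrable(shown.group(0)) != registrable(host):
        reasons.append(f"link text shows {shown.group(0)!r} but goes to {host!r}")
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if EMAIL_RE.fullmatch(value):
                reasons.append(f"query parameter {key!r} carries an e-mail address ({value})")
    return reasons


def inspect_html(body, expected_domain):
    """Map each suspicious href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: r for href, text in collector.links
            if (r := inspect_link(href, text, expected_domain))}


# Constructed sample body modelled on the "Blocked Mails" message in the post.
SAMPLE_BODY = """
<p>Your new mails could not synced with your mailbox.</p>
<p><a href="https://tbkbi.website/cr/klou/?userid=vspiars@wesleyan.edu">Click here to restore your Wesleyan.edu mailbox</a></p>
<p><a href="https://www.wesleyan.edu/its/">ITS home page</a></p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_html(SAMPLE_BODY, "wesleyan.edu").items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints only the tbkbi.website link, with three reasons: wrong destination, a displayed wesleyan.edu that does not match the real host, and the userid parameter carrying an address. The genuine wesleyan.edu link produces no findings.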

 

The Signature—“Mail Client”. Who signs an email “Mail Client”? Even the automated system it purports to be would have something a little more identifiable. If the signature is generic, question it. It is by no means a guarantee the email is fraudulent, but it is another piece of information that, cumulatively, can indicate a fake/PHISH/SPAM email.

 

They only need to be lucky once. We need to be careful and error-free every day.

 

There is an article about this very item and how to better identify PHISHing scams. The article is located at……

 

From: Kyle Richard <kylerichy001@gmail.com> <–NOT a legitimate email address for this line of business. Expect a business email address.
Date: Wed, Nov 21, 2018 at 11:17 AM
Subject: Pt switf
To:

Hello,

I work as a clinical counselor for the department of Disability Resources and Educational Services (DRES). I provide individual and group therapy, coaching, assessment and academic screenings to support students with disabilities (physical, chronic, psychiatric, and invisible)registered with DRES. A large percentage of the students served by the mental health unit have psychiatric disabilities or co-morbid psychiatric disabilities and need mental health support to be successful at the university. In addition, many University of students with academic difficulties and no prior diagnosis are seen and assessed through the academic screening and assessment process. I also am the director of supervision, training and coordination of counseling psychology and clinical psychology graduate students of the United States who have practicums at DRES and APA-accredited school psychology pre-doctoral interns.

This is a very simple employment. You will only help me Mail letters, Make payments at Walmart and purchase some Items when needed. This employment only takes 1-2 hour a day and 4 times a week for $250 in a week.  <–Too good to be true.

I am currently away and helping the disabled students in Australia. You will be paid in advance for all tasks and purchased to be done on my behalf . Upon my arrival we will discuss the possibility of making this a long-term employment if I am impressed with your services while I am away.  <–Suspicious.  Money in advance??

Kindly reply with your Full Name, Mailing address and Zip Code, Alternate Email and mobile Number to this email.

I have created a Knowledge article in ServiceNow to assist with this issue.

 

KB0010918

https://wesleyanedu.service-now.com/kb_view.do?sysparm_article=KB0010918

Students Beware of Email Scams

We have seen a recent uptick in email scams targeting students. There have been emails sent to advertise Personal Assistant jobs or Internship possibilities. Typically these emails are not sent from a Wesleyan email address. Resumes and replies asked for in the emails are not sent to a Wesleyan email address. In most cases the grammar in the emails is poor and words are misspelled, something that should alert you to it being a fraud. The titles used or departments named are typically not a real title or department on your campus.

When students reply to the requests they are usually contacted in a very short period of time and asked for personal information ranging from their cell phone number to what bank they use or a bank account number. The fraudster will say they are forwarding a check to you that will have your first week’s pay and you will be asked to deposit it and send the balance left to the scammer. The check will bounce in your account leaving you with a fee from the bank and you will be out the money sent to the scammer. Even worse, at this point they will try to use your personal information and bank account information to take money from your account.

These scams are happening on most campuses. The scammers are preying upon students by offering jobs that sound too good to be true, because they are!

ITS posts information on these incidents on their security announcements page which can be accessed in your Wes Portal. If you receive an email like the ones described please reach out to ITS, either Vince Spiars at vspiars@wesleyan.edu or Antonio Crespo at acrespo@wesleyan.edu, so the incidents can be posted on the security page for others to see. You can also contact Public Safety Lt. Paul Verrillo at pverrillo@wesleyan.edu to have the incident documented and be provided with information on how to protect yourself. These scams typically originate out of the country and are extremely difficult for law enforcement to find and hold someone accountable. That is why we need you to be vigilant, not fall victim to this scam and report it promptly. ITS has more tips on their website on what to be aware of and how to protect yourself.

Please remember, A Safe Campus is Everyone’s Responsibility

 

Lt. Paul Verrillo

Wesleyan University

Office of Public Safety

208 High Street

Middletown CT 06457

860-685-2818

 

From: Casey Gerrish <cgerrish@paulsmiths.xxx>
Date: Tue, Oct 16, 2018 at 9:20 AM
Subject: Notice :personal assistant job
To:

Professor James  is new in wesleyan.  and he is looking to hire a student as his PA on a part time basis.. <–Why is he referred to as “Professor James”, a title plus a first name, rather than by his full name?
 
Days :                      Two Days of the week
Hours :                    Two Hours Daily
Weekly Pay :           $300 
 
Contact him directly with your Resume and Replies if you are Available…   jameswhite231@hotmail.com  <—Why not send to the email address at Wesleyan?
 
 
Students Job Recruiter <– Not a real title or position
CG <– Who is this CG?

 

What is the IoT, why do I care and what do I need to know/do? 

 

The Internet of Things (IoT) is simply a way of saying “devices that need little to no configuration to connect to the internet and that report information to your phone or computer, or that you can control from afar”. Some examples are refrigerators, thermostats, home web/security cameras, your car, toothbrushes and ovens.

 

Why do you or should you care about these devices?  

1) IoT devices do not inherently have the security built in that computers possess or offer.

2) Or the devices do have some level of security, but the initial settings are simple and easily broken into by criminals. Examples are easy or no passwords set, default access set high, and no requirement that new owners set up security before the device is enabled for access. This means you can quickly put a device on your home network, where it becomes reachable from the broader internet, in an insecure configuration.

3) In an insecure state, if hijacked by criminals, an IoT device can be remotely controlled. Your devices can be turned on and off, temperatures changed, home security cameras used to watch you, devices rendered useless, or even used as part of other cyber-criminal activities.

 

What can I do about securing IoT devices I have or want to purchase? 

1) Read the owner’s manual.  Yes, it can be boring but the few minutes you take to get familiar with your equipment can help to protect you and those in your home from outside criminal activity.

2) Change the default password to a strong password. As it is not likely a criminal will have physical access to your device(s) you can keep a paper log and put the device passwords in it.  Then put that notebook in a place accessible to you but not readily available for anyone to stumble across. Or use an online password manager and save the information in the “Secure notes” tool.

3) Keep up with firmware and software updates for the devices. Many manufacturers post updates on their sites to help keep the devices secure, and some devices can update themselves if you turn the option on. Take advantage of this. So many cyber attacks can be halted simply by removing the opportunity from a criminal’s hands.

Social engineering and what it means 

Social engineering. The best definitions I’ve found for it are “Any act that influences a person to make decisions that may or may not be in their best interests”, followed by “The practical application of social principles to particular social problems”. In the criminal case, emails and callers encourage you to perform a task that benefits someone else, with no concern for the harm to you.

Methodologies   

Examples of social engineering are:

1) A Phishing email asking you to click a link and put in your credentials on a web site that may or may not look like a Wesleyan page or tool.  

2) A website that pops up a warning that your computer has been compromised and tells you to call a provided phone number. The “support” personnel are criminals after your credit card information and access to your computer. They will ask to install software. It may be remote-control software they leave on your system to access it silently and without your knowledge, or a package that runs, opens security holes for remote access and creates an account giving the criminals free and unfettered access to your computer. They are hunting for passwords to banking, credit card or online shopping sites like amazon.com or walmart.com, and for things like tax returns and SSNs so they can impersonate you, take out loans in your name or have credit issued to them.

3) You might be called by the “IRS” and told police are on the way to arrest you. You may be asked to transfer funds by authorizing payment from your bank or via some payment cards from a convenience store or make a payment by credit card.  

4) You might receive a call from “The authorities” that they have a family member in custody and require bail money to be transferred immediately to gain the family member’s release.  

 

Criminals are clever and thoughtful about how they want to take advantage of you. They are very good at psychology. They understand that people react to certain words, like “because”, when asking why the criminal on the phone needs something. They know how to gain your trust via phrasing, both in speech and in text. The more strongly worded and urgent an email or call sounds, the more urgently the recipient reacts to resolve the issue. This reduces clarity of thinking, puts you in a more vulnerable position and makes you more likely to be taken advantage of.

Compromised Passwords Being Used in Porn Scam

There is a new and prevalent scam going around leveraging compromised passwords and threats to publish porn watching habits unless you pay hush money in Bitcoin.

 

How it often works is that users receive an email with one of their old passwords in the subject line, in a format similar to the sample shown in the article below by Brian Krebs:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

 

https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/  

 

New variations reference smartphone hacking but follow a similar pattern.
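As an added example, not part of the original post or the Krebs article: a small rule-based scorer for this message pattern, of the kind you might drop into a mail filter or a SIEM search. The indicators and weights are assumptions drawn from the sample above; the two messages it runs on are constructed, with the scam one paraphrasing the quoted text and “hunter2” standing in for a leaked password in the subject. Standard library only.

```python
"""Weighted indicator score for the sextortion pattern: Bitcoin address,
payment demand, threat to mail the recipient's contacts, webcam/malware
claims, a deadline and a tracking-pixel claim."""
import re

# Legacy Bitcoin address: starts with 1 or 3, Base58 alphabet (no 0, O, I, l).
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# (indicator name, pattern, weight). Weights are assumptions for illustration.
INDICATORS = [
    ("bitcoin_address", BTC_ADDR_RE, 3),
    ("payment_in_bitcoin", re.compile(r"\b(pay|payment|price)\b.*\b(bitcoin|btc)\b", re.I | re.S), 2),
    ("exposure_threat", re.compile(r"\b(send|forward|share)\b.{0,40}\b(contacts|friends|relatives|coworkers)\b", re.I | re.S), 2),
    ("webcam_claim", re.compile(r"\b(webcam|web cam|camera)\b", re.I), 1),
    ("malware_claim", re.compile(r"\b(malware|keylogger|rdp|remote desktop)\b", re.I), 1),
    ("deadline", re.compile(r"\b\d+\s*(hours?|days?)\b", re.I), 1),
    ("read_receipt_claim", re.compile(r"\bpixel\b", re.I), 1),
]
THRESHOLD = 6  # assumption: two strong indicators plus at least one weak one


def score_message(subject, body):
    """Return (score, names of indicators that fired) for one message."""
    text = subject + "\n" + body
    fired = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in fired)
    return score, fired


def is_sextortion(subject, body):
    """True when the weighted indicator score reaches THRESHOLD."""
    return score_message(subject, body)[0] >= THRESHOLD


# Constructed samples. SCAM paraphrases the message quoted in the post and uses
# "hunter2" as a stand-in for a breached password in the subject. BENIGN shares
# a couple of words with it to show that isolated indicators do not trip the rule.
SCAM = (
    "hunter2",
    "You don't know me. I placed a malware on the porn website and your web browser "
    "acted as a RDP (Remote Desktop) and a keylogger, which gave me access to your "
    "screen and webcam. I believe $1400 is a fair price for our little secret. You'll "
    "make the payment via Bitcoin to the below address. "
    "BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 "
    "You have 24 hours to make the payment. I have an unique pixel within this email. "
    "If I don't get the payment, I will send your video to all of your contacts "
    "including relatives and coworkers.",
)
BENIGN = (
    "Lunch Thursday?",
    "Can we move lunch to 12:30? I have a 2 hours meeting before that, and the "
    "camera for the club is in my office.",
)

if __name__ == "__main__":
    for label, (subject, body) in (("scam", SCAM), ("benign", BENIGN)):
        print(label, score_message(subject, body), is_sextortion(subject, body))
```

The scam sample trips every indicator (score 11); the benign note trips only "camera" and "2 hours" (score 2) and stays below the threshold. The Bitcoin pattern checks alphabet and length only; a Base58Check checksum would cut false positives further if you see them.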

 

What should you do?  Do not reply and do not pay. Mark the message as spam/junk or delete it. The password in the subject came from an old data breach, not from your computer, so the claims about malware and webcam recordings are a bluff.

 

Wondering how the scammer knows one of your passwords?  Go to https://haveibeenpwned.com and enter your email address(es).  The site will tell you about website breaches that may have exposed your username and password.  Then change your passwords on all of those sites.  You can also sign up for alerts so that you are notified if one of your accounts turns up in a future breach.  Also, please use different passwords for your Wesleyan, personal and financial accounts, so that if one password is breached it doesn’t give access to everything.

 

If you are worried about tracking all of those passwords, we are piloting the use of a tool called LastPass for staff and faculty, which helps users manage their passwords.  You can find more information about the tool at https://lastpass.com.  If you want to join our pilot and use the tool, please email security(at)Wesleyan.edu.

 

Stay Safe Online.

 

Antonio Crespo

Chief Information Security Officer

 
