New semester, new scams

We’ve already investigated a couple of aggressive new scams this spring, and given that we’re going into tax season – a favorite time of year for scammers – we’re bound to see many more. I wanted to provide some information on what seems to be popular this year.

E-mails and calls where the person at the other end seems to already have a lot of personal information about you are increasingly common.  The Target breach in December was a particularly high profile event where personal information of some 70 million customers was compromised, though it’s consistent with malicious hackers increasingly targeting personal information more broadly.

Phone scams

A Washburn student has already reported a fake tech-support call where the caller knew her personal cell phone number and e-mail address and addressed her by name when she answered the phone.  The caller claimed to be from “Premier Technical Support” and repeatedly told her that her Washburn.edu e-mail was compromised (it wasn’t) and that she needed to get on her computer so they could remotely connect and fix it.  Fortunately she didn’t do so and instead did the right thing and called ITS User Services at 785.670.3000 to inquire about this.   The scammers called back repeatedly to try to get her to give them access to her computer.  That’s unusually aggressive for such scams and we are working with Washburn Police on that case.

In most cases, such scams block caller ID. However, if you get one of these calls and the phone number is available, the Washburn Police Department is interested in collecting that information. You can contact WUPD at 785.670.1153.

Similar fake tech support calls are increasingly common and regularly feature callers claiming to be from Microsoft and other well-known companies.

http://www.computerworld.com/s/article/9244207/Fake_Windows_tech_support_calls_continue_to_plague_consumers

http://www.thechipmerchant.com/it-blog/security-alerts/bogus-tech-support-phone-calls/

The IRS reports there are scam calls where the caller ID is forged and appears to be coming from the IRS. Additionally, the caller may have significant personal information, including the last 4 digits of your Social Security Number.

http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam

These sorts of calls can be particularly disconcerting and/or convincing. The FTC has advice, and a means to report such scams if you’ve been taken advantage of, at the link below:

http://www.consumer.ftc.gov/articles/0346-tech-support-scams#If_You_Get_a_Call

 

E-mail Scams

We’ve also had a staff member report getting a suspicious e-mail from a company they had an existing working relationship with.  This company’s e-mail had been compromised and the hackers were sending realistic-looking e-mails to their customers with links purportedly to important files shared via Google Docs.  Instead the link was being used to harvest the user’s Gmail address and password as well as attempt to compromise their computer.

I’ve also previously posted about dangerous new malware delivered via e-mail called CryptoLocker.  This software encrypts your important data and holds it for ransom:

http://blog.washburn.edu/technology/2013/11/06/crytpolocker-trojan-warning/

If you have questions or concerns regarding suspicious e-mails or calls, feel free to contact ITS at 785.670.3000 or support@washburn.edu.  We’ll be happy to work with you.

CryptoLocker Trojan Warning

Many businesses and even State of Kansas Agencies have been targeted by a new form of ransomware – software that takes away access to your files and demands payment to return access.  This software has been spread mostly by very official-looking and targeted e-mails.  These e-mails may be very difficult to differentiate from real e-mails.  An example message is below:

From: John Doe
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form – Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Opening the attached file in the e-mail immediately starts a process that encrypts important files – Word, Excel, PowerPoint, photos, music, video, and many other commonly used file types. The encryption used is effectively unbreakable; once files are encrypted, ITS staff cannot restore access to them except by accessing backups.

Contact ITS staff at 785-670-3000 immediately if you receive any messages you think may be malicious and do not open e-mail attachments unless they are expected and from trusted individuals.

For more information on CryptoLocker, see these links:

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://www.kake.com/home/headlines/CryptoLocker-Virus-Strikes-Pratt-Police-Department-230602031.html

 

Watch out for Phishing E-mails

Phishing is a fraudulent process used by spammers to acquire sensitive information from users such as usernames, passwords, and credit card details. Email recipients are often deceived by phishing attempts since messages appear to be sent by legitimate and trustworthy sources.

Recent examples we’ve seen here or heard of elsewhere include:

  • Messages claiming to be from the university requiring urgent action
  • E-mails claiming to be from banks linking you to fake login portals
  • Claims that a friend or family member is in distress and needs cash urgently, commonly requesting a Western Union money transfer
  • Fake order verifications for electronic items, commonly claiming to be from Amazon.com or the Apple iStore, that direct you to log in to a fake vendor website to steal credentials

Use caution and treat any e-mail that seems to demand an urgent response with suspicion. Take a moment to look it over. It’s a good idea not to click links in e-mails – especially links to login pages. Instead, type the addresses of known sites into your web browser yourself (e.g. my.washburn.edu, amazon.com, citibank.com, etc.) if you need to verify something about your account.

Also, keep in mind that Washburn ITS staff will never ask for your password via e-mail.  Anyone contacting you and asking for your password should be treated with suspicion.

Feel free to contact ITS User Services at 670-3000 or support@washburn.edu if you have any questions about this topic or suspicious messages you have received.

You can also review this earlier ITS blog post to help you learn how to identify phishing messages:

http://blog.washburn.edu/technology/2012/10/02/cyber-security-awareness-anatomy-of-a-phish/

Wireless Network changes on August 1st

On Thursday, August 1st, ITS will be renaming 2 campus wireless networks. These changes will provide uniform naming and a seamless wireless experience as people move between the Washburn traditional campus, Washburn Institute of Technology campus, and the Washburn Tech Advanced Systems Training facility at Forbes. This change will coincide with our annual reset of device registrations for personal and visitor equipment, so personal devices will need to be re-registered on August 1st as well. The wireless networks will appear as follows:

  • WashburnGuest will replace the recently implemented WUGuest network that provides short-term access for visitors
  • Washburn will replace WUPublic.  This is an unrestricted network that faculty, staff and students should use for registering their personal devices.   It also supports visitors who will be here longer than 3 consecutive days.
  • WUPrivate - We have deferred any rename of WUPrivate for at least a year.  There will be no change at this time.  This is a secured network primarily used for Washburn-owned equipment.

Aside from the name changes, there will be no functional changes in how these wireless networks operate.

We are working with Washburn Institute of Technology to upgrade network infrastructure to be able to support these wireless networks.  They will not be available in all Washburn Tech facilities right away.  For the fall semester, these networks will be available in Building C, Building K, and at Forbes.  Other buildings and locations will be added over time.

If you have any questions, please contact ITS at support@washburn.edu or 670-3000.

Washburn WiFi updates and plans

ITS has a number of WiFi enhancements underway across our campuses and we continue to work on improving coverage and capacity on our wireless networks.  I thought I’d highlight what we’ve done over the last year and what we’re working on for the coming year.

We recently deployed the WUGuest wireless network, which provides visitors to our campus with WiFi service for up to 3 days without requiring any prior authorization on the part of ITS. WUPublic remains unchanged for longer term visitors, students, faculty, and staff. However, in order to reduce confusion between WUPublic and WUGuest, WUPublic will be renamed WUCampus as of August 1st, 2013.

You may also see ITS Networking staff wandering through rooms in your building this Summer and Fall with laptops and possibly other equipment.  We’ll be performing a whole-campus survey of wireless coverage so that we can more effectively identify and prioritize areas of poor coverage for improvement.

Work this summer and for the coming school year includes the following enhancements:

  • New equipment to provide wireless throughout Carnegie Hall (completed in the last week)
  • New equipment to provide wireless throughout Benton Hall (by start of fall semester 2013)
  • New wireless throughout much of Washburn Tech Building C as part of the Automotive Technology facility renovation (exact dates not finalized)
  • Wireless coverage enhancements at the Bradbury Thompson Center, most notably in the convocation room (by start of fall semester 2013)
  • Upgrade and enhancement of Mabee Library wireless to meet increasing demand (date not finalized)
  • New wireless equipment at the Lee Arena gates to support online ticketing and validation (recently completed)
  • New wireless equipment at the Stadium to support online ticketing and validation (by end of August)
  • New wireless equipment on Henderson 3rd floor in the Mass Media area (recently completed)

In the last year we’ve performed the following new installations and upgrades:

  • Last summer we upgraded WiFi in residential living areas so that we had newer technology equipment, more access points, and access points placed closer to where students live and use their computers, mobile devices, and other wireless technologies on a daily basis.
  • Reallocated old equipment from Residential Living to improve wireless throughout the Memorial Union and Stauffer Commons
  • Reallocated old equipment from Residential Living to improve wireless in Student Recreation and Wellness Center
  • Reallocated old equipment from Residential Living to meet greater demand in the Whiting 358A/B classroom
  • Reallocated old equipment from Residential Living to address problems in the basement of Stoffer
  • Installed new wireless in the Student Health Center in Morgan
  • Installed wireless for the Washburn Tech Advanced Systems Training facility at Forbes Field.

If you have questions, problems, or suggestions, feel free to contact us at support@washburn.edu. Please put “WiFi” or “wireless” in your subject line.

Kevin

Rapidly spreading virus/malware on Android

There has been a recent surge in compromises of Android devices by what appears to be drive-by malware (similar to a computer virus) that is infecting Android smartphones and tablets. Little or no user action is needed beyond simply clicking a link or visiting a compromised website, and there may be no clear indications that a device is compromised afterward. You need not fall for a scam or go to a site with a poor reputation to be a victim; some very high-profile sites and advertising services have been compromised recently to spread this malware.

This is a particularly sophisticated piece of software that in theory could similarly be used to exploit iOS, MacOS, Windows, and other devices, though at present it has only been confirmed on Android.

Prevention and Remediation:

Install antivirus software and scan your device

Since most information about this malware is still preliminary and incomplete, any precautions we recommend may not offer complete protection. Regardless, the best information at the present recommends the use of one of the following antivirus solutions – they are typically available free for personal use in the Google Play store (in alphabetical order, we’re not recommending any particular one of these solutions over another at this time):

• Avast! Mobile Security
• Lookout Mobile Security
• Sophos Security & Antivirus

The latest information at the time of this writing is that AVG and a number of other antivirus products do not yet have the ability to detect this malware, though we expect that to change soon.

In addition, go to Settings -> System Updates to check for any software updates for your device.

If an infection is found, we strongly urge you to change the passwords for any accounts that may be saved on the device. Other accounts using that same password may be compromised as well.

Background:

Since April 28th, a relatively small number of e-mail accounts have been compromised, but we were unable for quite some time to determine how those account credentials might have been exposed. In addition we’ve been consistently seeing one new compromised account every day or two. Compromised accounts are typically used to send a simple e-mail like the one below to between 40 and 50 recent contacts:

[Image: example of the spam e-mail sent from compromised accounts]

Washburn is not alone in seeing this. Washburn ITS staff have been working together with IT staff at other universities around the country who have been experiencing the same thing. Similar spam messages have been seen on commercial mail and chat services as well – Yahoo mail, Gmail, Hotmail/Outlook.com, Facebook, and Twitter to name a few.

While a full analysis of this malware is not yet available, we now know that the links in these messages were being used to direct people to fake diet-pill websites and that, along the way, Android devices were specifically targeted for compromise, infection, and exploitation.

We believe e-mail account credentials are being compromised as well if they have been saved in web browsers or applications on the compromised Android devices. There are also indications that if the same password is used on multiple accounts, other accounts using that same password may be compromised as well.
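As an added example (not part of the original post and not ITS's own tooling), the sending pattern described above can be turned into a mail-log check: flag any account that sends a short, link-only message to 40 or more distinct recipients within a few minutes. The record format, the 10-minute window, the 80-character text limit, and all addresses and links in the sample are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.I)
MIN_RECIPIENTS = 40              # lower bound of the 40-50 contacts named in the post
WINDOW = timedelta(minutes=10)   # assumption: the burst goes out within minutes
MAX_TEXT_CHARS = 80              # assumption: a "simple e-mail" has little text besides the link


def is_link_only(body):
    """True when the body is essentially one or more URLs plus a few words."""
    urls = URL_RE.findall(body)
    text = URL_RE.sub("", body).strip()
    return bool(urls) and len(text) <= MAX_TEXT_CHARS


def find_burst_senders(records):
    """records: iterable of (datetime, sender, recipient, body), one per delivery.

    Returns {sender: largest number of distinct recipients of link-only mail
    seen inside any WINDOW}, for senders that reach MIN_RECIPIENTS.
    """
    by_sender = defaultdict(list)
    for ts, sender, rcpt, body in records:
        if is_link_only(body):
            by_sender[sender].append((ts, rcpt.lower()))

    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            best = max(best, len({r for _, r in events[start:end + 1]}))
        if best >= MIN_RECIPIENTS:
            flagged[sender] = best
    return flagged


def sample_records():
    """Constructed sample data; every address, link and timestamp is made up."""
    t0 = datetime(2013, 5, 1, 9, 0, 0)
    recs = []
    # Compromised-account pattern: 45 contacts, same short link-only body, in ~90 seconds.
    for i in range(45):
        recs.append((t0 + timedelta(seconds=2 * i), "student1@example.edu",
                     f"contact{i}@example.com", "hi http://diet.example/abc"))
    # Legitimate newsletter: many recipients, but a long body around the link.
    newsletter = "Monthly department newsletter. " * 10 + "http://example.edu/news"
    for i in range(60):
        recs.append((t0 + timedelta(seconds=i), "news@example.edu",
                     f"member{i}@example.edu", newsletter))
    # Ordinary user: link-only mails to a handful of people, hours apart.
    for i in range(5):
        recs.append((t0 + timedelta(hours=i), "staff2@example.edu",
                     f"peer{i}@example.edu", "see http://example.edu/doc"))
    return recs


if __name__ == "__main__":
    print(find_burst_senders(sample_records()))
```

Accounts flagged this way are candidates for a forced password reset and a check of the devices where the credentials were saved.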

We’ll provide additional updates as they are available.

New Guest Wireless Network

On Tuesday, May 14th ITS will begin activating a new wireless network for guest users.  The wireless network will show up as WUGuest and will be open to anyone for Internet access without requiring special provisioning by ITS staff.

This guest network will have some important limitations and is intended to provide access to the most commonly used Internet services. Because of its open nature we have taken measures to limit misuse and abuse. If you are hosting guests who will need access that exceeds the limitations noted below, contact ITS at support@washburn.edu or at 785.670.3000.

  • Visitors will have to provide their name, e-mail address, and phone number and accept our terms of service in order to use the network. You can preview the sign-in page here: https://netreg.nix.washburn.edu/wuguest.shtml (note that this link will not work off-campus)
  • Visitors will be able to use WUGuest for up to 3 days at a time. After 3 days, they will be locked out of WUGuest for another 3 days before they can access the network again
  • Access to websites will have the same content restrictions that are in place at Washburn Institute of Technology. Because of K-12 students there, we are mandated to restrict access to certain types of content (e.g. pornography and other material considered harmful to minors), and we will extend that content filtering to this guest network
  • While we are not currently a member of Eduroam, we will be following Eduroam access standards as listed here: https://www.eduroam.us/node/69

The following services can be expected to work normally:

  • Standard web browsing (HTTP and HTTPS)
    • Web-based e-mail like Gmail, Outlook.com/Office365, Yahoo, and most corporate webmail clients
    • Basic video services like YouTube
    • Any publicly-accessible Washburn web services
  • Dropbox or similar file storage services that use web-only protocols
  • IMAP, POP3, and Secure SMTP for e-mail
  • VPN connections
  • Windows remote desktop
  • SSH connections

Due to restrictions on the guest network, the following services will not work in most cases:

  • Insecure SMTP for sending e-mail (port 25)
  • Network printing
  • Many chat programs
  • Most videoconferencing applications
  • Enhanced video services such as Netflix
  • Most peer-to-peer file sharing applications
  • Most multiplayer online games
  • Anything determined by the content filter to be potentially harmful to minors

We will still register visitors sponsored by faculty or staff for unrestricted Internet access on WUPublic on request.  Current faculty, staff, and students will still be able to register their own devices for unrestricted access on WUPublic as well.  Note also that WUPublic will be renamed WUCampus on August 1st.

We invite your feedback on this and other issues as we continue to work on improving services to campus.

Name change to WUPublic wireless August 1st

ITS will be renaming the WUPublic wireless network to WUCampus at the same time as our annual purge of wireless device registrations on August 1st.

We’re doing this to reduce confusion between the new WUGuest wireless network and WUPublic.

No other changes to that network are planned at this time, nor will we be making any changes to WUPrivate.

Savin Toner Sales Scam

We’ve received reports of people receiving calls from a company that identifies itself as “Interstate” trying to convince people that they need to order new toner for Savin printers through them. This is a repeat of a very old scam. What’s interesting in this case is that the callers seem to know a great deal about the equipment we have in place and departmental billing contacts on campus. This information may make them more convincing. We do not know the source of this information but we don’t believe it comes from any Washburn systems or databases.

Purchasing is aware of these scams and should prevent any purchase orders from being processed. We have no need to purchase toner for the Savin copiers; that is included in our maintenance contract. If you are contacted, please get as much information as you can from the caller and e-mail that information to support@washburn.edu.

It’s that time of year again – Time for Income Tax Scams

Every year at this time scammers come out of the woodwork with new scams and reused old ones designed to obtain tax information for identity theft and financial fraud purposes. Sometimes these scams are directed at individual taxpayers and at other times they are targeted at businesses and institutions like ours.

The IRS has already noted a number of scams this year targeting individual recipients by name. Targeted requests are often harder to identify as fraudulent. These often involve sending modified versions of legitimate IRS forms by fax or e-mail and requesting that the recipient fill them out and return them. These forms are modified so that the recipient provides all the personal and financial information the scammer needs to perpetrate their fraud.

A recent example can be seen below:

First the real form W-8BEN used for foreign persons to designate their non-US tax status:  http://www.irs.gov/pub/irs-pdf/fw8ben.pdf

Then the fake W-8BEN notice and form some people have been receiving:

[Image: fake W-8BEN notice and form]

Note in particular the use of a non-IRS e-mail address, the implied urgency: “return to us within 24 hours,” and the insistence on faxing the document rather than using US Mail.

Be especially cautious about any communication that claims to be from the IRS or your employer and that claims to urgently need personal or financial information for tax purposes.

If you receive anything that you believe to be a tax-related scam, you can report it to the IRS here: http://www.irs.gov/uac/Report-Phishing

The IRS also provides additional information to help protect yourself from “The Dirty Dozen Tax Scams:” http://www.irs.gov/uac/Don%E2%80%99t-Fall-Prey-to-the-2011-Dirty-Dozen-Tax-Scams

And a guide to “Tax Refund Scams:” http://www.irs.gov/uac/IRS-Urges-Taxpayers-to-Avoid-Becoming-Victims-of-Tax-Scams