Direct deposit information targeted in online theft schemes

The Department of Homeland Security (DHS) and the National Cybersecurity and Communications Integration Center (NCCIC) have recently posted an alert to higher education institutions to be on the lookout for attempts to steal user credentials with the intention of altering direct deposit information.

Washburn does not provide a self-service interface for payroll direct deposit, the primary target of these scams so far.  However, student refunds do have a self-service direct deposit interface and may be at risk if your MyWashburn credentials are compromised.

Typically, credentials are being compromised by targeted phishing e-mails. These either direct you to provide your username and password in an e-mailed reply or direct you to a fake MyWashburn web page linked in the e-mail.

Washburn will never ask you to provide your username and password in an e-mail; any requests to do so should be considered fraudulent and reported to support@washburn.edu.  If you receive an e-mail directing you to a link to the MyWashburn web page, do not click that link. Instead, manually type my.washburn.edu into your web browser.

If your direct deposit information is changed, you will receive a confirmation e-mail like the one below.  If you receive such a message but have not made the change yourself, contact the business office at 785.670.1156 immediately.

This is an automated message to inform you that your refund account has been changed.  If you did not authorize this change, please contact the business office. 
 
========== NEW PAYMENT METHOD DETAILS ==========
Payment Method Name — [ MyVisa ]
Account Number — [ xxxxxxxxx ]
================================================
 
Complete information about your student account is available in WU-View (formerly IBOD), which can be accessed through the Financial Services Tab on MyWashburn. Information on tuition and fees, as well as Business Office deadlines and policies is available on the Business Office website: www.washburn.edu/business-office.

Fake honor society and other scam and phishing e-mails

It’s a new school year, and as usual the scammers are coming out in full force to try to find ways to take advantage of students.

This year we’re seeing a lot of a couple of different types of scams.  One of the more successful ones over the past year has been bogus honor societies, whose invitations have been hitting inboxes at universities nationwide.

The Association of College Honor Societies, the only accrediting body for honor societies nationwide, has warnings listed for the claimed organizations below.  These organizations notably lack transparency, bylaws, university chapters, and ultimately any scholastic benefit for students:

  • HonorSociety.org
  • Phi Sigma Theta
  • National Society of Leadership & Success / Sigma Alpha Phi
  • Bloomsbury Honor Society
  • Honors Society (with no more specific name)

More information can be found here:
http://www.achsnatl.org/informational_alert.asp#hsorg

Additionally we’ve been seeing a lot of messages that at first glance may appear very legitimate:

  • Offers of $2,500 cash scholarships
  • Offers of $100 reward cards for amazon.com, jcpenney.com, Best Buy, WalMart, and other retailers
  • Notifications about (non-existent) background checks performed against you
  • Information about miracle cures, skin treatments, etc.
  • Notifications about non-existent overdrafts or overcharges
  • Notifications claiming to be from Washburn ITS or other Washburn departments

These have been successful at getting through spam and malicious content filters nationwide.  The details of these messages vary: some take you to sites that host malicious software, some present fake login pages to try to get you to enter your username and password for retailer websites, some try to get you to enter credit card information, and some try to get you to provide your e-mail account credentials to them.

Instead of hitting large numbers of inboxes with the same message, the messages often vary slightly from person to person and are usually only sent to a small number of people at a time to avoid triggering automatic responses to mass e-mails.

  • Be wary of any message that wants you to take urgent action; scammers often want you to act before you can think about the message
  • Check the FROM: e-mail address and any reply e-mail addresses in the message. These will often be different, sometimes subtly, sometimes radically, from what the organization the message claims to be from actually uses
  • Never respond to an e-mail that instructs you to send your username and password.  Washburn ITS and other legitimate websites will never ask you to do so
  • Don’t respond to e-mails requesting personal information
  • Don’t click the links in e-mails. If one claims to be directing you to Amazon.com or Washburn.edu, enter that website in your web browser yourself.  Scammers often make the links look similar to real ones, though close examination may reveal minor variations
  • If something is too good to be true, it probably is.  Feel free to contact Washburn ITS if you have a question about such a message.  You may contact us at 785.670.3000, support@washburn.edu, or by coming by the support window in Bennett 104
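The checks in the list above can also be applied mechanically when triaging a reported message. The following is an added example, not code from Washburn ITS: it parses a constructed sample e-mail and flags a FROM: domain that is not the expected one, a differing reply address, a link whose visible text shows a trusted site while the target host is something else, a request for credentials, and urgency wording. The trusted-domain set, the finding names, and every address and URL in the sample are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"washburn.edu"}  # domains the recipient expects (assumption for this example)

# Constructed sample message; addresses and URLs are made up for illustration.
SAMPLE = '''\
From: "Washburn ITS" <support@washburn.edu.example.net>
Reply-To: helpdesk@example.org
Subject: URGENT: mailbox will be closed today
Content-Type: text/html; charset="utf-8"

<p>Reply with your username and password, or sign in at
<a href="http://my-washburn.example.net/login">my.washburn.edu</a> immediately.</p>
'''

def domain_of(header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def is_trusted(host):
    """True only for a trusted domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(raw):
    """Return a list of (finding, detail) tuples for one raw e-mail."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if not is_trusted(from_dom):
        findings.append(("from-untrusted", from_dom))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", reply_dom))
    # Gather every text part so multipart messages are covered too.
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)  # domain-like visible text
        if shown and is_trusted(shown.group(0)) and not is_trusted(host):
            findings.append(("link-mismatch", f"{shown.group(0)} -> {host}"))
    if re.search(r"\bpassword\b", body, re.I):
        findings.append(("asks-credentials", "body mentions password"))
    if re.search(r"\b(urgent|immediately)\b", f"{msg['Subject']} {body}", re.I):
        findings.append(("urgency", "pressure wording"))
    return findings

if __name__ == "__main__":
    for finding, detail in check_message(SAMPLE):
        print(f"{finding}: {detail}")
```

Note that `washburn.edu.example.net` is rejected because the trusted name must be the end of the host, not merely appear inside it.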

More information about identifying and dealing with such messages can be found at the links below:

http://www.onguardonline.gov/phishing
http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
http://www.fbi.gov/scams-safety/e-scams

 

 

New semester, new scams

We’ve investigated a couple of aggressive new scams already this spring, and given that we’re going into tax season – a favorite time of year for scammers – we’re bound to see many more.  I wanted to provide some information on what seems to be popular this year.

E-mails and calls where the person at the other end seems to already have a lot of personal information about you are increasingly common.  The Target breach in December was a particularly high profile event where personal information of some 70 million customers was compromised, though it’s consistent with malicious hackers increasingly targeting personal information more broadly.

Phone scams

A Washburn student has already reported a fake tech-support call where the caller knew her personal cell phone number and e-mail address and addressed her by name when she answered the phone.  The caller claimed to be from “Premier Technical Support” and repeatedly told her that her Washburn.edu e-mail was compromised (it wasn’t) and that she needed to get on her computer so they could remotely connect and fix it.  Fortunately she didn’t do so and instead did the right thing and called ITS User Services at 785.670.3000 to inquire about this.   The scammers called back repeatedly to try to get her to give them access to her computer.  That’s unusually aggressive for such scams and we are working with Washburn Police on that case.

In most cases, such scams block caller ID. However, if you get one of these calls where the phone number is available, the Washburn Police Department is interested in collecting that information.  You can contact WUPD at 785.670.1153.

Similar fake tech support calls are increasingly common and regularly feature callers claiming to be from Microsoft and other well-known companies.

http://www.computerworld.com/s/article/9244207/Fake_Windows_tech_support_calls_continue_to_plague_consumers

http://www.thechipmerchant.com/it-blog/security-alerts/bogus-tech-support-phone-calls/

The IRS reports there are scam calls where the caller ID is forged and appears to be coming from the IRS.  Additionally, the caller may have significant personal information, including the last 4 digits of your Social Security Number.

http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam

These sorts of calls can be particularly disconcerting and/or convincing.  The FTC has advice and a means to report such scams if you’ve been taken advantage of at the link below:

http://www.consumer.ftc.gov/articles/0346-tech-support-scams#If_You_Get_a_Call

 

E-mail Scams

We’ve also had a staff member report getting a suspicious e-mail from a company they had an existing working relationship with.  This company’s e-mail had been compromised and the hackers were sending realistic-looking e-mails to their customers with links purportedly to important files shared via Google Docs.  Instead the link was being used to harvest the user’s Gmail address and password as well as attempt to compromise their computer.

I’ve also previously posted about dangerous new malware delivered via e-mail called CryptoLocker.  This software encrypts your important data and holds it for ransom:

http://blog.washburn.edu/technology/2013/11/06/crytpolocker-trojan-warning/

If you have questions or concerns regarding suspicious e-mails or calls, feel free to contact ITS at 785.670.3000 or support@washburn.edu.  We’ll be happy to work with you.

CryptoLocker Trojan Warning

Many businesses and even State of Kansas Agencies have been targeted by a new form of ransomware – software that takes away access to your files and demands payment to return access.  This software has been spread mostly by very official-looking and targeted e-mails.  These e-mails may be very difficult to differentiate from real e-mails.  An example message is below:

From: John Doe
Sent: Tuesday, October 15, 2013 10:34 AM
To: Jane Doe
Subject: Annual Form – Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached). The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file. Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Opening the attached file in the e-mail immediately starts a process that encrypts important files – Word, Excel, PowerPoint, photos, music, video, and many other commonly used file types.  The encryption used is effectively unbreakable. Once files are encrypted, ITS staff cannot restore access to them except from backups.

Contact ITS staff at 785-670-3000 immediately if you receive any messages you think may be malicious and do not open e-mail attachments unless they are expected and from trusted individuals.

For more information on CryptoLocker, see these links:

http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

http://www.kake.com/home/headlines/CryptoLocker-Virus-Strikes-Pratt-Police-Department-230602031.html

 

Watch out for Phishing E-mails

Phishing is a fraudulent process used by spammers to acquire sensitive information from users such as usernames, passwords, and credit card details. Email recipients are often deceived by phishing attempts since messages appear to be sent by legitimate and trustworthy sources.

Recent examples we’ve seen here or heard of elsewhere include:

  • Messages claiming to be from the university requiring urgent action
  • E-mails claiming to be from banks linking you to fake login portals
  • Claims that a friend or family member is in distress and needs cash urgently, commonly requesting a Western Union money transfer
  • Fake order verifications for electronic items, commonly claiming to be from Amazon.com or the Apple iStore, that direct you to log in to a fake vendor website to steal credentials

Use caution and treat any e-mail that seems to demand an urgent response with suspicion.  Take a moment to look it over.  It’s a good idea not to click links in e-mails – especially links to login pages.  Rather, type in known sites in your web browser yourself (e.g. my.washburn.edu, amazon.com, citibank.com, etc.) if you need to verify something about your account.

Also, keep in mind that Washburn ITS staff will never ask for your password via e-mail.  Anyone contacting you and asking for your password should be treated with suspicion.

Feel free to contact ITS User Service at 670-3000 or support@washburn.edu if you have any questions about this topic or suspicious messages you have received.

You can also review this earlier ITS blog post to help you learn how to identify phishing messages:

http://blog.washburn.edu/technology/2012/10/02/cyber-security-awareness-anatomy-of-a-phish/

Wireless Network changes on August 1st

On Thursday, August 1st, ITS will be renaming 2 campus wireless networks.  These changes will provide uniform naming and a seamless wireless experience as people move between the Washburn traditional campus, Washburn Institute of Technology campus, and the Washburn Tech Advanced Systems Training facility at Forbes.  This change will coincide with our annual reset of device registrations for personal and visitor equipment, so personal devices will need to be re-registered on August 1st as well.  The wireless networks will appear as follows:

  • WashburnGuest will replace the recently implemented WUGuest network that provides short-term access for visitors
  • Washburn will replace WUPublic.  This is an unrestricted network that faculty, staff and students should use for registering their personal devices.   It also supports visitors who will be here longer than 3 consecutive days.
  • WUPrivate - We have deferred any rename of WUPrivate for at least a year.  There will be no change at this time.  This is a secured network primarily used for Washburn-owned equipment.

Aside from the name changes, there will be no functional changes in how these wireless networks operate.

We are working with Washburn Institute of Technology to upgrade network infrastructure to be able to support these wireless networks.  They will not be available in all Washburn Tech facilities right away.  For the fall semester, these networks will be available in Building C, Building K, and at Forbes.  Other buildings and locations will be added over time.

If you have any questions, please contact ITS at support@washburn.edu or 670-3000.

Washburn WiFi updates and plans

ITS has a number of WiFi enhancements underway across our campuses and we continue to work on improving coverage and capacity on our wireless networks.  I thought I’d highlight what we’ve done over the last year and what we’re working on for the coming year.

We recently deployed the WUGuest wireless network providing visitors to our campus WiFi service for up to 3 days without requiring any prior authorization on the part of ITS.  WUPublic remains unchanged for longer term visitors, students, faculty, and staff.  However, in order to reduce confusion between WUPublic and WUGuest, WUPublic will be renamed WUCampus as of August 1st, 2013.

You may also see ITS Networking staff wandering through rooms in your building this Summer and Fall with laptops and possibly other equipment.  We’ll be performing a whole-campus survey of wireless coverage so that we can more effectively identify and prioritize areas of poor coverage for improvement.

Work this summer and for the coming school year includes the following enhancements:

  • New equipment to provide wireless throughout Carnegie Hall (completed in the last week)
  • New equipment to provide wireless throughout Benton Hall (by start of fall semester 2013)
  • New wireless throughout much of Washburn Tech Building C as part of the Automotive Technology facility renovation (exact dates not finalized)
  • Wireless coverage enhancements at the Bradbury Thompson Center, most notably in the convocation room (by start of fall semester 2013)
  • Upgrade and enhancement of Mabee Library wireless to meet increasing demand (date not finalized)
  • New wireless equipment at the Lee Arena gates to support online ticketing and validation (recently completed)
  • New wireless equipment at the Stadium to support online ticketing and validation (by end of August)
  • New wireless equipment on Henderson 3rd floor in the Mass Media area (recently completed)

In the last year we’ve performed the following new installations and upgrades:

  • Last summer we upgraded WiFi in residential living areas so that we had newer technology equipment, more access points, and access points placed closer to where students live and use their computers, mobile devices, and other wireless technologies on a daily basis.
  • Reallocated old equipment from Residential Living to improve wireless throughout the Memorial Union and Stauffer Commons
  • Reallocated old equipment from Residential Living to improve wireless in Student Recreation and Wellness Center
  • Reallocated old equipment from Residential Living to meet greater demand in the Whiting 358A/B classroom
  • Reallocated old equipment from Residential Living to address problems in the basement of Stoffer
  • Installed new wireless in the Student Health Center in Morgan
  • Installed wireless for the Washburn Tech Advanced Systems Training facility at Forbes Field.

If you have questions, problems, or suggestions, feel free to contact us at support@washburn.edu. Please put “WiFi” or “wireless” in your subject line.

Kevin

Rapidly spreading virus/malware on Android

There has been a recent surge in compromises of Android devices by what appears to be drive-by malware (similar to a computer virus) that is infecting Android smartphones and tablets. Little or no user action is needed beyond simply clicking a link or visiting a compromised website, and there may be no clear indications that a device is compromised afterward. You need not fall for a scam or go to a site with a poor reputation to be a victim: some very high profile sites and advertising services have been compromised recently to spread this malware.

This is a particularly sophisticated piece of software that in theory could similarly be used to exploit iOS, MacOS, Windows, and other devices though at present it has only been confirmed on Android.

Prevention and Remediation:

Install antivirus software and scan your device

Since most information about this malware is still preliminary and incomplete, any precautions we recommend may not offer complete protection. Regardless, the best information at the present recommends the use of one of the following antivirus solutions – they are typically available free for personal use in the Google Play store (in alphabetical order, we’re not recommending any particular one of these solutions over another at this time):

• Avast! Mobile Security
• Lookout Mobile Security
• Sophos Security & Antivirus

The latest information at the time of this writing is that AVG and a number of other antivirus products do not yet have the ability to detect this malware, though we expect that to change soon.

In addition, go to Settings -> System Updates to check for any software updates for your device.

If an infection is found, we strongly urge you to change the passwords for any accounts that may be saved on the device. Other accounts using that same password may be compromised as well.

Background:

Since April 28th, a relatively small number of e-mail accounts have been compromised, but we were unable for quite some time to determine how those account credentials might have been exposed. In addition we’ve been consistently seeing one new compromised account every day or two. Compromised accounts are typically used to send a simple e-mail like the one below to between 40 and 50 recent contacts:

[Image: androidspam]

Washburn is not alone in seeing this. Washburn ITS staff have been working together with IT staff at other universities around the country who have been experiencing the same thing. Similar spam messages have been seen on commercial mail and chat services as well – Yahoo mail, Gmail, Hotmail/Outlook.com, Facebook, and Twitter to name a few.

While a full analysis of this malware is not yet available, we now know that these links were being used both to direct people to fake diet-pill websites and along the way Android devices were specifically targeted for compromise, infection, and exploitation.

We believe e-mail account credentials are being compromised as well if they have been saved in web browsers or applications on the compromised Android devices. There are also indications that if the same password is used on multiple accounts, other accounts using that same password may be compromised as well.

We’ll provide additional updates as they are available.

New Guest Wireless Network

On Tuesday, May 14th ITS will begin activating a new wireless network for guest users.  The wireless network will show up as WUGuest and will be open to anyone for Internet access without requiring special provisioning by ITS staff.

This guest network will have some important limitations and is intended to provide access to the most commonly used Internet services.  Because of its open nature we have taken measures to limit misuse and abuse.  If you are hosting guests who will need access that exceeds the limitations noted below, contact ITS at support@washburn.edu or at 785.670.3000.

  • Visitors will have to provide their name, e-mail address, and phone number and accept our terms of service in order to use the network.  You can preview the sign-in page here:  https://netreg.nix.washburn.edu/wuguest.shtml (note that this link will not work off-campus)
  • Visitors will be able to use WUGuest for up to 3 days at a time. After 3 days they will be locked out of WUGuest for another 3 days before they can access the network again
  • Access to websites will have the same content restrictions in place at Washburn Institute of Technology.  Because of K-12 students there, we are mandated to restrict access to certain types of content (e.g. pornography and other material considered harmful to minors), and we will extend that content filtering to this guest network
  • While we are not currently a member of Eduroam, we will be following Eduroam access standards as listed here: https://www.eduroam.us/node/69

The following services can be expected to work normally:

  • Standard web browsing (HTTP and HTTPS)
    • Web-based e-mail like Gmail, Outlook.com/Office365, Yahoo, and most corporate webmail clients
    • Basic video services like YouTube
    • Any publicly-accessible Washburn web services
  • Dropbox or similar file storage services that use web-only protocols
  • IMAP, POP3, and Secure SMTP for e-mail
  • VPN connections
  • Windows remote desktop
  • SSH connections

Due to restrictions on the guest network, the following services will not work in most cases:

  • Insecure SMTP for sending e-mail (port 25)
  • Network printing
  • Many chat programs
  • Most videoconferencing applications
  • Enhanced video services such as Netflix
  • Most peer-to-peer file sharing applications
  • Most multiplayer online games
  • Anything determined by the content filter to be potentially harmful to minors

We will still register visitors sponsored by faculty or staff for unrestricted Internet access on WUPublic on request.  Current faculty, staff, and students will still be able to register their own devices for unrestricted access on WUPublic as well.  Note also that WUPublic will be renamed WUCampus on August 1st.

We invite your feedback on this and other issues as we continue to work on improving services to campus.

Name change to WUPublic wireless August 1st

ITS will be renaming the WUPublic wireless network to WUCampus at the same time as our annual purge of wireless device registrations on August 1st.

We’re doing this to reduce confusion between the new WUGuest wireless network and WUPublic.

No other changes to that network are planned at this time, nor will we be making any changes to WUPrivate.