Cyber-Security Awareness – I Think I’ve Fallen for a Scam!

The people out there trying to get your sensitive and confidential information can be very good at what they do.  The really capable ones know how to push our psychological buttons, and how to make their malicious communications or websites look very legitimate.  Sometimes they’ll even take advantage of perfectly legitimate but vulnerable websites.

So let’s say you’ve responded to a message requesting information, or entered your information in a website that now doesn’t seem quite right.  What can you do to protect yourself after the fact?

The first thing is, don’t panic.  Washburn students, faculty, and staff can contact ITS support at 785-670-3000 or support@washburn.edu for assistance.  We’ll be happy to help talk you through this and determine the next actions to take.

One thing to keep in mind is that you’re not the first person this has happened to, and there are a number of resources to help you recover; I’ll be covering some of those below.  Before your memory starts to get foggy, write down what might have been revealed – was it a password, Social Security Number, credit card number, bank account number, etc.?  Did you put in security question information like the name of your first pet, favorite teacher, etc.?  Try to remember and write down as much as you can about the incident now.

Reporting the Crime

Sometimes people feel like they don’t want to cause a fuss or are too embarrassed to report something like this as a crime.  Scams that get you to reveal sensitive personal or financial information are crimes, however, and reporting it will offer you substantial protections from fraudulent activity and help law enforcement crack down on the scammers.

Because Internet crimes routinely cross state or national boundaries, the standard place to report them is to the FBI.  The FBI jointly with the National White Collar Crime Center runs the Internet Crime Complaint Center (IC3).  This site makes it very easy to report the crime on-line and helps ensure that report is directed properly to other government agencies if applicable.  You can report Internet scams and other crimes here:

http://www.ic3.gov/complaint/default.aspx

Protecting Financial Information

Are you concerned that credit card, bank account, or other financial information might have been revealed?  Contacting your card provider, bank, credit union, etc. is a good place to start.  They can flag your account so it is watched more closely for suspicious activity and often will help you put a Fraud Alert on your credit reports.

Internet sites like eBay, Amazon.com, and others have websites and other resources dedicated to dealing with fraudulent activity on your account.  An easy way to find these is to enter the name of the website and keywords like “security” or “fraud” into your favorite search engine; the first hit, or one of the first, will usually get you to the right place.

Personal Information / Identity Theft

If personal information may have been revealed, particularly information like a Social Security Number, one of the best things you can do to protect yourself is to fill out the Identity Theft Victim’s Complaint and Affidavit available on the Federal Trade Commission website:

http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf

If you choose to file a report with law enforcement, this standardized form will help them respond more effectively to your complaint and can serve as evidence against future fraudulent charges.  Even if you do not file a report with law enforcement, this form is still accepted by many companies and provides you with a degree of protection against misuse of your personal information.

The FTC website has a great deal of additional information about how to protect yourself depending on the specifics of your situation.  Check the link below for more:

http://www.ftc.gov/bcp/edu/microsites/idtheft/

Reset Passwords

If you have inadvertently revealed a password, immediately come up with a new password, write it down and store it in a secure location in case you forget it, and go through the change password process at every website or other resource where the compromised password is used.  If you use the same password on multiple websites, change that password on all sites where it is used.  It’s a good idea to write down a list of those sites first so you can check them off as you go; that makes it easier to ensure you’ve taken care of all of them.

Cleaning Your Computer

If you follow a suspicious link or open a questionable file, you may be concerned your computer has been compromised.  Hopefully you’ve been keeping up to date on security updates and patches for your operating system and hardware and have up-to-date antivirus software.  These actions will do a great deal to protect you from multiple on-line threats.  If you haven’t been keeping up on these, that should be a goal for the future once you are sure your computer is clean again.

Windows

Malwarebytes Anti-Malware Free (http://www.malwarebytes.org/products/malwarebytes_free/) is an excellent tool for eliminating many types of viruses, trojans, and other malicious software.  It is free for home users and is good for getting your system cleaned up.

Spybot Search and Destroy (http://www.safer-networking.org/) is another excellent anti-malware product that is free for personal use.  It has been around a long time and targets not just malicious software but ad-ware too.

Windows Defender (http://www.microsoft.com/en-us/download/details.aspx?id=17) is a free product from Microsoft.  It’s not typically as aggressive as the previously mentioned anti-malware software, but it has been effective at getting rid of some particularly hard to eradicate malware.

With all anti-malware software, it’s a good idea to run it multiple times until the reports come up clean.  Sometimes one run will clean up one piece of software that is hiding another, and the second one will only be picked up on a later run.

No product can get rid of all malicious software in all cases; for some infections the only effective way to recover is to reinstall Windows from scratch.  For anything short of that, these products can typically take care of it.  Nor do these programs eliminate the need to keep your system and software updated, but they can be a good way to get it cleaned up so that you can keep it updated down the road.

Anti-virus software is different from anti-malware on Windows.  Antivirus can help protect you from getting infected, but it is not always as effective at cleaning up an existing infection as dedicated anti-malware software.

There are a number of free Windows anti-virus applications for personal use.  You need not pay a substantial amount of money for effective protection:

Microsoft Security Essentials is freely available from Microsoft.  It is remarkably good, relatively unintrusive and has little to no impact on system performance.  It is free for personal use or for small businesses up to 10 systems.

http://windows.microsoft.com/en-US/windows/products/security-essentials

AVG Free is another highly effective free for personal use antivirus product for Windows.  You can download it here:

http://free.avg.com/us-en/homepage

Avast! is a popular option for many Windows users as well:

http://www.avast.com/free-antivirus-download

Mac OS

Many people think that Macs don’t get viruses or other malware, and to a large degree that was true.  The Flashback Trojan that started hitting Mac OS systems about a year ago changed all that, however.  There is still less malware targeted at Macs, but what does target Macs is particularly nasty.  As on Windows, some of the worst may be impossible to effectively remove without a reinstall of the operating system from scratch.

Sophos has released free Mac Antivirus software for personal use that is good at both protecting and cleaning Mac OS systems and works with Mac OS up to version 10.8.  It can be downloaded here:

http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

ClamAV has a free Mac Antivirus as well.  Be aware that if you want continuous protection, you’ll need to download the version from the website.  The version in the App Store only does on-demand scans.

http://www.clamxav.com/download.php

Avast also has a free for personal use antivirus application, that can be downloaded here:

http://www.avast.com/free-antivirus-download

Keep in mind you should only install one antivirus application; installing multiple antivirus programs will impair performance significantly.

Mobile Devices

Currently mobile devices aren’t a big target for malware.  There has been some malicious software developed but it generally hasn’t seen widespread distribution.  Nonetheless that can be expected to change.

Apple’s iOS (iPhone, iPad, iPod), unfortunately, does not offer any sort of antivirus or anti-malware software.  Apple has in fact actively kept Antivirus software out of their App Store.  They’re largely relying on the effectiveness of their screening mechanisms for App Store apps and limits of user rights on the system to keep malware out.  Time will tell if that is an effective strategy, however.  In the meantime, the only real option to clean an iOS device is to reset it to factory defaults.

Android has several antivirus applications available; both Avast! and Lookout Security have free versions available in the Google Play store and are well reputed.  Like Apple, Google screens software on its Google Play store and has users run with limited rights on the system, both of which reduce the opportunities for malicious software in most cases.

Cyber-Security Awareness – Anatomy of a Phish

The term “Phishing” refers to communications that, like regular fishing, use a type of “bait” to compel the reader to “bite” in a way that ends up revealing sensitive or privileged information or that allows their system to be compromised.

These are one of the most common types of e-mail scams out there at present.  Below I’ve taken a couple of Phishing e-mails that have been brought to my attention lately to point out the sorts of things that should make you pause and consider if a message that seems legitimate at first glance is in fact malicious.

The first one is designed to make it look like someone has hacked your Amazon.com account and ordered a High-Definition TV to some out-of-state address.  The fake order is just the bait, however.  It never existed, and the account was never compromised.  Instead, it’s supposed to make you want to react urgently to stop it, and the quickest apparent way to do so is to click a link in the e-mail to the Amazon website.

The indicators are subtle; I’ve pointed out the sort of things to look for below.

Even so, e-mail content is easily forged.  To be safe, don’t click links in e-mails; instead, type the address into the web browser or go to the company site yourself.  I didn’t follow the links in this e-mail, but they likely went to one of two types of sites:

1) A fake Amazon.com login page to capture your username and password

2) A web page with software designed to compromise your computer and give unrestricted access to your system and data to the person in control of that malicious website

Fake Amazon.com order e-mail, designed to compel the reader to click links to a malicious websites

Below is another example, this one is a bit more subtle.  The e-mail below didn’t trigger the [POSSIBLE SPAM] tag from our spam firewall.  One of the challenges is that with the money that can be made from these scams, they’re often under the control of sophisticated criminal enterprises.  These criminals can purchase the same tools we use to protect ourselves to test their malicious messages before sending them out.  When that’s the case, it’s a matter of how fast information about e-mails like this makes it to the vendors of the security systems and how quickly they can program a signature to detect this message, but not block something similar that is in fact legitimate.  They really do a pretty good job all things considered, but it’s a fundamentally hard problem and higher education in particular is a big target.

Like the previous e-mail, this one shares the following indicators:

  • “From:” address does not match the purported company sending the e-mail
  • Web links in the e-mail (hover, don’t click!) don’t go to websites one would associate with the purported company.  These can’t be viewed in the graphics below, as I didn’t want to actually provide a link to a malicious website – but you can do this in any e-mail with a link in it for practice.
  • All web links in the e-mail go to the same site, even if they seem to direct you to different areas or even different companies
  • Once again, it’s designed to prompt an urgent, unthinking response, that response being to click one of the malicious links
  • Ship-To address is wrong

E-mail claiming to be from Intuit, designed to compel the reader to click malicious links in the message

We can expect these messages to continue to be refined to make it even harder to tell what is and is not legitimate.  For example, the From address can be forged, errors in the e-mail content like the delivery address lines can be corrected, or a mix of legitimate and malicious web links can be used.

So how can we reliably tell if an e-mail is legitimate?  Frankly, there is no easy answer.  The best bet is to remain skeptical of any e-mails you receive and weren’t expecting and most of all don’t click web links in e-mail.  Typing them into a web browser yourself is much safer.

Links to malicious websites that don’t match the purported sender are likely to remain an indicator, although if someone were able to register a DNS name something like wwwamazon.com (note the dot after www is missing) and point it to the malicious site, it could be harder to tell.

An implied sense of urgency is also likely to remain; they really don’t want you taking the time to think about these messages.  The more you think about it, the more likely you are to get suspicious and not take the bait.
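Scripting the indicators listed above, as an added example that is not part of this post: a Python check that reads a constructed sample message (placeholder domains ending in .example, not a real phish) and reports which of the post’s indicators fire, including the lookalike-domain case just mentioned.  The brand domain, the sample text and the urgency word list are all assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real phish) in the shape of the fake Amazon
# order e-mail described in the post: an urgent story, a From: address
# outside the brand's domain, and every link pointing at one lookalike host.
# All domains here are placeholders ending in .example.
SAMPLE_EMAIL = """\
From: Amazon Orders <orders@mail-notice.example>
To: student@example.edu
Subject: Your order of 1 Samsung 55in HDTV has shipped
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order has shipped to 123 Elm St, Anytown, NV. If you did not
place this order, act immediately to cancel it.</p>
<a href="http://wwwamazon.example/orders">View order</a>
<a href="http://wwwamazon.example/account">Your Account</a>
<a href="http://wwwamazon.example/help">Help</a>
</body></html>
"""

URGENCY_WORDS = ("immediately", "urgent", "act now", "within 24 hours", "suspended")

def registrable(host):
    """Crude last-two-labels domain; enough for these checks, not for all TLDs."""
    return ".".join(host.lower().split(".")[-2:])

def phish_indicators(raw, brand_domain):
    """Return the post's indicators that fire on the raw message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    # Indicator 1: From: address does not match the purported company.
    from_addr = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    from_dom = from_addr.rpartition("@")[2].lower()
    if registrable(from_dom) != brand_domain:
        found.append(f"From domain {from_dom!r} is not {brand_domain}")
    # Indicator 2: links go to sites one would not associate with the company.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', body)]
    bad = sorted({h for h in hosts if registrable(h) != brand_domain})
    if bad:
        found.append(f"links to hosts outside {brand_domain}: {bad}")
    # Lookalike such as wwwamazon.com: brand name present but domain differs.
    label = brand_domain.split(".")[0]
    look = [h for h in bad if label in h.replace(".", "")]
    if look:
        found.append(f"lookalike host(s) containing {label!r}: {look}")
    # Indicator 3: every link goes to the same site.
    if len(hosts) > 1 and len(set(hosts)) == 1:
        found.append(f"all {len(hosts)} links go to the same host {hosts[0]!r}")
    # Indicator 4: wording designed to prompt an urgent, unthinking response.
    urgent = [w for w in URGENCY_WORDS if w in body.lower()]
    if urgent:
        found.append(f"urgency wording: {urgent}")
    return found
```

Run it with phish_indicators(SAMPLE_EMAIL, "amazon.com") and every one of the post’s indicators is reported; a message from the brand’s own domain whose links stay on that domain reports none.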

If you are a Washburn student, faculty, or staff member and receive something you aren’t sure of, don’t hesitate to call Washburn ITS at 785-670-3000 or support@washburn.edu.  We can help determine if the e-mail is likely to be malicious and can report compromised e-mail accounts and websites used in those messages to the proper authorities to get them taken off-line and cleaned up.

If you think you may have fallen for one of these, don’t panic!  Again, call ITS and we’ll help take corrective action to limit any damage.

I’ll address what else to do if you think your system or your information have been compromised in a later post.

Cyber-Security Awareness – Social Media Tips

Do you use Facebook, Twitter, Google+, Pinterest, Instagram, or other social media sites?  What about internationally-focused social media sites such as Orkut, QQ, and Badoo?  You or those you socialize with on these sites will be a target of a scammer sooner or later.

Many of the most effective scams are targeted to you personally using the information publicly available on your profile.  Typically you will get an unsolicited communication that matches your published interests or that grabs your attention by claiming some sort of emergency or a need for immediate action.

That scammer wants to make you click that link before you have a chance to think and be skeptical.

Be very cautious when you get any of the following:

  • A message from someone, particularly a close friend or relative saying they’ve been robbed, they’re being held by foreign authorities, or otherwise have an immediate need for money to be wired to them.  This is particularly common when that individual is known to be out of the country.
  • A message that you have won something, particularly when it says you have to act immediately to claim your prize
  • A friend request from someone you’ve never seen before, especially some stranger with the looks of a model or someone who may have the same interests as you have posted
  • A message about an account cancellation
  • A message about a charge you didn’t authorize
  • Anything that looks like humorous content but that requires you to click a link to see it
  • Any request to install an app to get at desirable content

In many cases these are difficult to tell from legitimate messages, so you need to take a moment and think:

  • Does this make sense?
  • Do I know this person and did I expect something like this from them?
  • Is this totally out of character for my friend – could their account have been hacked?
  • If it’s too good to be true, it probably is.

Remember, social media can place no obligations on you; you don’t have to respond to every message, friend request, alert, or notice.  You can always take the time you need to sort things out before making a snap decision to click that “Accept” button or that web link.

I’ll have additional postings over the course of this month, including what to do when you think you may have fallen for a scam or clicked that link that didn’t seem quite right.  I’ll also detail certain specific threats and scams to help you be more informed about them in the future.

In the meantime you may want to review these sites of interest on this topic:

11 Tips for Social Media Safety

http://www.microsoft.com/security/online-privacy/social-networking.aspx

Scams and Social Media

http://www.educause.edu/blogs/lspitzner/security-awareness-social-media

15 Social Media Scams

http://www.networkworld.com/slideshow/53106

Washburn will NEVER ask for your password in e-mail

Just a quick security reminder as we all start a new semester:

  • Washburn staff will NEVER ask for your password in an e-mail.
  • No other organization you do business with should ever ask you for your password via e-mail either.
  • Never send anyone your password via e-mail.

While our security filters successfully block most e-mails of this type, some will inevitably get through.  Malicious e-mails may look very official and may threaten significant consequences; these are just attempts to scare you into revealing privileged information.  When you receive messages like this, you can forward them to reportspam@washburn.edu.  This will put them in our system for automatic review and action.

If you ever have a question about the legitimacy of an e-mail, you can call User Services at 670-3000 or e-mail support@washburn.edu.  We’ll be happy to help.

New WiFi in Residential Living

Washburn Information Technology Services is completing the installation of new wireless equipment in Residential Living facilities to better meet the needs and expectations of our students living on campus.  We expect this will provide substantially better service than our old system as we see more students, more equipment, and a wider variety of devices communicate on our campus wireless network.

The new wireless system replaces an older system that was designed around centralized, high-power equipment.  The new equipment is smaller, faster, and operates at lower power levels to reduce interference and work better with newer mobile devices.

We are installing many more access points (113 APs with the new system vs. 24 with the old) and are placing them closer to where the students live – in every suite in Kuehne, West, and Washburn Village and in student living spaces in the LLC.  This allows us to improve placement of equipment to ensure good service and will substantially increase the total number of client devices we can support.

The new system is designed to optimize the sharing of available bandwidth while providing a high level of overall throughput in order to support, among other things, high-definition internet video and other anticipated bandwidth-intensive technologies in the future.

We are very excited about the improvements this will bring and look forward to expanded use of this system as demand grows elsewhere on campus as well.

Additionally, we won’t be abandoning the older equipment we are removing from Residential Living. We will instead be reallocating it to areas where the design of that equipment can provide service more optimally. All of the equipment we remove from Residential Living will go to providing service for the direct benefit of our students elsewhere on campus.