Well-constructed MyWashburn phishing e-mail

Overnight a number of people received a well-constructed phishing e-mail that linked to an exact replica of MyWashburn (http://my.washburn.edu).  It would have looked something like the screenshot below.  If you clicked this link and entered your username and password on the following page, please contact support@washburn.edu so we can take actions to remediate the issue.


In order to discern this as phishing, there are a few indicators:

1) The FROM address is not a washburn.edu account:

2) If you hover your cursor over the link, you can see it does not go to a Washburn website:


3) The website that link directs you to does not have a washburn.edu address:


If you missed those indicators, it was very easy to overlook that this was not in fact a Washburn e-mail or website.
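The three indicators above can also be checked mechanically. The Python below is an added example, not part of the original post: the function names, the sample message and its sender address are constructed for illustration, and the link host is the one quoted in the Czech Republic report further down this page.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "washburn.edu"  # the domain the post says genuine mail and links use


def in_trusted_domain(host):
    """True only for washburn.edu itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for one raw e-mail."""
    msg = message_from_string(raw_message)
    findings = []

    # Indicator 1: the From address is not a washburn.edu account.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not in_trusted_domain(sender_domain):
        findings.append(f"sender domain is {sender_domain or 'missing'}")

    # Indicators 2 and 3: where each link really goes, whatever its text says.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlsplit(href).hostname  # None for mailto: or relative links
        if host and not in_trusted_domain(host):
            note = f"link goes to {host}"
            if TRUSTED_DOMAIN in text.lower():
                note += f" but is displayed as '{text}'"
            findings.append(note)
    return findings


# Constructed sample: made-up sender; link host is the one quoted in a report on this page.
SAMPLE = """\
From: "MyWashburn Support" <helpdesk@example.net>
Subject: Action required
Content-Type: text/html

<p>Please sign in: <a href="http://mywashburnportal.webs.com/">http://my.washburn.edu</a></p>
<p>Questions? <a href="http://my.washburn.edu/">MyWashburn</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("SUSPICIOUS:", finding)
```

The domain check compares the end of the host name on a dot boundary, so a host that merely contains the word "washburn" is not treated as a Washburn site.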

For more on identifying phishing e-mails, see these prior blog posts:

Direct Deposit targeted via phishing emails:

Watch out for Phishing e-mails:

Anatomy of a Phish:

Multiple Reports of Czech Republic Phishing Messages

We started receiving reports of phishing attempts.  The first few reports came in on Saturday, and on Sunday the number tripled.  The message has been the same in all of the reports, and below is an example of the message.  Note, this was not sent out by Washburn ITS.  We will never send out such a message or ask for your password.  If you responded to this message, please change your password immediately to a new password you have not used previously.

Your Incident ID is: 130329-018715
This is an automated message to notify you that we detected a login attempt with a valid password to your Washburn! account from an unrecognized device on Sunday, June 14th, 2013 12:26 AM BST.
Location: Czech Republic IP=
Was this you? If so, you can disregard the rest of this email. If this wasn’t you kindly follow this link http://mywashburnportal.webs.com/ to review your Washburn account
The Washburn! Helpdesk

We are working to block this message from arriving on campus.  If you have any questions, please contact us at 785-670-3000 or send email to support@washburn.edu.

Rapidly spreading virus/malware on Android

There has been a recent surge in compromises of Android devices by what appears to be drive-by malware (similar to a computer virus) that is infecting Android smartphones and tablets. Little or no user action is needed beyond simply clicking a link or visiting a compromised website, and there may be no clear indications that a device is compromised afterward. You need not fall for a scam or go to a site with a poor reputation to be a victim; some very high profile sites and advertising services have been compromised recently to spread this malware.

This is a particularly sophisticated piece of software that in theory could similarly be used to exploit iOS, MacOS, Windows, and other devices though at present it has only been confirmed on Android.

Prevention and Remediation:

Install antivirus software and scan your device

Since most information about this malware is still preliminary and incomplete, any precautions we recommend may not offer complete protection. Regardless, the best information at present recommends the use of one of the following antivirus solutions – they are typically available free for personal use in the Google Play store (in alphabetical order; we’re not recommending any particular one of these solutions over another at this time):

• Avast! Mobile Security
• Lookout Mobile Security
• Sophos Security & Antivirus

The latest information at the time of this writing is that AVG and a number of other antivirus products do not yet have the ability to detect this malware, though we expect that to change soon.

In addition, go to Settings -> System Updates to check for any software updates for your device.

If an infection is found, we strongly urge you to change the passwords for any accounts that may be saved on the device. Other accounts using that same password may be compromised as well.


Since April 28th, a relatively small number of e-mail accounts have been compromised, but we were unable for quite some time to determine how those account credentials might have been exposed. In addition we’ve been consistently seeing one new compromised account every day or two. Compromised accounts are typically used to send a simple e-mail like the one below to between 40 and 50 recent contacts:


Washburn is not alone in seeing this. Washburn ITS staff have been working together with IT staff at other universities around the country who have been experiencing the same thing. Similar spam messages have been seen on commercial mail and chat services as well – Yahoo mail, Gmail, Hotmail/Outlook.com, Facebook, and Twitter to name a few.

While a full analysis of this malware is not yet available, we now know that these links were being used both to direct people to fake diet-pill websites and along the way Android devices were specifically targeted for compromise, infection, and exploitation.

We believe e-mail account credentials are being compromised as well if they have been saved in web browsers or applications on the compromised Android devices. There are also indications that if the same password is used on multiple accounts, other accounts using that same password may be compromised as well.

We’ll provide additional updates as they are available.

Washburn E-mail Quarantine Access and Purpose

Log on Window for WU E-mail Filter

The Washburn University email system has a spam filter in place to help protect from unwanted email, viruses, and other malicious messages.  We have had this spam filter (WU E-mail Filter) for the past few years.  The system scans all incoming and outgoing email and assigns each message a numeric rating reflecting how likely it is to be spam.  The higher the rating, the better the chance the message has of going into the spam quarantine.

The WU E-mail Filter, or spam quarantine, is there to protect you from those malicious messages from the Internet.  To access your spam quarantine, visit the following web site:


Log on using your MyWashburn user ID and password.  This will display any messages waiting in your spam quarantine.  From here, it is possible to see a list of any messages that have been held and not delivered to your e-mail inbox due to the message being tagged as spam.

Click on the message in the quarantine to see a preview of the message.  This will allow you to see the contents of the message without it being delivered to your inbox and possibly infecting your computer.  When clicking on the email in the list, this opens a new window, which allows you to preview the message.  If the message should be delivered, click the deliver button.  However, if the message should not be delivered, close the window and either click delete next to the message, or check the box to delete a list of messages.

Occasionally, messages that should be delivered to your inbox end up in the quarantine.  In order to keep that from happening, there are a few options.  The first option is to click the deliver button, which allows the message to be delivered.  If the sender is someone you expect to hear from often, click the link for whitelist.  This will add the sender address to your whitelist so that those messages will not be held in the quarantine.  It is also possible to manually enter e-mail addresses into the whitelist through preferences.  This option also allows the adding of entire domains.  So, if you are working with a vendor and multiple people are contacting you, you could add their domain.com into your whitelist and anyone sending from that vendor would make it into your inbox.

The feature I use often is to go through and mark those messages in my spam quarantine that I know are spam. It is possible to mark multiple messages that based on the sender and subject I know I do not want to see.  Check each message and then click on Spam at the top of the list.  This does two things for you.  First, it adds them to your spam list and second it sends the sender information to the vendor who manages the product so they can possibly block it for other people too.

WU E-mail Filter Preferences

Preferences for changing settings within the WU E-mail Filter

The preferences menu is at the top of the window.  From the preferences, it is possible to see the Whitelist/Blacklist items that you have marked.  It is also possible to add/remove addresses from the list.  Click the Whitelist/Blacklist link to view this section.

The Quarantine Settings is the section where it is possible to specify how often the WU E-mail Filter notifies you when there are messages in your spam quarantine.  By default, the notice will be sent to your Washburn e-mail address.  I prefer to have mine set to daily as I get a lot of e-mail and many of the messages end up in my quarantine.  This is also the area where it is possible to disable your spam quarantine.  If the spam quarantine is disabled, messages that would normally be held for review would be delivered to your e-mail inbox and tagged with [SPAM] or [POSSIBLE SPAM].  This can be turned on or off as needed.  The recommendation is to leave this setting turned on to protect you and your computer from possible harmful e-mail messages.

The last tab is the Spam Settings.  This is the area where it is possible to change how messages are tagged.  The default is to use the system settings, but it is possible to change to your desired settings if needed.

If there are any questions or problems regarding the WU E-mail Filter, please contact ITS User Services at support@washburn.edu or by calling 785.670.3000.


Savin Toner Sales Scam

We’ve received reports of people receiving calls from a company that identifies itself as “Interstate” trying to convince people that they need to order new toner for Savin printers through them. This is a repeat of a very old scam; what’s interesting in this case is that the callers seem to know a great deal about the equipment we have in place and departmental billing contacts on campus. This information may make them more convincing. We do not know the source of this information but we don’t believe it comes from any Washburn systems or databases.

Purchasing is aware of these scams and should prevent any purchase orders from being processed. We have no need to purchase toner for the Savin copiers; that is included in our maintenance contract. If you are contacted, please get as much information as you can from the caller and e-mail that information to support@washburn.edu.

It’s that time of year again – Time for Income Tax Scams

Every year at this time scammers come out of the woodwork with new scams and reused old ones designed to obtain tax information for identity theft and financial fraud purposes.  Sometimes these scams are directed at individual taxpayers and at other times they are targeted at businesses and institutions like ours.

The IRS has already noted a number of scams this year targeting individual recipients by name. Targeted requests are often harder to identify as fraudulent.  These often involve sending modified versions of legitimate IRS forms by fax or e-mail and requesting the recipient fill them out and return them.  These forms are modified so that the recipient provides all the personal and financial information the scammer needs to perpetrate their fraud.

A recent example can be seen below:

First the real form W-8BEN used for foreign persons to designate their non-US tax status:  http://www.irs.gov/pub/irs-pdf/fw8ben.pdf

Then the fake W-8BEN notice and form some people have been receiving (click to enlarge):

Note in particular the use of a non-IRS e-mail address, the implied urgency: “return to us within 24 hours,” and the insistence on faxing the document rather than using US Mail.

Be especially cautious about any communication that claims to be from the IRS or your employer and that claims to urgently need personal or financial information for tax purposes.

If you receive anything that you believe to be a tax-related scam, you can report it to the IRS here: http://www.irs.gov/uac/Report-Phishing

The IRS also provides additional information to help you protect yourself from “The Dirty Dozen Tax Scams:” http://www.irs.gov/uac/Don%E2%80%99t-Fall-Prey-to-the-2011-Dirty-Dozen-Tax-Scams

And a guide to “Tax Refund Scams:” http://www.irs.gov/uac/IRS-Urges-Taxpayers-to-Avoid-Becoming-Victims-of-Tax-Scams


Cyber-Security Awareness – I Think I’ve Fallen for a Scam!

The people out there trying to get your sensitive and confidential information can be very good at what they do.  The really capable ones know how to push our psychological buttons, and how to make their malicious communications or websites look very legitimate.  Sometimes they’ll even take advantage of perfectly legitimate but vulnerable websites.

So let’s say you’ve responded to a message requesting information, or entered your information in a website that now doesn’t seem quite right.  What can you do to protect yourself after the fact?

The first thing is, don’t panic.  Washburn students, faculty, and staff can contact ITS support at 785-670-3000 or support@washburn.edu for assistance.  We’ll be happy to help talk you through this and determine the next actions to take.

One thing to keep in mind is that you’re not the first person this has happened to and there are a number of resources to help you recover, and I’ll be covering some of those below.  Before your memory starts to get foggy, write down what might have been revealed – was it a password, Social Security Number, credit card number, bank account number, etc.?  Did you put in security question information like the name of your first pet, favorite teacher, etc.?  Try to remember and write down as much as you can about the incident now.

Reporting the Crime

Sometimes people feel like they don’t want to cause a fuss or are too embarrassed to report something like this as a crime.  Scams that get you to reveal sensitive personal or financial information are crimes, however, and reporting it will offer you substantial protections from fraudulent activity and help law enforcement crack down on the scammers.

Because Internet crimes routinely cross state or national boundaries, the standard place to report them is to the FBI.  The FBI jointly with the National White Collar Crime Center runs the Internet Crime Complaint Center (IC3).  This site makes it very easy to report the crime on-line and helps ensure that report is directed properly to other government agencies if applicable.  You can report Internet scams and other crimes here:


Protecting Financial Information

Are you concerned that credit card, bank account, or other financial information might have been revealed?  Contacting your card provider, bank, credit union, etc. is a good place to start.  They can flag your account so it is watched more closely for suspicious activity and often will help you put a Fraud Alert on your credit reports.

Internet sites like eBay, Amazon.com, and others have websites and other resources dedicated to dealing with fraudulent activity on your account.  Typically an easy way to find these is to enter the name of the website and certain keywords like “security” or “fraud” into your favorite search engine.  Typically the first or one of the first hits will get you to the right place.

Personal Information / Identity Theft

If personal information may have been revealed, particularly information like a Social Security Number, one of the best things you can do to protect yourself is filling out this Identity Theft Victim’s Complaint and Affidavit available on the Federal Trade Commission website:


If you choose to file a report with law enforcement, this standardized form will help them respond more effectively to your complaint and can serve as evidence against future fraudulent charges.  Even if you do not file a report with law enforcement, this form is still accepted by many companies and provides you with a degree of protection against misuse of your personal information.

The FTC website has a great deal of additional information about how to protect yourself depending on the specifics of your situation.  Check the link below for more:


Reset Passwords

If you have inadvertently revealed a password, you should immediately come up with a new password, write it down and store it in a secure location in case you forget it, and go to any websites or other resources where the compromised password is used and go through the change password process.  If you use the same password on multiple websites, you should change that password on all sites where it is used.  It’s a good idea to write down a list of those sites first so you can check them off as you go; it will make it easier to ensure you’ve taken care of all of them.

Cleaning Your Computer

If you follow a suspicious link or open a questionable file, you may be concerned your computer has been compromised.  Hopefully you’ve been keeping up to date on security updates and patches for your operating system and hardware and have up-to-date antivirus software.  These actions will do a great deal to protect you from multiple on-line threats.  If you haven’t been keeping up on these, that should be a goal for the future once you are sure your computer is clean again.


Malwarebytes Anti-Malware Free (http://www.malwarebytes.org/products/malwarebytes_free/) is an excellent tool for eliminating many types of viruses, trojans, and other malicious software.  It is free for home users and is good for getting your system cleaned up.

Spybot Search and Destroy (http://www.safer-networking.org/) is another excellent anti-malware product that is free for personal use; it has been around a long time and targets not just malicious software but ad-ware too.

Windows Defender (http://www.microsoft.com/en-us/download/details.aspx?id=17) is a free product from Microsoft; it’s not typically as aggressive as the previously mentioned anti-malware software, but has been effective at getting rid of some particularly hard to eradicate malware.

With all anti-malware software, it’s a good idea to run it multiple times until the reports come up clean.  Sometimes one run will clean up one piece of software that is hiding another, and the second one will only be picked up on a later run.

No product can get rid of all malicious software in all cases; for some infections the only effective way to recover is to reinstall Windows from scratch.  For anything short of that, these products can typically take care of it. Nor do these programs eliminate the need to keep your system and software updated, but they can be a good way to get it cleaned up so that you can keep it updated down the road.

Anti-virus software is different from anti-malware on Windows: antivirus can help protect you from getting infected, but is not always as effective at cleaning up an existing infection as dedicated anti-malware software.

There are a number of free Windows anti-virus applications for personal use.  You need not pay a substantial amount of money for effective protection:

Microsoft Security Essentials is freely available from Microsoft.  It is remarkably good, relatively unintrusive and has little to no impact on system performance.  It is free for personal use or for small businesses up to 10 systems.


AVG Free is another highly effective free for personal use antivirus product for Windows.  You can download it here:


Avast! is a popular option for many Windows users as well:


Mac OS

Many people think that Macs don’t get viruses or other malware, and to a large degree that was true.  The Flashback Trojan that started hitting Mac OS systems about a year ago changed all that, however.  There is still less malware targeted at Macs, but what does target Macs is particularly nasty. As with Windows, some of the worst may be impossible to effectively remove without a reinstall of the operating system from scratch.

Sophos has released free Mac Antivirus software for personal use that is good at both protecting and cleaning Mac OS systems and works with Mac OS up to version 10.8.  It can be downloaded here:


ClamAV has a free Mac Antivirus as well.  Be aware that if you want continuous protection, you’ll need to download the version from the website.  The version in the App Store only does on-demand scans.


Avast also has a free for personal use antivirus application that can be downloaded here:


Keep in mind you should only install one antivirus application; installing multiple antivirus programs will impair performance significantly.

Mobile Devices

Currently mobile devices aren’t a big target for malware.  There has been some malicious software developed but it generally hasn’t seen widespread distribution.  Nonetheless that can be expected to change.

Apple’s iOS (iPhone, iPad, iPod), unfortunately, does not offer any sort of antivirus or anti-malware software.  Apple has in fact actively kept Antivirus software out of their App Store.  They’re largely relying on the effectiveness of their screening mechanisms for App Store apps and limits of user rights on the system to keep malware out.  Time will tell if that is an effective strategy, however.  In the meantime, the only real option to clean an iOS device is to reset it to factory defaults.

Android has several antivirus applications available; both Avast! and Lookout Security have free versions available in the Google Play store and are well reputed.  Like Apple, Google screens software on its Google Play store and has the user run with limited rights on the system, both of which reduce the opportunities for malicious software in most cases.





Cyber-Security Awareness – Social Media Tips

Do you use Facebook, Twitter, Google+, Pinterest, Instagram, or other social media sites?  What about internationally focused social media sites such as Orkut, QQ, and Badoo?  You or those you socialize with on these sites will be a target of a scammer sooner or later.

Many of the most effective scams are targeted to you personally from the information publicly available on your profile.  Typically you will get an unsolicited communication that matches your published interests or that is very effective at getting your attention by claiming some sort of emergency or a need for immediate action.

That scammer wants to make you click that link before you have a chance to think and be skeptical.

Be very cautious when you get any of the following:

  • A message from someone, particularly a close friend or relative saying they’ve been robbed, they’re being held by foreign authorities, or otherwise have an immediate need for money to be wired to them.  This is particularly common when that individual is known to be out of the country.
  • A message that you have won something, particularly when it says you have to act immediately to claim your prize
  • A friend request from someone you’ve never seen before, especially some stranger with the looks of a model or someone who may have the same interests as you have posted
  • A message about an account cancellation
  • A message about a charge you didn’t authorize
  • Anything that looks like humorous content but that requires you to click a link to see it
  • Any request to install an app to get at desirable content

In many cases these are difficult to tell from legitimate messages, so you need to take a moment and think:

  • Does this make sense?
  • Do I know this person and did I expect something like this from them?
  • Is this totally out of character for my friend – could their account have been hacked?
  • If it’s too good to be true, it probably is.

Remember, social media can place no obligations on you; you don’t have to respond to every message, friend request, alert, or notice.  You can always take the time you need to sort things out before making a snap decision to click that “Accept” button or that web link.

I’ll have additional postings over the course of this month, including what to do when you think you may have fallen for a scam or clicked that link that didn’t seem quite right.  I’ll also detail certain specific threats and scams to help you be more informed about them in the future.

In the meantime you may want to review these sites of interest on this topic:

11 Tips for Social Media Safety


Scams and Social Media


15 Social Media Scams