Update on Ransomware

Friday, October 7th, 2016 | Mark Borrie

In March this year I wrote about the upswing in ransomware attacks. Well, since then we have seen even more attacks. Unfortunately some people have been caught out by the attackers and have had files encrypted.

Luckily everyone so far has been able to restore their data from backups and other sources.

The criminal gangs running these attacks are constantly looking for new ways to get results. Recently they switched to macro-enabled Word documents, which run attacker-supplied code as soon as the recipient enables macros. Once we worked out what they were up to we started using our spam management system PureMessage to quarantine all Word files with macros (these carry a .docm suffix). Only a few genuine files were quarantined, and those remained available to their recipients.

During August we quarantined about 150 000 docm files.

Since then we have seen a decline in the use of docm files but a large increase in zip files. Zip files are a convenient way to bundle a number of files together in a compressed format that makes them easier to distribute, and they hide what is inside from anything that only looks at the outer file's name or type.

During the first 12 days of September we quarantined about 1.5 million zip files. Almost all of these had some sort of malicious content.
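As an added illustration (example code written for this page, not the PureMessage rules the post refers to), the Python below inspects an attachment the way a gateway rule for the two waves above has to: macro-enabled Office files are zip containers holding a vbaProject.bin part, so the check looks inside rather than trusting the .docm suffix, and it unpacks nested zips to find scripts and executables. The blocked-suffix list, the size and depth limits, and every sample attachment are constructed for the example.

```python
import io
import zipfile

# Suffixes a mail gateway would not normally let through. Constructed list for this
# example, not the PureMessage policy the post refers to.
BLOCKED_SUFFIXES = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
# Parts that exist only inside macro-enabled Office Open XML files (docm/xlsm/pptm).
VBA_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                 # zip-in-zip-in-zip is an evasion trick and a bomb risk (assumed limit)
MAX_MEMBER_BYTES = 5_000_000  # do not inflate anything larger than this (assumed limit)


def _suffix(name):
    return "." + name.lower().rsplit(".", 1)[1] if "." in name else ""


def classify_attachment(name, data, depth=0):
    """Return the reasons to quarantine this attachment; an empty list means nothing was found."""
    reasons = []
    if _suffix(name) in BLOCKED_SUFFIXES:
        reasons.append(f"{name}: blocked script/executable suffix")
    if not data.startswith(ZIP_MAGIC):
        return reasons                      # plain text, PDF, legacy .doc: not a zip container
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons + [f"{name}: zip signature but the archive does not parse"]
    members = archive.infolist()
    # A renamed .docm still carries its VBA project; the suffix says nothing about that.
    if VBA_PARTS & {m.filename.lower() for m in members}:
        reasons.append(f"{name}: Office document carries a VBA project (macro-enabled whatever its suffix)")
    if depth >= MAX_DEPTH:
        return reasons + [f"{name}: nested deeper than {MAX_DEPTH} archives, not inspected"]
    for m in members:
        if m.is_dir():
            continue
        if m.flag_bits & 0x1:               # password-protected member: content cannot be inspected
            reasons.append(f"{name}/{m.filename}: encrypted member, content not inspectable")
            continue
        if m.file_size > MAX_MEMBER_BYTES:
            reasons.append(f"{name}/{m.filename}: {m.file_size} bytes, too large to inspect")
            continue
        reasons.extend(classify_attachment(m.filename, archive.read(m), depth + 1))
    return reasons


def _zip(entries):
    """Build an in-memory zip from {member name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


def _office_doc(with_macros):
    """Minimal stand-in for a Word OOXML container (constructed, not a real document)."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    if with_macros:
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project"
    return _zip(parts)


# Constructed sample attachments: name -> bytes as a gateway would see them.
SAMPLES = {
    "agenda.docx": _office_doc(False),
    "invoice.docm": _office_doc(True),
    "invoice.docx": _office_doc(True),      # macro document renamed to dodge a suffix filter
    "scan.zip": _zip({"scan_0042.js": b"// constructed downloader stub"}),
    "photos.zip": _zip({"inner.zip": _zip({"IMG_001.jpg.exe": b"MZ constructed stub"})}),
    "notes.txt": b"plain text, nothing to see",
}


def scan_samples():
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {'ALLOW' if not reasons else 'QUARANTINE'} {reasons}")
```

Two things this shows that a suffix rule does not: a .docm renamed to .docx still carries its VBA project, and a password-protected archive cannot be inspected at all, so it has to be treated as suspicious rather than waved through. The samples are built in memory; running the file prints a verdict for each.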

Dealing with these ongoing attacks is a team effort and we all have a part to play. Remember if something looks suspicious then get someone to check it out.

User awareness videos

Tuesday, July 12th, 2016 | Mark Borrie

Here are a couple of videos to help people become a bit more aware of social engineering risks. It would be interesting to hear from you as to which one you think is more effective.



Here is another good one from a bank


What is Ransomware?

Monday, March 7th, 2016 | Mark Borrie

In recent years another new term has emerged to describe yet more malicious software that attacks users. This one is called ransomware.

So what does ransomware do?

When a computer becomes infected with this software, the files on the computer are encrypted with a key that only the attacker holds. The user is then notified and offered the option of paying a ransom for the decryption key in order to recover the files. A user who refuses to pay loses all the encrypted files unless they can be restored from a backup.

There has been a large increase in ransomware attacks worldwide in recent months. The Information Security Office team is seeing large numbers of spam emails connected with ransomware attacks being intercepted here at Otago.

A recent attack

Many staff recently received an email claiming to be from a lawyer, suggesting that the recipient had breached copyright on some material. The spam was deliberately sent during the weekend so that users would not have the usual support channels available (Alarm bell #1). The same email was sent to many other universities.

Analysis of the email by another institution revealed some interesting things:

  • The email had a zip file attached (Alarm bell #2)
  • The zip file contained a PDF with a script in it (Alarm bell #3)
  • The script asked the user to install a special font in order to read the PDF (Alarm bell #4)
  • If the user (or their IT support person) finds and installs the "font", the ransomware is installed and immediately starts encrypting all the user's files, INCLUDING those on file shares the user can write to

Protecting yourself

Targeted spam attacks are getting more sophisticated. They use the names of real companies and individuals. They are sent outside normal working hours, e.g. during weekends or holidays, or overnight. They are often tailored to appear relevant to their targets, e.g. copyright issues for academics, or account information for financial staff.

Things to do (or not do)

  • Do not respond to unexpected emails outside work hours (it really isn't that urgent)
  • Do not respond to requests to "take an action" (it truly is not that urgent)
  • Check with IT staff or colleagues if you get an unusual email. Chances are it will be a known attack, or your report will alert staff to a new one under way
  • Be prepared. Make sure all your data files are properly backed up. Some ransomware now targets backups as well as file shares, so backups must not be reachable from the infected machine: keep them offline, or on storage that the user's account cannot modify

For more information or assistance, contact the ITS ServiceDesk or the Information Security Office.

Malware – more than just a virus?

Thursday, March 3rd, 2016 | Mark Bedford

The term malware seems to cause confusion. It is a contraction of the two words "malicious software" and covers a wide variety of malicious activity. In information security it is generally used to refer to software that is malicious in intent; it does not cover software that is merely buggy or faulty.

One type of malware is spyware, which is sometimes embedded in applications that appear useful but carry hidden functionality that gathers information about the user, typically for marketing, and reports it elsewhere.

This month's SANS OUCH! newsletter describes it in more detail and provides some tips on ways to protect yourself.

Financial fraud phishing emails

Wednesday, February 17th, 2016 | Mark Borrie

The Information Security team has noted an increase in phishing emails that are targeting staff who may handle financial transactions. Initially these emails targeted senior staff and attempted to get fraudulent payments made by the University. A tertiary organisation up north fell victim to this and may be out of pocket to the tune of over $100k.

The phishing emails are now targeting departmental staff. The email will appear to come from another University staff member and attempt to establish further email communication, but the sender's address will not be an @otago.ac.nz address. Eventually the target will be asked to set up a fraudulent financial payment. The emails push staff to work outside University financial processes by claiming the request is urgent, so that the normal checks are bypassed.

Staff who handle financial transactions are asked to be vigilant for these types of attacks. If you receive unusual requests to process payments then ensure that the following is undertaken:
– Check with the apparent requester via another channel; for example, if the request comes via email then give them a call (on a number you already have, not one taken from the email) to verify.
– At all times follow the University account processing systems. Contact FSD if you have questions.
– Report any attempts of this nature to the Information Security Office so that we can keep up to date with current attacks.

If you have any questions regarding this matter then please contact me.

Thanks, Mark

P.S. A copy of this email has been posted on the Information Security Blog site for verification. See https://blogs.otago.ac.nz/infosec/2016/02/17/financial-fraud-phishing-emails/

Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin 9054, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-8813
Email: mark.borrie@otago.ac.nz

Airline Boarding passes

Thursday, October 8th, 2015 | Mark Borrie

Ever wondered what is recorded on your airline boarding pass? Well, someone has done some analysis of one and quickly turned up some interesting information: among other things, the barcode carries your name and booking reference, which is enough to look up the booking. The bottom line is don't throw them away; take them home and destroy them at the end of your travels.

See http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/ for an explanation.
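As an added example, not part of the original post or the linked article: the barcode on a boarding pass uses the IATA Bar Coded Boarding Pass (BCBP) layout, whose mandatory block is a fixed-width 60-character record. The Python below decodes that block and picks out the two items a "manage my booking" page typically asks for. The barcode string is constructed for the example (fictitious passenger and booking reference), and the flight year is supplied by the caller because the mandatory block stores only the day of the year.

```python
from datetime import date, timedelta

# Mandatory items of an IATA BCBP barcode, in order, with their fixed widths.
# Every boarding-pass barcode starts with this 60-character block; an optional
# conditional block (frequent-flyer number, document details, ...) follows it.
MANDATORY_ITEMS = [
    ("format_code", 1), ("legs_encoded", 1), ("passenger_name", 20), ("electronic_ticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4), ("checkin_sequence", 5),
    ("passenger_status", 1), ("conditional_size_hex", 2),
]
MANDATORY_LENGTH = sum(width for _, width in MANDATORY_ITEMS)  # 60


def parse_bcbp(payload, year):
    """Decode the mandatory block of a BCBP payload. `year` is supplied by the caller
    because the barcode carries only the day of the year."""
    if not payload.startswith("M") or len(payload) < MANDATORY_LENGTH:
        raise ValueError("not a BCBP payload")
    fields, pos = {}, 0
    for item, width in MANDATORY_ITEMS:
        fields[item] = payload[pos:pos + width].strip()
        pos += width
    fields["legs_encoded"] = int(fields["legs_encoded"])
    conditional_len = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_raw"] = payload[pos:pos + conditional_len]   # not decoded here
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    return fields


def booking_lookup_keys(fields):
    """The pair an airline booking-management page typically accepts as login."""
    return fields["passenger_name"], fields["pnr"]


# Constructed sample: fictitious passenger and booking reference, Dunedin to Auckland,
# day 281 of the year (8 October in a non-leap year). Built by padding so widths are exact.
SAMPLE_BARCODE = (
    "M1" + "TRAVELLER/ANNA".ljust(20) + "E"
    + "XYZ123".ljust(7) + "DUD" + "AKL" + "NZ".ljust(3) + "0123".ljust(5)
    + "281" + "Y" + "012A" + "0001".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_BARCODE, 2015)
    for item, value in decoded.items():
        print(f"{item:22} {value}")
    print("booking lookup keys:", booking_lookup_keys(decoded))
```

Everything the parser returns is printed in clear text by the barcode, which is why a discarded pass is worth more to a stranger than it looks.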

Password Managers

Thursday, October 1st, 2015 | Mark Bedford

Remembering passwords is, simply stated, a chore, and many people reuse the same password for multiple services to avoid having to remember more than one. Enter password managers. I am not going to review them in this post; rather, I will point you to a Lifehacker article that does a decent job of reviewing them.

The summary is: use one that meets your needs rather than re-using the same password. If you go the next step, you can store the manager's password file on an internet-facing service such as the Otago Syncplicity service, where it will be available to you from anywhere on the internet. That file should already be encrypted by the manager under your master password, so the service only ever holds ciphertext; it also means the strength of the master password is everything, since anyone who obtains the file can attack it offline at their leisure.

LinkedIn Scams

Tuesday, September 1st, 2015 | Mark Borrie

In recent weeks there has been an increase in fake requests on LinkedIn for users to connect with people. These are likely to be precursors to attempted scams or fraud.

Some examples I have noticed are from people claiming to be from financial companies based overseas. After connecting with the person a message quickly follows asking for more information about yourself.

If you are unsure about these connection requests there are a few things you can do. Check the company affiliation. If you can't find the company, there is a good chance it is fictitious.

Also check the profile picture. This is easy with Google: open the Google search page, select the Images link, then drag the profile picture into the search bar and see whether there are any matches. You might be surprised where that profile picture originated.

There is no requirement that someone use an actual picture of themselves on LinkedIn, but you may want to think about why someone would use a picture of someone else.

So what should you do with these requests? LinkedIn has options to report people who appear to be misrepresenting themselves. Alternatively, simply don't connect, or disconnect from people you don't trust.

Above all else, keep safe.

Psychological trick used for spam

Friday, June 26th, 2015 | Taichi Nakamura

Subject line: "stop spamming me"

There was an interesting piece of spam caught today by the University's email spam filter.
It used a psychological trick to manipulate the recipient's behaviour.
The subject line and the body contained a complaint about spam being sent continuously from a certain department, and a Microsoft Word document was attached, supposedly with details of the spam the complainant was receiving.

What made this spam unusual was that it avoided being deleted on sight by not using the subject lines and opening sentences that spammers commonly use.
It was then carefully sent to a third-party employee likely to be interested in helping.
The spammer's hope was that the employee would try to be helpful, or, failing that, would click the attachment out of natural curiosity.

Of course, after that, the malware hidden in the Word document would infect the PC.

More Specific

The spam looked like a genuine complaint, but the complaint was not real.
The sender's and receiver's email addresses were forged, but since current email applications usually hide the headers by default, it would have been difficult for the receiver to spot this.

The subject line and contents did not look like the usual computer-generated spam, but rather like a complaint written by a native English speaker.
Nothing identified it as spam. It gave enough information, but only just enough, so that the reader would need to investigate further to understand the full picture.
That increased the chance that the employee would read the contents rather than discarding it straight away, and then check the attachment.

The receiver was not associated with the department named in the complaint, but it still looked like a genuine complaint because it used real department names.
So an employee trying to be helpful could easily have been tricked into checking the attachment and being infected by the malware.
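The impersonation described in the financial-fraud post above (a staff member's name on an external address, with urgency used to push staff outside the normal process) and the forged sender headers in this post can both be checked mechanically from the raw message, before a reader ever sees the display name. The Python below is an added example written for this page, not a tool the Information Security Office runs; the staff directory, the urgency terms and the three messages are constructed for the example, and the Authentication-Results check assumes that header was added by your own gateway (a sender can insert one of their own, which is why a gateway should strip incoming copies before adding its own).

```python
import email
from email import policy
from email.utils import parseaddr

UNIVERSITY_DOMAIN = "otago.ac.nz"
# Stand-in for a staff directory lookup; constructed names for the example.
STAFF_DIRECTORY = {"Jane Smith", "Finance Manager"}
# Phrases used to push staff outside normal process; constructed list for the example.
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential", "outside the usual process",
                 "wire", "transfer", "payment")


def _domain(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _is_university(domain):
    return domain == UNIVERSITY_DOMAIN or domain.endswith("." + UNIVERSITY_DOMAIN)


def assess_message(raw):
    """Return (score, findings) for one raw RFC 5322 message; each finding adds one to the score."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. A staff member's name shown on an address that is not ours (the financial-fraud pattern).
    if from_name.strip() in STAFF_DIRECTORY and not _is_university(from_dom):
        findings.append(f"display name '{from_name}' is a staff member but the address is external: {from_addr}")
    # 2. Lookalike domains such as otago-ac.nz or mail-otago.com, in either From or Reply-To.
    for dom in dict.fromkeys((from_dom, reply_dom)):
        if dom and "otago" in dom and not _is_university(dom):
            findings.append(f"lookalike domain: {dom}")
    # 3. Replies silently redirected to a different domain from the one shown in From.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 4. Our own domain in From, but our gateway recorded an SPF or DKIM failure (forged sender).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if _is_university(from_dom) and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append("From claims the University domain but sender authentication failed")
    # 5. Urgency plus payment language in the body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    hits = [t for t in URGENCY_TERMS if t in body]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return len(findings), findings


# Constructed messages for the example (fictitious people and addresses).
BEC_SAMPLE = """\
From: Jane Smith <jane.smith.otago@gmail.com>
Reply-To: Jane Smith <js.finance@mail-otago.com>
To: accounts@otago.ac.nz
Subject: Urgent payment
Content-Type: text/plain; charset="utf-8"

Hi, are you at your desk? I need an urgent supplier payment processed today,
outside the usual process as I am travelling and this is confidential.
I will send the bank details for the transfer shortly.
"""

FORGED_SAMPLE = """\
From: Jane Smith <jane.smith@otago.ac.nz>
Authentication-Results: mx.otago.ac.nz; spf=fail smtp.mailfrom=otago.ac.nz; dkim=none
To: staff@otago.ac.nz
Subject: stop spamming me
Content-Type: text/plain; charset="utf-8"

Please see the attached Word document for details of the spam your department keeps sending me.
"""

LEGIT_SAMPLE = """\
From: Jane Smith <jane.smith@otago.ac.nz>
Authentication-Results: mx.otago.ac.nz; spf=pass smtp.mailfrom=otago.ac.nz; dkim=pass
To: accounts@otago.ac.nz
Subject: Invoice 1234
Content-Type: text/plain; charset="utf-8"

Attached is the approved invoice for the usual monthly run. No action needed before next week.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC_SAMPLE), ("forged", FORGED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, findings = assess_message(raw)
        print(f"{label}: score {score}", *findings, sep="\n  ")
```

None of these checks is proof on its own (a genuine colleague may write "urgent" from a personal address), which is why the example scores rather than blocks; the score is what decides whether the message is worth a phone call to the apparent sender before anyone acts on it.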

How to Avoid

Best practice is never to open an email attachment unless you know who it is from, were expecting it, and are absolutely sure it is legitimate.
If there is an attachment you are not expecting, be suspicious and contact the sender (by another channel, not by replying) or the Information Security Office for clarification.

Recent Types of Spam

Spam often suggests that the matter is critical, must be responded to immediately, and requires you to do something.
It often contains malicious attachments or links.

Recent spam types:
A bank requesting that you change your password
A helpdesk telling you your email account is over quota and to click on a link to avoid being locked out
Someone wealthy overseas wanting to send you money or funds
A parcel that could not be delivered
Copyright or other infringement notices for which you do not recognise the reason
Conference and paper submission invitations
Sales of equipment and goods
Apple iTunes and other vendors' apps and services asking you to go to a website and authenticate

Microsoft’s iOS and Android Outlook app

Wednesday, February 4th, 2015 | Jim Cheetham

Microsoft have recently released a new “Outlook” email app on the iOS and Android mobile platforms. This app is a rebrand of the recently-purchased Acompli.

The user interface apparently is quite effective, mixing calendar and priority mail and allowing fast response to messages.

Unfortunately, at this stage in the app’s existence it takes some security shortcuts that are not ideal. All your email is copied into “the cloud” (this is a techno-marketing phrase that simply means “someone else’s computer” – and of course we should assume that “the cloud” will always be in a hostile legal environment, where government agencies from multiple countries will have free access to all your data). Worse, if you are accessing an Exchange service (i.e. University mail) your username and password are also stored in the cloud in order to make this work. The app doesn’t make this clear to users, and for some people that could represent a real problem.

More directly, this cloud-based login also actively violates the security policies that the University sets on Exchange email access. In order to protect University-owned data, devices that connect to Exchange are required to have local security policies like active screen locking, and to respond to remote wipe requests when they are reported stolen/missing. The current Outlook app does not apply these policies to the devices that use it, and although remote wipe might correctly remove data copied into the cloud, it doesn’t remove anything from the missing device. Worse, if you have multiple devices using this app, we can no longer wipe just the missing one; this app services them all from the same connection, and therefore a wipe affects all of them at the same time.

There has been a lot of press about this Outlook app recently – from the usability point of view it’s all positive, and from the security point of view it is all negative. Hopefully Microsoft will be able to put in some new development resources to help address these problems soon.

In the meantime, ISO recommend that you do NOT use this app with University email services.


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.