November 2020 Safe Computing

Information Security Behind the Scenes


Fraudulent and Malicious Phishing During COVID-19

Phishing attacks are a persistent information security threat. University personnel are particularly vulnerable during significant events, such as the COVID-19 pandemic. Phishing attacks are growing more sophisticated, taking advantage of psychology and human behavior as well as the ready availability of computer processing power and machine learning.

The University continues to see long-running phish attempts, for example, with the subjects “Are you available?”, “Urgent request”, or “Quick favor.” These messages appear to originate with a colleague you communicate with regularly. Messages may request you to take action such as providing your personal cell phone number, which is often sold, and used for call or text messages for spam or malicious activity. Messages may request that you purchase gift cards (gift cards are easily redeemable for cash, and difficult to trace).

The University has seen several sophisticated and widespread phishing attempts during the pandemic. In some cases, these attempts targeted over 4,000 valid University email addresses. With broad distribution and a compelling subject, the likelihood that even a few users would be deceived is high.

We have received reports of the following widespread and compelling phishing attempts:

  1. An email appeared to originate from a University IT Office, with the subject “COVID-19 Update.” The email directed users to a link for a document entitled “COVID-19 Update.docx,” which prompted you to provide your username and password. This type of phishing may steal your credentials, plant malware, or both.
  2. An email with the subject of “The University of Maine: Benefits Approved” requested users to click on a link entitled “myUMaine” to view the supposed benefit amount approved.
  3. An email with the subject of “UMaine Wages Bonus”, appearing to come from a valid Vice President of Campus Human Resources (Chris Lindstrom in this case), requested users to click on a link to a document entitled “UMaine Wages Bonus.pdf.” It additionally included a fake link to email “Chris Lindstrom”; using that link confirms to the phish actor that your email account is valid and active, and starts a dialog with them.
  4. An email with the subject of “Upgrade Email Quota” appeared to originate from a valid University email address. Contrary to the examples above, this email did not seek to exploit a sensitive issue such as the pandemic, but rather communicate an urgent and routine administrative issue, which is less likely to be immediately recognized as suspicious.

Tips for recognizing these attempts as phishing:

  1. Be wary of email that takes advantage of an urgent topic (the pandemic, or continuing a necessary service, as in the Upgrade Email Quota example);
  2. The sender or department may not be the usual channel for the communication (for example, the IT Service Desk communicating COVID-19 updates);
  3. The University has provided an official communications channel (for COVID-19 related communications – the official channel is the UMS portal); and
  4. It is unlikely that an official University update would send a mass email requesting your username and password to view a critical update or continue your email service.

Your best defense is to forward suspicious email to phish@maine.edu for guidance, and/or create a new email to the sender (don’t respond to the originating thread) to verify the legitimacy of the communication.


Information Security Office Activity in Response to Phishing

The Information Security Office receives hundreds of reports to phish@maine.edu every month, and both the sophistication and the frequency of the reported messages have increased during the COVID-19 pandemic. Reports are encouraged! They indicate increased awareness of suspected phishing, and alert the Office to large-scale phish attacks.

A report to phish@maine.edu leads to review and investigation by our team. Most reports turn out to involve relatively innocuous activity; however, phishing remains one of the greatest security threats to the University. Here are the actions taken by the Information Security Office:

  1. Our initial goal is to respond to specific questions about the email you’ve submitted. The most common questions are whether a link or an attachment is malicious, or whether the overall content of the email is legitimate.
  2. A variety of tools and techniques are used to identify malicious phishing. Links and attachments may be checked against online reputation services such as Virustotal or Hybrid analysis. We may open the email in a protected environment, such as a virtual machine or sandbox, to safely click links or open attachments.
  3. When malicious links or attachments are found, we review email log activity for the individual user(s) for evidence of exploitation. If evidence is found, the user is contacted with further information and instructions.
  4. We inspect email headers for details on how the email was sent. We identify the servers that the message passed through, to determine whether the sender was the company or person identified in the email body or if false information was provided, and if the sender was located in the expected country or region.
  5. Our autoresponder message when you make a report to phish@maine.edu reminds you of the common steps you can take to delete the email, and to protect your accounts if you fell victim. If you ask a specific question, we respond directly to you with the results of our investigation.
  6. We review Gmail server metadata to see how many University addresses received the same message. When a particularly effective phishing email has bypassed Gmail phishing detection algorithms, these logs allow us to notify recipients of the email about the malicious content.
  7. With a large-scale or particularly convincing phishing attempt, the Information Security Office publishes a University-wide or department-wide email alert. We balance important alerts with “email fatigue” – our minds are less likely to register urgency when it is repeated frequently. We welcome your feedback and comments on communications to infosecurity@maine.edu.
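Steps 4 and 6 above, as an added Python example that is not part of the original newsletter and is not the Information Security Office's own tooling: it walks a constructed message's Received chain oldest hop first, compares the envelope sender (Return-Path) and the relay that handed the message to the receiving organisation against the visible From domain, reads the SPF and DKIM verdicts from Authentication-Results, and counts the recipients of the same Message-ID in constructed delivery-log lines. All hostnames, addresses, the log line format and the `own_domain` value are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not messages from the newsletter). In the first, the
# visible From: claims a university address, but the envelope sender and the
# relay that handed the message to the university's MX belong to another
# domain, and SPF/DKIM did not pass. The second is a plausible internal message.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail.example-bulk.test>
Received: from mx.university.example (mx.university.example [203.0.113.10])
 by inbox.university.example with ESMTPS id abc123
 for <user@university.example>; Tue, 10 Nov 2020 09:15:02 -0500
Received: from relay.example-bulk.test (relay.example-bulk.test [198.51.100.7])
 by mx.university.example with ESMTP id def456;
 Tue, 10 Nov 2020 09:15:01 -0500
Received: from [10.0.0.5] (unknown [192.0.2.44])
 by relay.example-bulk.test with ESMTPA id ghi789;
 Tue, 10 Nov 2020 09:14:59 -0500
Authentication-Results: inbox.university.example;
 spf=fail smtp.mailfrom=mail.example-bulk.test;
 dkim=none
From: "Campus Human Resources" <hr-office@university.example>
To: user@university.example
Subject: Upgrade Email Quota
Message-ID: <20201110141459.ghi789@relay.example-bulk.test>

Your mailbox is almost full. Follow the link to upgrade your quota.
"""

CLEAN_RAW = """\
Return-Path: <hr-office@university.example>
Received: from smtp.university.example (smtp.university.example [203.0.113.20])
 by inbox.university.example with ESMTPS id jkl012;
 Tue, 10 Nov 2020 10:02:11 -0500
Authentication-Results: inbox.university.example; spf=pass; dkim=pass
From: "Campus Human Resources" <hr-office@university.example>
To: user@university.example
Subject: Open enrollment reminder
Message-ID: <20201110150211.jkl012@smtp.university.example>

Open enrollment closes on Friday.
"""

# Each relay prepends its own Received: header, so the header list is newest
# first; the "from" clause names the host that handed the message over.
_RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def received_hops(msg):
    """Relay path as (claimed_host, parenthetical) tuples, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(" ".join(value.split()))  # unfold the header
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    hops.reverse()
    return hops


def auth_results(msg):
    """SPF and DKIM verdicts recorded by the receiving server, 'none' if absent."""
    results = {"spf": "none", "dkim": "none"}
    for value in msg.get_all("Authentication-Results", []):
        flat = " ".join(value.split())
        for mech in results:
            m = re.search(rf"\b{mech}=(\w+)", flat)
            if m:
                results[mech] = m.group(1).lower()
    return results


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze_headers(raw, own_domain):
    """Compare what the headers prove about the path with what From: claims."""
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    hops = received_hops(msg)
    auth = auth_results(msg)
    # Newest hop that is not one of our own relays: the server that actually
    # delivered the message to us.
    origin_relay = next((h for h, _ in reversed(hops) if not h.endswith(own_domain)), None)
    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if origin_relay and not origin_relay.endswith(from_domain):
        findings.append(f"message entered {own_domain} from {origin_relay}, outside the From domain")
    for mech in ("spf", "dkim"):
        if auth[mech] != "pass":
            findings.append(f"{mech.upper()} result is {auth[mech]}")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "hops": hops, "origin_relay": origin_relay, "auth": auth,
            "findings": findings, "suspicious": bool(findings)}


# Constructed delivery-log lines in a made-up one-line-per-recipient format.
DELIVERY_LOG = [
    "2020-11-10T14:15:02Z deliver msgid=<20201110141459.ghi789@relay.example-bulk.test> rcpt=user@university.example",
    "2020-11-10T14:15:02Z deliver msgid=<20201110141459.ghi789@relay.example-bulk.test> rcpt=staff2@university.example",
    "2020-11-10T14:15:03Z deliver msgid=<20201110141459.ghi789@relay.example-bulk.test> rcpt=user@university.example",
    "2020-11-10T15:02:11Z deliver msgid=<20201110150211.jkl012@smtp.university.example> rcpt=user@university.example",
]


def recipients_of(log_lines, message_id):
    """Distinct recipients of one Message-ID, for sizing a notification."""
    wanted = f"msgid={message_id}"
    rcpts = {m.group(1) for line in log_lines if wanted in line
             for m in [re.search(r"rcpt=(\S+)", line)] if m}
    return sorted(rcpts)
```

`analyze_headers` only flags what the headers themselves contradict; a message with consistent headers can still be a phish, so the result is a triage input, not a verdict.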

Phishing Trends to Watch For

Be alert for the following trends:

  1. Phishing that targets software services such as the G-Suite (Gmail, Google Docs, Google Sheets, etc.) is on the rise. The look and feel of these attacks is not new; however, instead of impersonating commercial organizations such as Amazon or a bank, they impersonate a Google Doc, PDF, Box or Dropbox link or attachment. Among other messaging, the subject may portray a sense of urgency, or note that there was suspicious activity on your account, or that your password has expired (prompting you to enter your credentials). A single compromised account can cause damage beyond targeting you personally; for example, the compromise can grant access to the email or files of the entire University.
  2. Once a phish actor has access to one account, they can embed themselves and use it to send malicious emails to others, expanding their access. A further sophistication of this impact is “late stage” phishing, where the actor replies to an existing subject thread, spoofing a legitimate sender. This is much more difficult for a user to detect, as not only does the sender look legitimate and as originating from someone with whom you would expect to communicate, but the subject looks familiar as well.
  3. Phishing attacks are expanding beyond email, to other communication apps such as Slack, Teams and Facebook Messenger. While users are trained to be suspicious of email, they tend to be more trusting when using these other apps. Many non-email platforms do not have the same built-in security as email, such as link scanning or malware detection.
  4. Interactive dialog attacks contain no links, attachments or malicious content – just a message from someone pretending to be your boss or colleague. These attacks lead to real-time, interactive dialogs with the attacker. Only after multiple dialogs does the attacker make a request for you to click on a link, attachment, purchase a gift card, or provide personal information; the prior innocuous dialog lowers your guard. Attackers can use highly-targeted, personalized messages.
  5. Malicious links may be embedded in a document on a shared platform, such as a Google or OneDrive document. File-hosting services may scan for malware, but they do not scan for malicious links. Commonly, the victim will be directed to authenticate to view the document by entering their credentials.

New Opt-In Phishing Simulation Training

Every year, hackers get more sophisticated and introduce new phishing strategies. In 2019, Verizon reported that 90% of 2018 breaches started with a click.

Are you interested in building your awareness and skill at detecting phishing trends? The Information Security Office offers a new, opt-in training that will periodically send you fake, simulated phishing. You will receive feedback based on whether or not you fell victim to the simulated attack. You may cancel participation at any time. Email infosecurity@maine.edu and request KnowBe4 training.

The Information Security Office has new information resources available, including a page on remote work and COVID-19 cyber security available from the Information Security portal.

Questions? Comments? Contact UMS Information Security at infosecurity@maine.edu.

(Content for this page was provided by Jean Schmidt, UMS Information Security Analyst)