UW Office of the Chief Information Security Officer (CISO) has made available a new online training on Emotet malware. You can watch it here: https://ciso.uw.edu/education/online-training/emotet-malware/
It’s only 8 minutes long but gives a very good overview of what Emotet is and how to best avoid infection.
You may have seen my recent emails warning everyone to use extreme caution when opening attachments from 3 Labmed staff and wondered what was up. The pcs used by these 3 individuals were infected by a malware called “Emotet” back in April.
Some background on Emotet. It first appeared in 2014 and targeted the banking industry, but it soon morphed to become a threat to everyone. It is spread by email, in particular malicious attachments or links. The emails use a technique called “phishing” which is a type of “social engineering.” The point of phishing and social engineering is to trick you into revealing personal information, often financial data.
Emotet is very clever. For starters, it is “polymorphic,” which means that it can change dynamically to avoid detection by anti-virus software. It also connects to a server to get updates in the same manner as legitimate software such as Windows operating system. Emotet can also be used as a “trojan,” which means that it has the ability to download other malware to the infected pc.
So what happens when your pc gets infected with Emotet? In our particular case, what happened was that Emotet stole email data including contacts and message contents. It then used this information to generate emails that contained malicious attachments. Because these emails contained snippets of real email conversations, they were hard to recognize as fake.
What can you do to prevent Emotet infections? The most important thing is to approach email with skepticism. If something seems off about an email, go with your gut instinct and do not open any attachments or click any links. It’s fairly easy to fake sender name and even address, so these elements cannot be relied upon to confirm legitimacy. If you’re not sure, report the email to IT. Another thing you can do is call the supposed sender on the phone and ask them to verify that they sent you that specific email.
Sent via email on 7/2/17.
- Workday- You can tell that these are legitimate because the links in the body of the email are for domain myworkday.com/uw/. Also, when the UW login screen pops up, the address is idp.u.washington.edu. Note that there are known scams related to Workday, so make sure to hover your mouse over the links in any Workday emails you receive to make sure they go to our Workday site and not a fake site.
- UW Athletics- You can tell that these are legitimate because the links in the body of the email are for domain uwathletics.fan-one.com. Per the UW Athletics dept, they have a new ticketing system and are sending out new system activation instructions to everyone who has used their system in the past.
Fake Fake Fake:
- American Airlines order confirmation email saying that your credit card was charged. The intention is to alarm you and fool you into providing your credit card info on the malicious website. Similar scams involve Apple and Amazon order confirmations. If you receive an order confirmation email and don’t know if it’s legit or fake, I recommend that you log onto the vendor website via bookmark or Google search rather than clicking on the link contained in the email.
- The usual phishing emails targeting UW accts. The latest one is called Unusual Login Attempt and has a link to the malicious website http://universityofwashiington.weebly.com/. Note that the domain of this link is not a UW domain (it’s weebly.com), therefore it is malicious.
Tips for recipients:
*The key thing to watch out for is unsolicited email. Unsolicited means that you were not expecting it.
*It doesn’t matter if you recognize the sender or not- sender name and address are easily faked.
*If an unsolicited email contains a link or attachment, do not click link or open attachment unless you can verify that the sender sent you this exact email. It doesn’t matter that they have sent you emails in the past.
*Checking on unsolicited emails does take extra time. But it might save you from getting phished or having your computer infected with malware, both of which are time-consuming problems to fix.
Tips for senders:
*To the extent possible, don’t send emails with links or attachments. Instead reference where the link or document is on a shared resource. Example: “To log onto the UW Employee Self Service webpage, please use the link on the Clinical Lab Links webpage under the UW Resources header.”
*Never send unsolicited emails with links or attachments. Always let your recipient know ahead of time if you will be sending a link or attachment.
*Never send links to secure systems that require login. This trains recipients to click links in email and log in when prompted, which is a key component of phishing campaigns.
Let’s do everything we can to keep ourselves and our co-workers safe!
Fake– These are scams so do NOT click links and do NOT enter info into websites.
- Google Docs invite- This one looks very real because links actually go to Google. In this case, Google accounts were hacked and were hosting a phishing scam targeting Google accounts. Google has since shut this down.
- Xerox multifunction doc- This one includes “conf” or “order” in the title followed by a number. It is personalized with your name. It instructs you to open an attachment which was sent from a Xerox machine. The link looks like an attachment name, but actually goes to a malicious website.
- “You have a message from President Ana M”- Curious what the UW prez would like to tell you? Don’t be, because this one’s fake. It’s a scam to steal UW NetID credentials.
- “Update”- This one appears to be from a UW email address (faked). It targets your UW NetID acct, threatens to suspend your email if you don’t respond within 24 hrs, and contains a link to a malicious website.
- “NetID Update”- This one also appears to be from a UW address. It also targets UW NetID and threatens to terminate your acct if you do not respond. It has a link which appears to be to a UW website, but is actually a malicious website.
- “Employee Self Service” – This one is a real mishmash. It features obviously fake email addresses, references to Microsoft Outlook, a link to a malicious website, and oddly, a National Health Laboratory Service disclaimer.
- “Re-validate mailbox”- This is another generic sort of phishing email targeting Microsoft Outlook users. It asks you to verify acct in order to increase storage capacity.
- “Scanned_Invoice873.pdf -Dropbox”- This one invites you to go to a malicious website (supposedly Dropbox) and retrieve a mysterious PDF invoice.
Real– I have confirmed that the following are legit emails. You may safely click links in the email and enter your personal information on the websites.
- UW Transportation office reminder to renew UPASS and other commute products.
- UW Transportation office request to update vehicle registration.
- UW Office of Regional and Community Relations employee housing survey- links to Survey Monkey.
Can’t get enough of phishing examples? No problem!
The UW CISO (Office of the Chief Information Security Officer) has some great examples on their webpage.
They also have a great explanation of phishing vs. regular old spam emails.
There have been a lot of malicious emails lately, so I wanted to give you a quick update on what is real and what is fake.
1. Email from UW Office of Research titled “Your Action is Needed! Significant Financial Interest (SFI) Annual Update Required in 14 Days.” It sounds spammy but I have confirmed with the Office of Research that it is legit.
2. UW TAP survey- also confirmed real
Fake Fake Fake
1. “Email Account Closure” notice for Office365 users
2. “Urgent Review” with attached malware-infected PDF
3. “Update Required” phishing attempt to get tax info (says it’s from HR/Payroll)
4. “Beware of phishing emails” with details about supposed UW acct maint and threats to suspend acct
5. “UW Notification”- name-drops both UW and Office365, again threatening to suspend acct
6. Emails claiming you bought a shockingly expensive item- phishing scam targeting your credit card or bank info
7. FedEx delivery scam with attached malware-infected PDF
8. “Meeting notification” phishing scam targeting UW NetID
9. Our old favorite, USAA bank phishing scam
10. And the weirdest one I’ve seen yet- “Notice of Unsatisfied Photo Enforcement Ticket” supposedly from DMV, featuring such convoluted language as might appear in a real government notice.
I could go on and on, but you get the point- fake emails greatly outweigh legitimate ones. If something sounds fishy (or phishy), it’s because it is. Trust your judgment but ask if you’re unsure.
It’s been quiet since the USAA scam emails have died down, but don’t let your guard down yet! There’s a new phishing scam making its rounds.
Like a horoscope, this one is just vague enough to seem to apply to everyone. Note also the inclusion of “uw” in sender address and link- again, what we see is that “uw” is not in the right place in the address for it to be an actual UW domain website.
From: Justin Alexander [mailto:email@example.com]
Sent: Tuesday, December 20, 2016 12:06 PM
We have noticed some unusual login attempt to your account, Kindly update
your mailbox for your security purpose, please <http://web32uw.esy.es/>
Click Here to avoid cancellation.
Thank you for helping us protect you.
IT Helpdesk Support.
This USAA bank phishing scam email looks very official, doesn’t it? Only the link and the slight misspellings and grammatical errors give it away as a fake.
What scammers did with the link is quite clever. If you hover your mouse over the “Validate Your Account” link, you would see “usaa.com” in there twice. However, usaa.com is not in the right place. If you clicked the link, you would be taken to the web server shown below in red, not usaa.com. Tricky!
There were several variants of this email. Scammers often change sender address, web link, or even organization name in order to avoid detection by email filters.
Today’s phishing example shows off a new technique- threatening to withhold your email until you click link and provide acct information. Not only does it inspire panic, but also curiosity- aren’t you dying to know what those 2 emails are?! I am too, but not enough to get phished.
From: Bodnar, Brittanee Sue [mailto:firstname.lastname@example.org]
Sent: Thursday, September 01, 2016 7:03 AM
To: Bodnar, Brittanee Sue
Subject: Upgrade your account
Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages CLICK HERE to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understanding