Suspicious Emails with Attachments

Recently, the University and other organizations nationwide have been experiencing an increase in the number of malicious emails sent to their users.  These attacks are used to ransom systems and data, steal intellectual property, and threaten the personal privacy of users online.  The attacks can take many different forms, including unsolicited resumes, fake shipping notifications, and messages claiming to be from organizations such as Revenue Canada in an effort to steal income tax information.

These emails will often contain an attachment in one of the following three forms:

  1. Microsoft Office Document (Word, Excel, PowerPoint, etc.)
  2. Adobe Acrobat Document
  3. Zip file

These types of files, in and of themselves, are not bad.  We send and receive many of them every single day; however, when the source of the email is not trusted, or the type of communication is unexpected or outside the topics normally discussed with that sender, we need to be very suspicious of its contents.

An example

For example, a department here at the University received the following email with a Word Document attached:

From: Shirley Gawron [<some-account>@rambler.ru]
Sent: March-08-16 5:49 PM
To: U of L <some-address@uleth.ca>
Subject: Quick Question


How's your day?
I was visting your website on 3/8/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.

Yours respectfully,

--
Shirley Gawron

So let’s analyze this email and find out why we should be suspicious:

First: the return address.  <some-account>@rambler.ru is a Russian address.  Unless you frequently get emails from Russia, this should be a huge red flag.  We can identify this by looking at the very last portion of the email address (.ru).  Typically we will only be communicating with people whose addresses end in one of the following:

  1. .ca (Canada)
  2. .com (Commercial email address)
  3. .org (generally for non-profit organizations)
  4. .edu (education)
  5. .net (a common extension used in the United States)

This is not a definitive list, but anything outside it should be looked at with a bit of suspicion.  Many countries have their own extension (called a top-level domain), and they aren’t a bad thing, but if you don’t know the person sending the email, take extra caution when deciding whether or not to open it.

Second: The wording in the email is entirely generic, it is not grammatically correct, and the email is completely unsolicited.  If applying for a position, I would hope a candidate would offer a cover letter or talk more specifically about the position being applied for.  As a general practice, we should never process a resume that didn’t come through our HR portal anyway.

Third: The subject line doesn’t address a specific position or posting.  We have no idea what kind of position they are talking about.

Fourth: The actual attachment was infected with a virus.  Fortunately, our antivirus would most likely have caught the infection, but given the information above, no one should have tried to open it; instead, the email should have been deleted from the inbox immediately, without a second thought.

Spoofing

There are other attack methods that don’t always advertise themselves like a foreign email address.

We often see attackers who “spoof” the ‘from’ address of an email so that it appears to come from a legitimate source (e.g. an @uleth.ca email address), while behind the scenes any replies are redirected to a different account.  This is done in an effort to bypass filters that may be preventing non-trusted email addresses from getting through the system.  There is nothing you can do to prevent spoofing, but be aware that what you see on the surface may not be the whole truth.  The address could even be your own email address, so nothing is sacred in this form of attack.
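The signals described above (a sender domain with an unexpected top-level domain, a Reply-To that quietly redirects answers elsewhere, and an attachment of one of the three commonly abused types) can be checked mechanically on a raw message. The following is an added example, not code from the Information Security Office; the sample message is constructed to resemble the CV email quoted earlier, and the expected-domain list and attachment extensions are assumptions taken from this post.

```python
# Triage checks for an unsolicited email: flags an unexpected sender TLD, a
# Reply-To that redirects answers to another domain, and risky attachment types.
from email import message_from_string, policy
from email.utils import parseaddr

EXPECTED_TLDS = {"ca", "com", "org", "edu", "net"}  # the list given in the post
RISKY_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".zip")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    from_domain = domain_of(msg["From"])
    tld = from_domain.rsplit(".", 1)[-1]
    if tld and tld not in EXPECTED_TLDS:
        warnings.append(f"sender TLD .{tld} is outside the expected set")
    reply_domain = domain_of(msg["Reply-To"])  # hidden redirect of replies
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To redirects answers to {reply_domain}, not {from_domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"attachment {name} is a commonly abused file type")
    return warnings

# Constructed sample modelled on the CV message quoted in the post; the
# addresses and the attachment body are placeholders, not real data.
SAMPLE = """From: Shirley Gawron <some-account@rambler.ru>
Reply-To: <some-other-account@example.net>
To: U of L <some-address@uleth.ca>
Subject: Quick Question
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="CV.doc"
Content-Disposition: attachment; filename="CV.doc"

(binary content omitted in this constructed sample)
--b1--
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE):
        print("WARNING:", warning)
```

Run against the sample, it reports all three signals; a plain message from a .ca address with no attachment produces no warnings.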

Some simple rules

The University receives these types of attacks quite frequently, but applying the following rules to all financial and personal-information transactions will help us eliminate the threat.

  1. No change to any financial system should be performed with only email authorization.  At a minimum, a telephone call from a trusted location should be held.  It is preferable to use a binding legal document sent via fax or an encrypted email service that provides a level of non-repudiation (proof of where and from whom the change request came), authorizing the transaction to take place.  Any changes to University of Lethbridge financial systems should be done with the authorization of at least two people.
  2. No financial information should ever be provided over the phone when the user did not initiate the communication.  Even if a company you do business with calls and asks for this information, offer to call them back at their publicly listed telephone numbers to make sure you are talking to the actual organization.
  3. Banks, universities, and other professional organizations will never ask you to confirm your account details, passwords, or other personal information over email.  If they do, politely tell them you will call the support numbers available to you and provide the data.  Never provide your password under any circumstance to any organization.  Instead, ask them to reset it for you, conduct your business, and then change it to a new value they do not know.
  4. Do not provide personal information to any organization unless they can tell you how that information will be used and protected.  This is a requirement of our Freedom of Information and Protection of Privacy Act (FOIP) legislation in Alberta, and we should expect organizations to be in compliance with it.

These types of attacks are not going to go away any time soon, and there is no magical technical solution that can prevent all of them from getting through our email filters.  Users need to apply a little caution when receiving unsolicited communications from outside individuals, and so protect themselves and the larger organization from having resources stolen, destroyed, or misused.

For more detailed information and to answer any lingering questions about information security, please don’t hesitate to reach out to the Information Security Office.  Feel free to visit its webpage at http://www.uleth.ca/information-technology/security or email Kevin Vadnais at kevin.vadnais@uleth.ca.


Thanks,

IT Services- Information Security Office
