Identifying a Phishing Email
By Daniela Cooper, on 6 March 2019
I know what you’re thinking, “Oh no, not another post about phishing emails!”. I know we do tend to bang on about this subject, but we do so with very good reason. A compromise through a successful phishing campaign is still one of the easiest ways for an attacker to get in, so for this reason alone we will continue to bang on about it. Phishing emails are still SO prevalent; if we can all learn to easily identify them, that’s a big risk of ours reduced.
The phishing email
Before Christmas we sent out a phishing email to all staff at UCL, see below for a screenshot of the email:
Tell-tale signs of a phishing email
There are a few common tell-tale signs that we ought to bear in mind when we read our email. The following signs relate to the phishing email screenshot above:
- The from address – ucl@systemaccess.network does not look like a real email address, let alone a legitimate UCL email address.
- The to address – in this case the ‘to’ address was correct, but often in phishing emails the ‘to’ address is something other than the recipient’s email address.
- Subject line – the subject line suggests a sense of urgency.
- Opening line – the email does not address the reader by name; it says ‘Dear user’. A legitimate email should address the reader by their actual name.
- Spelling mistakes – some but not all phishing emails contain spelling and grammar mistakes.
- The URL – like the from address, the URL does not look legitimate either: it’s trying to look like a UCL domain but it isn’t. Always hover over a link to see where it will take you, as it may be different to what the text says in the email.
- Overall sense of urgency – the whole email has been designed to get the reader to take action quickly without taking the time to properly think about it.
If in doubt?
Even legitimate emails can sometimes look like phishing emails; it may be a good idea to gently point this out to the author when you come across these. As always, if you are not sure whether an email is legitimate or not, before you respond or click – ask us (isg@ucl.ac.uk).
Using LastPass to manage your passwords
By Daniela Cooper, on 30 November 2018
UCL has acquired licenses for UCL users to use the enterprise version of LastPass. This blog article attempts to explain what LastPass is, why you should use it, and how to get a UCL LastPass account.
Why use a password manager like LastPass?
So, what is LastPass? LastPass is a password manager that allows you to store all your passwords encrypted in one place. The advantage of using a password manager over other methods of storing passwords is that you only ever have to remember one password instead of hundreds for all the individual accounts that you have. This is probably a good time to mention that you should never re-use a password for more than one account: if one account is compromised, it could compromise all accounts that you have that use that same password. It’s really not worth the risk.
LastPass also allows you to share passwords with other LastPass users, so it’s ideal for using in teams that need to share passwords.
2 Factor Authentication
We highly recommend that you use 2 factor authentication with LastPass, as this helps to protect against risks such as key logging software. With 2 factor authentication, if someone was to get your LastPass password they would not be able to access your account without your authenticator code. LastPass allows you to use authenticators such as Google Authenticator, LastPass Authenticator and many others.
How to get a UCL LastPass account
- We recommend that you download the browser plugin from LastPass and/or the app from the app store for your mobile.
- The browser plugin has been pre-installed on all Desktop@UCL Windows 10 machines.
- Then email isg@ucl.ac.uk, who will provision an account for you.
The license we have for LastPass provides two password vaults, one for UCL related passwords and one for personal passwords. The one for personal passwords can be taken with you if you leave UCL and used with the free consumer version of LastPass.
Training options
LastPass is intuitive and easy to use, however they do provide training materials which can be found through the link below:
https://support.logmeininc.com/lastpass/help/use-the-self-service-training-portal-lp010031
If you have any questions or would like further information, just send us an email: isg@ucl.ac.uk.
Recent Phishing Email Examples
By Daniela Cooper, on 21 November 2018
We are planning on regularly posting recent phishing email examples that are received by users at UCL. This is the first one with some ideas on what to look out for in this and other phishing emails:
- The sent from address – the sent from address is somewhat random: it is not a UCL email address; in fact, in this case it is an email address from the Government of Bermuda!
- The sent to address – legitimate emails should be addressed to your actual email address.
- The subject line – there is no Microsoft Active Directory team at UCL. It’s an unusual subject line, and it doesn’t explain the contents of the email.
- The opening line – phishing emails often open with ‘Dear User’; in this case the email says ‘Dear E-mail User’. A legitimate email should use your actual name.
- The sense of urgency – phishing emails often try to scare users into doing something quickly without thinking about it properly; in this case they are asking the user to respond by clicking the dodgy link to avoid their account being closed.
- The link / domain – you cannot see it from the above screenshot, but the link does not go to a UCL domain; it goes to a random website. Remember to hover over a link to see where it’s going before you click on it.
- The signature – there is no Microsoft Active Directory team at UCL. If you are ever in doubt, please check with ISD.
One thing to bear in mind is that easier phishing emails like the one above have been designed so that they could be relevant to any organisation. Ask yourself when reading a possible phishing email if it is relevant to you and UCL.
Of course, this example is a fairly easy one to spot – there will be others that are more targeted and harder to identify. As always, if in doubt please ask us.
Happy Halloween – Win a £25 Amazon voucher
By Daniela Cooper, on 31 October 2018
No trick, just treat!
Tell us your thoughts and win a £25 Amazon voucher!
We are at the point where we are planning our vision for improving our Information Security Awareness programme. We need your help to give us feedback on what we currently do (if you know) and give us some new ideas on what we can do to improve our programme in the future!
Think about how you would like us to contact you, what areas of information security do you want to know more about, and what sort of articles would you like to see on our team blog. Any ideas are welcome.
In return, all responses will be entered into a random prize draw for a £25 Amazon voucher. Entries must be sent using a UCL email address and if the voucher cannot be collected in person, then it will only be posted to a UCL mail address. Send entries to isg@ucl.ac.uk – the winner will be contacted on Friday 30th November.
So get those thinking caps on, and help us improve our Information Security Awareness programme – Good Luck!
Don’t Design Your Emails to Look Like Phishing.
By Robert D Maughan, on 26 October 2018
Something Phishy this way comes
We try to point out to people how to spot emails which are phishing attacks. We would like everyone to be a little cautious and think for a moment before they click on a link or open an attachment. However, sometimes genuine emails are written in such a way that they start to look like a phishing attack. We don’t want anyone to miss out on genuine emails, nor do we want people to get comfortable clicking on things that look like phishing attacks.
So we thought we would offer a little advice on how to avoid looking like a criminal trying to steal someone’s identity.
How not to look like a phish
Use a UCL email address to send out UCL emails. Phishers often use look-alike domains but should not have access to genuine internal UCL accounts.
Don’t use link shortening services like bit.ly as those are often used by phishers to hide where they are really connecting you to.
If you are referring people to an externally hosted site consider including a link to a page on the UCL website as well. The UCL page can talk about the mailing and show the address you are going to direct people to. This lets people check if a mailing is genuine or not.
Use a spell checker and think about how readable your email is before you send it. Many phishers don’t have a good command of English and don’t send particularly business-like emails.
Thought of an idea I have not mentioned here? Why not add it as a comment?
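The tell-tale signs listed in ‘Identifying a Phishing Email’ and ‘Recent Phishing Email Examples’, together with the sender-side advice above, can be turned into automated checks that a mail team could run over a suspicious message or over a draft mailing before it goes out. The Python script below is an added example written for this page; it is not code from the UCL Information Security Group or from the blog. It assumes ucl.ac.uk as the organisation’s own mail domain, and the keyword lists, both sample messages, the recipient address and the look-alike link target ucl-account.systemaccess.network are constructed for the example (only the from address ucl@systemaccess.network and the bit.ly shortener are taken from the page).

```python
# Heuristic checks for the phishing tell-tale signs described on this page.
# Added example, not code from the UCL ISG blog; ORG_DOMAIN, the keyword lists
# and both sample messages are constructed for the example.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "ucl.ac.uk"                        # assumption: the organisation's own mail domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # bit.ly is named on the page; the rest are examples
GENERIC_GREETING = re.compile(r"\bdear\s+(e-?mail\s+)?(user|customer|member|account\s+holder)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within \d+ hours|urgent|suspended|closed|verify now)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def in_org(host):
    """True if host is the organisation's domain or a subdomain of it."""
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def host_of(text):
    """Hostname named by a URL or bare domain, or None if the text names none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_message(raw, recipient):
    """Return the tell-tale signs a (single-part) message trips; empty list if none."""
    msg = message_from_string(raw)
    signs = []
    # The from address: a genuine internal address, not a look-alike domain.
    _, sender = parseaddr(msg.get("From", ""))
    if not in_org(sender.rpartition("@")[2]):
        signs.append(f"from address outside {ORG_DOMAIN}: {sender}")
    # The to address: legitimate email is addressed to the actual recipient.
    to_addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if recipient.lower() not in to_addrs:
        signs.append(f"to address is not the recipient: {to_addrs}")
    # Opening line and sense of urgency, checked on the subject plus the tag-stripped body.
    body = msg.get_payload()
    plain = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(plain):
        signs.append("generic greeting instead of the recipient's name")
    if urgent := URGENCY.search(plain):
        signs.append(f"urgency wording: {urgent.group(0)}")
    # Links: what the text shows versus where the href really goes ("hover over the link").
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target, shown = host_of(href), host_of(text)
        if target in SHORTENERS:
            signs.append(f"link uses a URL shortener: {href}")
        elif shown and target and shown != target:
            signs.append(f"link text shows {shown} but goes to {target}")
        elif target and not in_org(target):
            signs.append(f"link goes outside {ORG_DOMAIN}: {target}")
    return signs


# Constructed sample in the shape of the email described on the page (not the real message).
SAMPLE_PHISH = """\
From: UCL IT Services <ucl@systemaccess.network>
To: a.researcher@ucl.ac.uk
Subject: Action required: your mailbox will be suspended

<p>Dear user,</p>
<p>Your mailbox will be suspended within 24 hours. Please
<a href="http://ucl-account.systemaccess.network/login">https://www.ucl.ac.uk/login</a>
to keep your account.</p>
"""

# Constructed sample of a mailing that follows the "how not to look like a phish" advice.
SAMPLE_GENUINE = """\
From: Information Security Group <isg@ucl.ac.uk>
To: a.researcher@ucl.ac.uk
Subject: Security awareness survey open until 30 November

<p>Dear Dr Researcher,</p>
<p>Details are on <a href="https://www.ucl.ac.uk/informationsecurity/">the ISG web page</a>.</p>
"""
```

Run against the constructed phish, `check_message(SAMPLE_PHISH, "a.researcher@ucl.ac.uk")` reports the external from address, the generic greeting, the urgency wording in the subject line and the link whose text shows www.ucl.ac.uk while its href goes elsewhere; the constructed genuine mailing trips none of the checks. The keyword lists are deliberately short and the checks are heuristics, so a clean result is a reason to look further, not proof that a message is safe.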
Have I Been Pwned?
By Daniela Cooper, on 22 October 2018
Finding out if you’ve been compromised!
This is the first in a series of blog posts on ideas for how you can help look after yourself when it comes to information security.
Have you come across the website www.haveibeenpwned.com?
It’s a website that allows you to check if an account has been compromised in a data breach. It cannot of course tell you 100% that it knows about all possible compromised accounts, but it’s a very good starting point!
It’s a free and quick tool that also allows you to sign up for the ‘Notify me’ service which will tell you if your account comes up as compromised in the future. The data comes from aggregated breaches that have been publicly released.
The UCL Information Security Group has signed up for the ‘Notify me’ service and receives reports for UCL accounts on a regular basis.
If one or more of your accounts does show up, try not to panic. Bear in mind the date of the breach, have you changed your password since then? If not, changing your password would be a good idea. Using a password manager with 2-factor authentication is also a good idea – more on that in the next blog post.
So, give it a go, have you been pwned?
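The post describes checking accounts on the website. The same service also offers a password check that works without sending the password or even its full hash: the client sends only the first five hex characters of the SHA-1 hash, the service returns every known hash suffix for that prefix with a breach count, and the match is made locally (the k-anonymity "range" API). The Python below is an added example written for this page, not code from the blog or from Have I Been Pwned; the API URL is the published range endpoint, and RANGE_RESPONSE is a constructed stand-in for the service's reply (the count and the two other suffixes are made up) so the example runs offline. It goes beyond the post by showing the password side of the service rather than the account search.

```python
# k-anonymity lookup against the Have I Been Pwned "Pwned Passwords" range API.
# Added example, not code from the blog post or from HIBP.  RANGE_RESPONSE is a
# constructed stand-in for the API's reply so the check can be run offline.
import hashlib
from urllib.request import urlopen

API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_text):
    """Number of times the password appears in breach data, matched locally."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_text).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network): only the 5-character prefix is sent."""
    with urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed reply for prefix 5BAA6: two made-up suffixes plus the real suffix
# of SHA-1("password") with a made-up count.
RANGE_RESPONSE = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", RANGE_RESPONSE))  # 5BAA6 123456
```

For a live check, `breach_count(pw, fetch_range(sha1_prefix_suffix(pw)[0]))` sends the prefix only. A non-zero count means the password has appeared in a public breach and should not be used anywhere, which is the same advice the post gives for a compromised account.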
Extortion by Email
By Robert D Maughan, on 22 October 2018
We are seeing another increase in criminals attempting to profit from users of the UCL email system. This particular attack relies on social engineering, or to be more blunt, extortion, rather than a technical approach. The criminal emails you and says they hacked your system. They claim to have copies of all your files, your browser history or even photographs or video taken using your webcam.
How the attack works
The criminal might share some information to prove they have accessed your system; a common example is the login details for a site you have visited previously. The attacker tells you they have installed malware on your computer and that the only way to prevent them trashing your computer and publishing all the stolen information is to pay a ransom, usually in bitcoins.
Of course criminals lie, so it is very unlikely they have hacked you at all. Much more likely is that there has been a data breach which disclosed the username and password you use at a particular website.
The criminal hopes that by sharing this small amount of information with you, they can trick you into thinking they have much more of your information and get you to pay the ransom.
Similar emails will have been sent to hundreds or thousands of other people and even if only 1% of the people who receive the email pay up it is still very profitable for the criminal.
What should you do?
So what should you do? Firstly, never pay a ransom: this only makes it more likely you will be targeted again and again. Secondly, if they have sent you login details for a site then change that password immediately, and if you have reused that password in multiple places, change it in all of them. Thirdly, move on with your life: the risk that they have actually got access to your data, when they make a threat like this, is so small that you are more likely to be struck by lightning.
Ongoing Phishing Attacks
By Robert D Maughan, on 17 October 2018
UCL is currently seeing a large number of emails claiming to be from HMRC and to be about how to claim your tax refund. These are an attack known as phishing.
Unfortunately these are not from HMRC but from criminals who want to trick people into sharing personal information. In particular they are hoping to obtain bank account information which could be used to steal money from you. So please do not open these emails, click on any links they contain or open any attachments.
Most attacks of this type attempt to install malware on your device so they can carry out other attacks such as:
- Stealing your documents and photos
- Activating your camera and microphone to spy on you
- Encrypting your files and demanding a ransom
- Or even using your computer as a launching point to attack other people.
So please think twice before you click on links or attachments you are sent. If you want to report receiving this sort of email you can do this at https://www.actionfraud.police.uk/ and that site also has some excellent advice on what to do if you have shared information with a criminal.
Phishing Campaign
By Daniela Cooper, on 10 October 2018
Phishing is when someone malicious sends an email pretending to be from a legitimate person or organisation – the email will most likely ask for details such as passwords or financial information, but it can also ask you to download a malware infected attachment or ask you to click on a link to a compromised website.
Phishing has long been a problem, and something that we see targeted at UCL almost constantly. A successful phishing attack is an easy way into an organisation that doesn’t involve a lot of skill or effort on the part of the malicious attacker. Once in, an attacker can gain access to all sorts of information (personal, financial, sensitive); they can steal that information and destroy it. An attacker can also gain control of your computer!
Due to the frequency of phishing attempts and the seriousness of the consequences, the UCL Information Security Group are about to embark on a phishing campaign that will involve sending simulated phishing emails to staff. We hope that staff won’t respond to the phishing emails, however the campaign is intended to help us identify areas that need more education and support, as well as raising awareness on how staff can help protect themselves and UCL.
For more information on phishing and what to look out for: www.ucl.ac.uk/informationsecurity/phishing.
If you are ever unsure whether an email is legitimate, before you click or respond, just ask – phish@ucl.ac.uk.
Have you classified that information?
By utnvrrv, on 16 February 2018
Why classify information?
Information should be classified so that everyone with access knows how to protect it.
To protect information consistently, it is of paramount importance that there is a pan-organisational scheme for classifying information. This scheme should also inform users how information should be handled according to its requirements for confidentiality, integrity and availability. To elaborate further, the classification of data helps determine what baseline security controls are appropriate for safeguarding that data. By implementing an information classification scheme the organisation can endeavour to meet its legal, ethical and statutory obligations.
Information classification can also protect the interests of the stakeholders of the organisation and about whom the organisation may hold information.
Levels of information classification
There are several levels of classification that can be applied to information. For example, the HM Government Security Classification includes Official, Secret and Top Secret, and is based on 4 principles. Not all organisations may require such stringent principles when adopting an information classification scheme. However, each organisation must evaluate the risks in terms of reputational loss, loss of business, lawsuits and inadvertent disclosure of information. In some cases, an external partner may not share any further information if the organisation has been known to share information without appropriate controls, e.g. encryption.
I’ve outlined some simple steps to help you get started.
Information Management Policy and guidance
It is important to develop an information management policy and guidance for your organisation. This should be commensurate with risks that your organisation may face and the expectations of your stakeholders. It is necessary to consider the legal and regulatory requirements of the country that your organisation operates in. It is also very helpful if a process for classifying and handling information is developed and adopted.
Awareness Training
Staff should undergo awareness training to ensure that they are aware of their responsibilities in managing information that they’ve been entrusted with. This can be tailored according to the kind of information that the staff deal with. Awareness training must be regularly carried out with periodic refresher courses as necessary.
At UCL, we have created a classification tool to help with classifying a specific information asset. See https://opinio.ucl.ac.uk/s?s=45808
If you are from UCL, please see the UCL Information Management Policy here:
Please do contact the Information Security Group if you need more information.
References:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf