Universitetet i Agder

Phishing, viruses, SPAM and crypto-locker flood UIA

During just one hour, from 6 to 7 AM on 9 October, 20 585 emails flooded into UIA’s large rubbish bin. Only 949 of these messages slipped through the net.

By Tor Martin Lien

Published: Tuesday 17 October 2017

This article is more than two years old, and may contain outdated information.

The figures say something about the volume of spam which zips by in cyberspace. At the same time, it also says something about just how important it is to have updated filters that work to stop this flood. But still, some of those 949 messages that found their way through the UIA filters that morning were also spam.

UIA is doing more to stop spam and dubious clicks – now we are going to put up what is known as the “Cisco Umbrella”. More on that later.

Spam@UiA

“It is important to be attentive. Stop and think before you click,” says the security adviser to the ICT department, Annette Thorkildsen Osaland.

If you receive e-mails which you believe might be attempts at phishing, or contain viruses or other undesirable content, you can forward the message in question to the email address SPAM@uia.no. The message will be checked here, and the spam filter updated if necessary.

“UIA collaborates with the University of Oslo on anti-spam systems and updating filters,” says the team leader of UIA’s IT centre, Helge Høynes.

Grafen viser innkommende e-poster til UiAs hovedserver, og hvor mange som slapp gjennom filterne (grønn strek) og alle som ble filtrert bort (blå strek). (Screenshot: Helge Høynes)

The graph shows incoming emails reaching UIA’s main server, and also how many slipped through the filters (green line), and all of those which were filtered out (blue line). (Screenshot: Helge Høynes)

“The illustration shows the number of messages every hour – the green line shows the total number of messages delivered to the recipient, the blue line shows the number rejected because of spam, phishing or viruses – and which are therefore not delivered to the recipient,” says Høynes

Phishing attempts today

On the afternoon of 17 October, the writer of this article received a phishing email which amply demonstrated that, however good the filters are, some do still get through. Several others have reported the same phishing attempt to spam@uia.no.

This is the current reality – this came in on the afternoon of 17 October: If you take away the red marks, it looks relatively trustworthy. But the sender’s address (marked at the top) is highly questionable on closer inspection, even though University of Agder and admin.support@uia.no are contained within it. The email address (marked in the middle) is added to increase its credibility, as is also the case for www.uia.no (marked at the bottom). When I hover the mouse pointer over www.uia.no, an address comes up which starts with yesinc.org. This is a known phishing address. Always test addresses by hovering the mouse pointer over them and checking the given and actual address. If you are in doubt – leave it. Stop – think – click.

Outlook formidler advarselen mot adressen (i rød ring) fra nettleseren Chrome. En av UiAs brukere som ikke så tilsvarende advarsel ved en tidligere phishing-sak, men fylte ut og trykket "Sign in", fikk øyeblikkelig en stormflo av "ukjent mottaker"-e-poster som sprengte inn-boksen. Årsaken var at de som hadde sendt phishing-e-posten tok i bruk e-posten til vedkommende i samme øyeblikk for å sende ut phishing-e-poster i et enormt omfang, og for alle mottakerne med stengt e-post sendte postmasteren "ikke funnet"-svar. Som på UiA når noen slutter - etter kort tid blir e-postkontoen stengt og e-postsendere får svar om "ukjent mottaker" fra UiAs postmaster. Men husk: Advarselen forutsetter at Outlook kjenner til at det er en phishing-adresse. Så får du en ukjent e-post: Stopp - tenk - klikk.

Outlook displays this warning about the address (in the red ring) from the web browser, Chrome. Not all web browsers have this function, or if they do, it is less active. One of UIA’s users who did not see a similar warning in an early phishing case, and who filled out the form and clicked on “Sign in”, immediately received a veritable flood of “unknown recipient” emails which blew apart their inbox. The reason was that those who had sent the phishing email made use of the unfortunate individual’s email at that same moment in order to send out an enormous quantity of phishing emails, and for all those recipients with closed emails, the postmaster sent a “not found” reply. Similarly, email accounts are closed a short time after someone leaves UIA, and email senders receive the reply “unknown recipient” from UIA’s postmaster. But remember: this warning presupposes that Outlook knows this to be a phishing address. So if you receive an unrecognised email: Stop – think – click.

Denne advarselen dukket opp på min maskin, fordi Chrome har lagt inn at yesinc.org er en phishing-avsender. Men det kan ta tid før Chrome får advarselen inn i sitt systen, så gjør som alltid: Stopp - tenk - klikk.

This warning popped up on my machine because Chrome has registered that yesinc.org is a phishing sender. But it can take time before Chrome gets these warnings into its system, so, as always: Stop – think – click.

UiAs nye system - som nettopp er innført - blokkerer nå yesinc.org etter at teamleder Helge Høynes la inn at dette er en tvilsom adresse. Dette er siden du får opp om du prøver å gå inn på adressen.

UIA’s new system – which has just been introduced – now blocks yesinc.org after team leader Helge Høynes recorded it as a questionable address. This is the page you will see if you try to access the address.

Saved from ransom money payment

In the course of the last year, five people from UiA have been tricked by the Crypto-locker virus. It is easily done in one thoughtless moment, even if that moment provides several opportunities to stop – think – click.

It is far from certain that those behind the program, which locks your machine and demands money to open it up again, really do just that when the money is sent. So the rule is: Contact IT sooner rather than later if you have been so unlucky as to have had your machine locked. Do not pay!

But take precautions. There can be significant consequences, particularly if you have not ensured that your files have been saved in a safe place, such as in UIA’s cloud storage. UIA has backups of files there, and there is thus a good chance that your machine can be cleared – reset – and your files uploaded again.

One reason that cloud storage has been introduced is that UIA people can now retrieve their documents and save them in the usual way when they are far away from UIA, the office, or reading area.

“It is really important that everyone saves in the right places, so that you have a backup of your files. If you are unlucky and become a victim of this, it is important to report it as quickly as possible to IT-help, even if it can be embarrassing. It is important that we get started as quickly as possible with restoring your files,” says Helge Høynes.

Phishing – check before you click

Here is an example of one scam from winter. It had a relatively large impact. In this case, it was Telenor that experienced being misused:

E-invoices – check the sender’s address! But in other ways, it looks completely genuine. (Screenshot: Helge Høynes)

If you let the mouse cursor rest over the link in the message, you will see that it does not go to www.telenor.no, but rather to http://tf4.telnor1.net/i80u.php?id=am9ybi5hLmNydWlja3NoYW5rQGFnZGVyZm9yc2tuaW5nLm5v

- something altogether different.

Men når du gjør som du bør - kikker på avsenderadressen før du åpner - så gjør du forhåpentligvis ikke det. (Screenshot: Helge Høynes)

E-invoices – check the sender’s address! But in other ways, it looks completely genuine. (Screenshot: Helge Høynes)

Here, the address is obscured, and those who are particularly attentive will notice that the country code is .pl – in other words Poland – and this should indeed arouse our suspicions. So, therefore: Always check the sender’s address before you open it.

E-faktura - sjekk avsenderadressen! Men ellers ser den helt ekte ut... (Screenshot: Helge Høynes)

If you did, nonetheless, choose to open it, the following picture comes up.

UIA puts up the umbrella

“Cisco Umbrella” is the name of a new security solution which UIA has now introduced. The umbrella helps further in the battle against becoming an unfortunate victim when clicking on addresses or URLs.

Here is IT security adviser Anette Thorkildsen Osaland’s description of UIA’s new umbrella:

Today’s challenge is to protect ourselves against malicious software, phishing attacks and ransomware viruses. We are all dependent on digital solutions, and digitalisation is in a state of rapid growth. Many might think that cybercrime is not something that affects them, but the fact is that digital threats concern us all.

Cyber criminals are utilising more advanced and sophisticated methods than we have seen before, and they operate in a highly professional manner.

Those who carry out attacks tend to target the weakest link, in other words ourselves – humans. It can as a result be difficult to distinguish between what is real and what is an attempted attack.

We try to protect computers with technical solutions, but the most important of all is that we, as users, exercise vigilance. This is about protecting ourselves by detecting and blocking threats before the damage has been done, and therefore UIA has resolved to make use of a solution which helps us with this.

The product “Cisco Umbrella” is, simply put, a solution in which the addresses we click on will be checked against a large database, and access will be blocked if they transpire to be known phishing/malware sites. This increases data security and provides better protection for staff and students at UIA.

It is important to pinpoint in this context that privacy is maintained and that the logs are not traced back to individuals.

Cisco Umbrella provides us with:

- Protection from harmful programs without affecting user-friendliness

- A reduction in the number of infections/successful cyberattacks/encryption of data

- A swifter response to incidents

- Security in depth – several layers of security

Questions about Umbrella? Contact IT help if you are uncertain about anything.

(Illustrasjon: Thomas Andersen)

“Nobody should be afraid to report breaches of security. We are definitely not out to take people down”, says UIA’s IT security adviser, Anette Thorkildsen Osaland. “The reports help us to gain an overview of the security situation at UIA, whilst they simultaneously help us with our preventive security work.”

Security at UIA is not stronger than the weakest link. So it is important that we find what this is in order that we can become stronger together.

“And this is where reports about breaches in security are an important tool,” says the IT security adviser.

Check that you are following UIA’s IT regulations, which take care of information security: Summary page.

Deleting and saving remotely

“All telephones with an UIA email must be able to be wiped from Outlook if there is a crisis. But it can take a while before you realise that your mobile has gone” says the head of UIA’s IT centre, Helge Høynes.

Cloud storage, remote storage or synchronisation services – one good thing can have many names. These are services of the type iCloud, Dropbox, One Drive and others are about. “The cloud” with its storage space is of the type of information storage installation such as is now being built at Støleheia, in Vennesla.

“Regardless of anything else, it is extremely useful to have saved an updated copy of content in a mobile phone, tablet or PC if you have been so unlucky as to have lost one of these,” says Høynes.

At UIA, OneDrive is used as the cloud storage service, both for users of Windows 10 and Mac. This means that the PC automatically saves content in the cloud. But other mobile devices must be configured for cloud storage – in other words, they must be synchronised with the cloud.

Read more about cloud storage on Aftenposten.no: (Be aware that the terms and conditions can often change).

See Telenor’s website for remotely deleting mobile data: How to remotely wipe your mobile

Or for Apple products: See iCloud: Delete your device:

To be on the safe side – this is made especially for security at universities and university colleges. It is a new page – opened Monday 2 October – and is ready with many good pieces of advice and tips.

The security month October:

October is a security month for all government agencies – this means that extra focus will be placed on security. It does not mean that security is something to think about only in October – but this month should be used by everybody to work out good security routines for daily life. And these must be put into practice every day throughout the whole year.

The national security month has been arranged today for the seventh time. The campaign is coordinated by the Norwegian Centre for Information Security (NorSIS), which is a part of the government’s holistic focus on information security in Norway. NorSIS is technically subsidiary to the Ministry of Justice and Public Security.

Other good websites concerning safety online:

NorSIS runs Slettmeg.no – with free advice and guidance services for you if you feel that you have been infringed upon online.

Nettvett.no – Information, advice and guidance about more secure use of the internet and social media. It also provides advice about protecting mobiles and computers etc.

The Norwegian National Security Authority (NSM) is Norway’s expert agency working with information and object security, and it is the national academic group for ICT security. The directorate is a national reporting and coordinating authority for serious information breaches and other ICT security incidents.