Please be aware that several individuals at UT Arlington have reported receiving email messages with an attached “.zip” file that contains hidden malware (malicious software).
The malware appears to be ransomware (a Cryptolocker variant) – it will encrypt files on the infected computer as well as on network drives. The email subject line is not consistent and may be one of the following:
- Please find attached invoice no: <<random number>>
- If you receive a suspicious or unexpected email similar to the description above, do not open the attachment. Instead, we ask you to send the email as an attachment to email@example.com for analysis.
- If you are expecting a legitimate email with an attached zip file, you will need to manually release it from quarantine. The email system should notify you of emails being placed in quarantine, or you can log in to https://quarantine.uta.edu/ to check quarantined mail. Please do not restore and open any suspicious or unexpected attachments you may find within the quarantine.
- If you received the message and opened the attachment, please contact the OIT Help Desk for assistance.
To learn about Ransomware:
To learn about Phishing:
Example 1 of the message:
From: firstname.lastname@example.org [mailto:email@example.com]
Sent: Monday, August 29, 2016 5:58 AM
Subject: Please find attached invoice no: 6862055379
Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________
This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
End of Example 1
Example 2 of the message:
From: <<random name and email address>>
Sent: Monday, August 29, 2016 4:12 AM
Good morning <<name of recipient>>
Here is the excel file of the commission you earned last month. Please analyze the attachment to confirm the amount.
End of Example 2
The following note has been adapted from a Texas Department of Information Resources notice to state agencies:
As you may have heard, there could be a serious weakness in the mechanism that protects your username, passwords, and other confidential information on various Internet sites. This advisory provides IT personnel with steps to ensure agency websites are safe. It also provides all agency staff with guidance for protecting credentials on work-related or personal websites that have the Heartbleed vulnerability.
IT personnel should take the following steps immediately:
1. Patch all vulnerable OpenSSL systems – The Information Security Office has identified a number of servers and has contacted most server owners directly. Server owners include OIT and those in departments. Servers for which OIT is unable to identify owners, or that are not patched, will be disconnected.
2. Revoke and reissue certificates that use OpenSSL/TLS – Contact the Information Security Office if you need assistance with this for a University-owned server.
3. Once items 1 and 2 are completed, force user password changes for all impacted accounts. UT Arlington Office of Information Technology will send a communication when NetID password changes should occur.
Additionally, all staff should take the following steps to protect their personal information:
- Check to see if any non-UT Arlington websites you use (and on which you have accounts) are vulnerable:
  - Heartbleed Hit List – a listing of some popular websites and their vulnerability status [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/]
  - Heartbleed Test – a tool for checking status of individual websites [http://filippo.io/Heartbleed/]
  - Qualys Heartbleed Test – a more in-depth analysis of encryption on websites [https://www.ssllabs.com/ssltest/]
  - CNET has posted a list of the Heartbleed status of the web’s top 100 sites [http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/]
  - The password manager, LastPass, also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users [https://lastpass.com/heartbleed/]
- Immediately change passwords for non-UT Arlington sites that are not vulnerable (whether repaired or never affected), giving first priority to critical accounts and email.
- Create fresh, unique passwords for each account. Hackers will use credentials from one account to break into your other accounts.
- Be alert for phishing scams attempting to lure you to credential-stealing sites. Do not click on links in emails that ask you to reset your passwords. To change your password, type the URL of the organization in a browser.
- Note: Do not change your password before a site has addressed its Heartbleed vulnerability.
Now is a great time for everyone to do some password maintenance. Make sure your usernames and passwords are strong, choose unique passwords for different accounts, and change critical passwords frequently. And always be on the alert for malicious activity on the Internet.
Please be aware that a potentially new variant of the Cryptolocker ransomware has been identified. “Ransomware” is a new category of malware that can prevent access to a computer, or the data on it, unless the victim pays a ransom to the malware creator. The Cryptolocker malware encrypts files on the victim’s computer and then demands payment for the files to be unlocked.
Because this is a new variant of the malware, there are no current ways to protect you from it. The only protection is to not open attachments that you are not expecting or that look suspicious. The malware is primarily delivered via email and often contains a subject line enticing you to open an accompanying attachment. Below is an example of the message (Subject: Invoice Payment Confirmation; Attachment: Invoice_Details_01.04.2014.zip).
The malware can potentially be sent to your UTA email or your personal email (e.g. Gmail, Hotmail, Yahoo, etc.) account.
If you fall victim to this virus, you will not be able to unlock your files and must rely on your backups. The malware can be aggressive and has been known to encrypt files on local hard drives, external drives and potentially your file shares (e.g. your K: and J: drives).
UTA Employees: To back up your data on a UTA-owned computer, you may use CrashPlan (search for “CrashPlan” in the search box on the UTA website).
For updates on this advisory, please check back periodically or send an email to firstname.lastname@example.org. If you need help on how to use CrashPlan or if you are a victim of this virus, contact the Help Desk at 2-2208.
Please see our previous blog entry about Cryptolocker for background and tips.
Apple has released the next version of OS X, 10.9 (Mavericks). If you have SecureDoc encryption software installed on a University-owned Macintosh computer, do not install this update until OIT announces support for it. The SecureDoc software, as well as other OIT-supported application software, has not been tested for compatibility with OS X 10.9 and is not currently supported. WinMagic has not announced a release date for the compatible version of the SecureDoc encryption software. SecureDoc compatibility testing will begin immediately after WinMagic has released a version that supports OS X 10.9, and the campus will be notified when and how to proceed with the update.
For technical assistance contact the OIT Help Desk at 2-2208.
Phishing is when criminals send specially crafted email messages in order to get users to give up their usernames and passwords, or other personal information. Their goal is to obtain access to user accounts, often to send spam from compromised email accounts, but also to acquire access to bank accounts or information useful for identity theft. Please access the ISO phishing website for guidance on how to recognize a phishing message and what to do if you’ve received a suspicious message or if you’ve fallen victim to one. At minimum:
- Don’t click on links sent to you by individuals you’re not familiar with.
- Don’t open any attachments that you’re not expecting; confirm with the sender to be sure that attachments or links are legitimate.
- Never divulge your password to anyone, and pay close attention to the web address of any website requesting you to log in.
- Don’t use the same password for all of your online accounts (e.g. Facebook, Twitter, LinkedIn, Apple, Amazon, bank, U. T., etc.), in particular those providing access to funds or confidential information.
- Be aware of the typical email communications of the services you use; any non-typical behavior is a warning sign.