Advisory: Malware Delivered by Email

Please be aware that several individuals at UT Arlington have reported receiving email messages with an attached “.zip” file that contains hidden malware (malicious software).

While the Office of Information Technology (OIT) continues to determine the nature of the malware, all incoming emails that contain compressed files will be quarantined until further notice, and access to shared drives (K:) will be blocked. This action is intended to limit further receipt and propagation of the malware.

OIT is in the process of removing the malicious email from inboxes; until it is removed or deleted, any malicious email that has already been received will remain in your inbox. Please do not open the attachments of any messages that appear suspicious or that you are not expecting. Sample messages are included at the bottom of this message.

The malware appears to be ransomware (a CryptoLocker variant): it will encrypt files on the infected computer as well as on network drives. The email subject line is not consistent and may be one of the following:

  • Commission
  • Please find attached invoice no: <<random number>>

Your Actions:

  • If you receive a suspicious or unexpected email matching the description above, do not open the attachment. Instead, send the email as an attachment to spam@uta.edu for analysis.
  • If you are expecting a legitimate email with an attached zip file, you will need to release it manually from quarantine. The email system should notify you when an email is placed in quarantine, or you can log in to https://quarantine.uta.edu/ to check quarantined mail. Please do not restore and open any suspicious or unexpected attachments you may find in the quarantine.
  • If you received the message and opened the attachment, please contact the OIT Help Desk for assistance.

Example 1 of the message:

From: document@uta.edu [mailto:document@uta.edu]
Sent: Monday, August 29, 2016 5:58 AM
To: <<recipient>>
Subject: Please find attached invoice no: 6862055379

Attached is a Print Manager form.

Format = Portable Document Format File (PDF)
________________________________

Disclaimer

This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.

End of Example 1

Example 2 of the message:

From: <<random name and email address>>
Sent: Monday, August 29, 2016 4:12 AM
To: <<recipient>>
Subject: Commission

Good morning <<name of recipient>>

Here is the excel file of the commission you earned last month. Please analyze the attachment to confirm the amount.

Regards,

<<Random Name>>

End of Example 2


New Phone Scam

The Information Security Office wants to alert students, faculty, and staff to a type of phone scam called vishing (voice phishing), which uses fake caller-ID data to give the appearance that calls come from a trusted organization (such as UT Arlington). The caller tells people they owe money to the University and that a warrant has been issued for their arrest. The caller then demands immediate payment for the alleged debts.

University officials will not contact you in this manner or threaten arrest for non-payment of debts. UT Arlington debts, including citations, can be verified by checking MyMav or visiting the Bursar directly. Be aware that this is a type of social engineering, in which someone uses influence, deception, and persuasion to obtain information that would otherwise be unavailable to them (which is also fraud).

Caller ID is far from proof of a caller’s identity and is not a form of authentication. Don’t trust incoming calls based on Caller ID alone; make absolutely sure you know to whom you are speaking. If an incoming call from a supposedly legitimate company asks for personal information of any kind, it is a scam. It is fraud. Period.

If you receive an unexpected call like this from someone claiming to be from UTA, DO NOT provide your credit card information. If you fall victim to such a call, contact the UT Arlington Police Department at 817-272-3381. For information on preventing social engineering and theft, please contact the ISO at security@uta.edu or call us at 817-272-5487.

For more information about Identity Theft, go to:

http://www.uta.edu/security/identity_theft/

For more information about Social Engineering, go to:

http://www.uta.edu/security/socialengineering/

Holiday Season Cyber Scams and Malware Campaigns

As we approach the holidays, the Information Security Office (ISO) would like to remind the UT Arlington community to be aware of seasonal scams, phishing and malicious software (malware) distribution campaigns.

Every year, cyber criminals take advantage of the increase in online purchases and electronic seasonal greeting cards to trick victims into believing they’ve received packages or personal messages. They often use multiple methods to attract victims, such as posing as legitimate websites and/or sending fraudulent emails crafted to look legitimate; they copy the logos and email or web templates of legitimate businesses (e.g., FedEx, DHL, UPS, Amazon.com) in an effort to entice victims into clicking links or opening attachments.

These phishing and malware campaigns may come in the form of:

  • Fake shipping/courier notifications.
  • Electronic greeting cards or links to holiday screensavers or other forms of media.
  • Requests for charitable contributions that appear to be for legitimate causes but originate from illegitimate sources claiming to be charities.
  • Credit card or gift card applications or enticing discounts in online shopping advertisements that lead to websites you’re unfamiliar with.

In addition, be aware of social engineers who may call you on your personal or work phone using a themed pretext (holiday offers, package pickup, etc.).

Don’t be a victim! The ISO advises caution when you encounter these types of email messages or websites by:

  • Looking for tell-tale signs that a website or email is not legitimate:
      – The sender’s address or website address does not match the organization named in the content of the message.
      – The grammar in the message or website is poor.
      – The format of the email or website is poor or inconsistent with what you’re used to seeing from the organization.
      – Hovering over a link with your mouse reveals a web address inconsistent with the content of the message.

  • Never clicking on links in emails that you’re not expecting.
  • Never opening attachments in emails that you’re not expecting.
  • Never providing your personal information in an email or on a website unless you are completely sure.
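Added example, not part of the advisory: a small Python check that applies the tell-tale signs above to one raw message. It flags a sender domain that does not match the organization named in the body, a link whose visible address differs from the target hovering would reveal, and a compressed attachment of the kind the OIT quarantine rule holds. The sample message and the organization-to-domain mapping are constructed assumptions for this illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not one of the advisory's examples) showing the three signs
# checked below: unrelated sender domain, misleading link text, .zip attachment.
SAMPLE = """\
From: "FedEx Delivery" <notice@parcel-updates.example>
To: recipient@example.edu
Subject: Please find attached invoice no: 6862055379
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Your FedEx package is waiting: <a href="http://track-fedex.example/login">https://www.fedex.com/track</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

--b1--
"""
# Assumed mapping of organizations the advisory names to their genuine mail domain.
BRANDS = {"fedex": "fedex.com", "dhl": "dhl.com", "ups": "ups.com", "amazon": "amazon.com"}
COMPRESSED = (".zip", ".rar", ".7z", ".gz")
LINK = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def check_message(raw):
    # Returns the advisory's tell-tale signs found in one raw RFC 822 message.
    msg = message_from_string(raw, policy=policy.default)
    sender_host = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = []
    # Sign 1: sender address does not match the organization named in the content.
    for brand, domain in BRANDS.items():
        if re.search(rf"\b{brand}\b", text, re.I) and sender_host != domain and not sender_host.endswith("." + domain):
            findings.append(f"sender {sender_host} is not {domain} but body names {brand}")
    # Sign 2: the target hovering reveals (href) differs from the address shown as link text.
    for href, shown in LINK.findall(text):
        shown_host, real_host = urlparse(shown.strip()).hostname, urlparse(href).hostname
        if shown_host and real_host and shown_host != real_host:
            findings.append(f"link shows {shown_host} but points to {real_host}")
    # Sign 3: compressed attachment, the file type the OIT quarantine rule holds.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(COMPRESSED):
            findings.append(f"compressed attachment {name}")
    return findings
```

Running `check_message(SAMPLE)` reports all three signs; a message from the organization's own domain with plain text and no attachment reports none.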

The United States Computer Emergency Readiness Team encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Phishing Attempt – 2014/01/23

The Information Security Office has been made aware of a phishing attempt that has been sent to some UTA employees. Please delete this email if you receive it:

“””

Hi Web-mail User’s ,
Please take a moment to verify your email for this 2014 account’s verification. It’s really important because if you neglect this our server admin provider will delete your account because our server quota is congested. Just click the link and you’ll be all set up.

[REMOVED IMAGE]

With web-mail  you get all kinds of free stuff this year 2014:

  • Unlimited storage limit
  • High speed mails
  • Custom voicemail

Thanks and we hope you have a blast!
– team update ( c ) 2014

P.S. If you’re not a web-mail account user and have never heard of web app outlook, we’re really sorry! Someone must’ve typed your email address in by mistake. Just forward this email to us at support@microsoft.com and we’ll take care of it.
Virtua Health, Inc. maintains systems for protection of electronic information, which are the property of Virtua Health, Inc. and are to be used for legitimate business purposes. You shall at all times protect and maintain the confidentiality of your user name and password and shall not disclose them to any third party. You are responsible to comply with the regulations and security rules set forth by HIPAA and Virtua Policies regarding the protection of data & confidentiality. Excessive use of systems for any reason other than legitimate business purposes is prohibited. Virtua Health, Inc. monitors all system transactions. No right to privacy exists when using Virtua Health, Inc. systems at work or when accessing Virtua systems from a personal computer or other device. Virtua Health, Inc. has the right to monitor, access, review, audit and disclose information obtained through Virtua Health. Inc. systems, including email, without advance notice to and/or without consent. All users of Virtua Health, Inc. systems are required to notify the IS Help Desk if they become aware of any misuse. I confirm that I have read this acknowledgment and understand

“””