Phishing and Ransomware Dave Phillips Information Technology Resources March 2, 2016
Phishing

- What it looks like
- How to identify
- What happens to your credentials

Remember that ITR will NEVER, EVER ask for your login credentials in an email.
Sample - Phishing Email

Subject: You have two message's from your Admin.
Date: February 29, 2016

Dear dphillips@hartnell.edu

Your have two important message's on your Etudes from Office of Faculty Administration.

Click here to read

Thanks
Etudes Team
Phishing - Sample Email

Subject: Alert
Date: February 18, 2016

Your Two incoming mails were placed on pending status due to a recent upgrade to our data, In order to receive the messages Click Here to login and wait for response from Administrator, we apologize for any inconvenience and appreciate your understandings.

Thank you!
Phishing Sample Email

Hartnell University Email Account
Security info replacement

Someone started a process to replace all of the security info for your Email Account. If this was you, you can safely ignore this email. Your security info will be replaced with 153#234 when the 5-day waiting period is up.

If this wasn't you, someone else might be trying to take over your email account. Click here to fill in details and verify your current information in our servers and we'll help you protect this account.

Thanks,
Dave
For: Hartnell University Email Team
Phone: 831-755-6729
Email: alert@hartnell.edu
Phishing Sample Email

Official Notification Letter
Email from Google Corporations : Official Notification Letter
8/14/2015 7:02 PM
Google Corporations
1 attachment

Dear Google User,

This is to officially inform you that you have been selected as a winner for using Google services, attached is our official notification letter for your perusal.

Sincerely.
Larry Page
CEO & Co-founder of Google
Spear Phishing Sample Email
Phishing How to Identify
Phishing Show Original

Delivered-To: dphillips@hartnell.edu
Received: by 10.107.9.10 with SMTP id j10csp2188264ioi; Wed, 2 Mar 2016 04:55:51-0800 (PST)
X-Received: by 10.55.82.85 with SMTP id g82mr32980902qkb.107.1456923351075; Wed, 02 Mar 2016 04:55:51-0800 (PST)
Return-Path: <webmaster@intervent.com>
Received: from mout.perfora.net (mout.perfora.net. [74.208.4.196]) by mx.google.com with ESMTPS id j32si3040185qga.91.2016.03.02.04.55.50 for <dphillips@hartnell.edu> (version=tls1_2 cipher=ecdhe-rsa-aes128-gcm-sha256 bits=128/128); Wed, 02 Mar 2016 04:55:51-0800 (PST)
Received-SPF: neutral (google.com: 74.208.4.196 is neither permitted nor denied by best guess record for domain of webmaster@intervent.com) client-ip=74.208.4.196;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.208.4.196 is neither permitted nor denied by best guess record for domain of webmaster@intervent.com) smtp.mailfrom=webmaster@intervent.com
Received: from oxusgaltgw15.schlund.de ([10.72.72.62]) by mrelay.perfora.net (mreueus002) with ESMTPSA (Nemesis) id 0M9HxI-1akQWW1q5m-00CiBP for <dphillips@hartnell.edu>; Wed, 02 Mar 2016 13:55:50 +0100
Date: Wed, 2 Mar 2016 07:55:50-0500 (EST)
From: "\"[[\"jfitch@hartnell.edu" <jfitch@hartnell.edu>
Reply-To: "\"[[\"jfitch@hartnell.edu" <jfitch@hartnell.edu>
Phishing Show Original

Delivered-To: dphillips@hartnell.edu
Received: by 10.107.9.10 with SMTP id j10csp2187788ioi; Wed, 2 Mar 2016 04:54:41-0800 (PST)
X-Received: by 10.140.132.149 with SMTP id 143mr33255775qhe.7.1456923281571; Wed, 02 Mar 2016 04:54:41-0800 (PST)
Return-Path: <webmaster@intervent.com>
Received: from mout.perfora.net (mout.perfora.net. [74.208.4.197]) by mx.google.com with ESMTPS id g184si35827941qhd.51.2016.03.02.04.54.41 for <dphillips@hartnell.edu> (version=tls1_2 cipher=ecdhe-rsa-aes128-gcm-sha256 bits=128/128); Wed, 02 Mar 2016 04:54:41-0800 (PST)
Received-SPF: neutral (google.com: 74.208.4.197 is neither permitted nor denied by best guess record for domain of webmaster@intervent.com) client-ip=74.208.4.197;
Authentication-Results: mx.google.com; spf=neutral (google.com: 74.208.4.197 is neither permitted nor denied by best guess record for domain of webmaster@intervent.com) smtp.mailfrom=webmaster@intervent.com
Received: from oxusgaltgw15.schlund.de ([10.72.72.62]) by mrelay.perfora.net (mreueus001) with ESMTPSA (Nemesis) id 0MLxKE-1aXpZk3r5g-007iJl for <dphillips@hartnell.edu>; Wed, 02 Mar 2016 13:54:40 +0100
Date: Wed, 2 Mar 2016 07:54:40-0500 (EST)
From: "jfitch@hartnell.edu" <webmaster@intervent.com>
Reply-To: "jfitch@hartnell.edu" <webmaster@intervent.com>
To: dphillips@hartnell.edu
Delivered-To: dphillips@hartnell.edu
Received: by 10.107.9.10 with SMTP id j10csp2277976ioi; Wed, 2 Mar 2016 07:54:25-0800 (PST)
X-Received: by 10.31.150.193 with SMTP id y184mr17064874vkd.99.1456934065918; Wed, 02 Mar 2016 07:54:25-0800 (PST)
Return-Path: <eprice@hartnell.edu>
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com. [2607:f8b0:400c:c05::22c]) by mx.google.com with ESMTPS id o130si22583198vkf.206.2016.03.02.07.54.25 for <dphillips@hartnell.edu> (version=tls1_2 cipher=ecdhe-rsa-aes128-gcm-sha256 bits=128/128); Wed, 02 Mar 2016 07:54:25-0800 (PST)
Received-SPF: pass (google.com: domain of eprice@hartnell.edu designates 2607:f8b0:400c:c05::22c as permitted sender) client-ip=2607:f8b0:400c:c05::22c;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of eprice@hartnell.edu designates 2607:f8b0:400c:c05::22c as permitted sender) smtp.mailfrom=eprice@hartnell.edu; dkim=pass header.i=@hartnell-edu.20150623.gappssmtp.com
Received: by mail-vk0-x22c.google.com with SMTP id e185so205782798vkb.1 for <dphillips@hartnell.edu>; Wed, 02 Mar 2016 07:54:25-0800 (PST)
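The comparison a reader makes by eye across the three "Show Original" samples above can be scripted. This is an added example, not part of the original slides; the function name, the sample headers and the example domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def header_warnings(raw_headers):
    """Return a list of reasons to distrust a message, from its raw headers."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "")
    warnings = []

    # A display name that is itself an address from another domain
    # hides the real sender in clients that show only the name.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and _domain(shown.group()) != _domain(from_addr):
        warnings.append("display name shows a different address than From")

    # The envelope sender (Return-Path) should belong to the From domain.
    if _domain(return_path) != _domain(from_addr):
        warnings.append("Return-Path domain differs from From domain")

    # The receiving server records its SPF and DKIM verdicts here.
    for check in ("spf", "dkim"):
        verdict = re.search(rf"\b{check}=(\w+)", auth)
        if verdict is None or verdict.group(1).lower() != "pass":
            found = verdict.group(1) if verdict else "missing"
            warnings.append(f"{check} result is {found}")
    return warnings

# Constructed samples modelled on the slides (example domains, not real mail).
SPOOFED = (
    "Return-Path: <webmaster@bulkhost.example>\n"
    "Authentication-Results: mx.example; spf=neutral\n"
    " smtp.mailfrom=webmaster@bulkhost.example\n"
    'From: "jdoe@campus.example" <webmaster@bulkhost.example>\n\n'
)
GENUINE = (
    "Return-Path: <asmith@campus.example>\n"
    "Authentication-Results: mx.example; spf=pass\n"
    " smtp.mailfrom=asmith@campus.example; dkim=pass header.i=@campus.example\n"
    "From: Colleague <asmith@campus.example>\n\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, header_warnings(raw) or "no warnings")
```

A clean result only means these four header checks found nothing; it does not prove a message is safe.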
Phishing Report Phishing
What Happens to Your Credentials Cumulus Experiment http://www.hartnell.edu/sites/default/files/library_documents/br_where_is_your_data_report_2016.pdf
Survey from Wombat Security

- 85 percent of respondents said they were a victim of a phishing attack (up 13 percent from the prior report)
- 67 percent said they experienced a spear phishing attack (a 22 percent increase)
- 60 percent said they believe the rate of phishing attacks has increased overall

Survey from Wombat Security

- 44 percent complained of lost employee productivity
- 36 percent faced consequences related to the loss of proprietary information
- 20 percent dealt with damage to their reputation
Always Remember

When in Doubt Check it Out!

- Look at email headers (Show Original)
- Ask ITR for help

Remember that ITR will NEVER, EVER ask for your login credentials in an email.

What to do if you are a Phishing Victim

1. Turn off your computer.
2. Log into PAWS on another computer and change your password immediately.
3. Call ITR for help.
Ransomware

- What it looks like
- Recent Cases
- Latest Ransomware: Locky
- What to do

NEVER open an attachment if you were not expecting it, even if it is from someone you know.

Ransomware: What it looks like

A ransomware email looks very similar to a phishing email. The goal is to get you to download the malicious software by clicking a link or a button. The software install will usually ask you for permission.
Ransomware - Cryptolocker
Ransomware Family Growth
Ransomware Latest Victims

Hospitals, businesses, schools, and yes, even police precincts are victims.

http://www.ibtimes.com/ransomwarehackers-bigger-threat-ever-forcinghospitals-police-pay-hostage-fees-2319822
Ransomware Latest Version Locky
Ransomware Another Locky Email
What to do if you are a Ransomware Victim

1. Forcibly turn off your computer (hold the power button down for 8 seconds).
2. Log into PAWS on another computer and change your password immediately.
3. Call ITR immediately. Don't leave a message; find someone in ITR to help.

Always Remember

When in Doubt DON'T check it Out! DON'T let your curiosity win out!

NEVER open an attachment if you were not expecting it, even if it is from someone you know.
Always Remember Questions? Comments?