Careful – Don’t Let Yourself Get Duped!

Contributed by Glenn Flenorl, Cybersecurity Major

In today’s world of technology and learning, the threat of someone misusing technology is always present. Recently, there has been a rash of bogus emails going around the school, as seen below (Figure 1). This is called phishing.

Figure 1: A Sample Phishing Email

What is a phishing attack? Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message (Google 2017). This is an example of what has been going around the campus. As we take a closer look at the email, it all looks normal. That’s what it’s supposed to do: look normal. Then we look at the name. Since I’m a student here, I got to thinking about how to verify things, so I looked up the name. There are a number of things faculty and staff can do if they get something that looks bogus or untrustworthy. Simply ask your co-workers, or look up the name in the school staff directory like I did. That was evidence enough for me to say this is not real, and I told co-workers and students right away. The school always sends out Help Desk emails with no links in them; it has been standard protocol here at the college that the Help Desk does not put links in its emails. So it is good practice to always be sure that the email being sent to you is from a party that is familiar. Step one is to go to the MCC My WAY site and click Menu (Figure 2).

Figure 2: MyWay

Second, go to the employee directory (Figure 3). In the drop-down menu, go to Help Desk to arm yourself with knowledge to better combat phishing attempts by knowing who is in the Help Desk department and/or its building location.

Figure 3: The Directory Search Page

I just happen to know Building 4 is where the IT Help Desk is here on the Fort campus, and as you can see, there is no Hoffman anywhere (Figure 4).

Figure 4: No Hoffman Here!

Just knowing who is in and around the technology can better prepare us, as learners and as staff, to not get duped into opening bogus emails.

My name is Glenn and I’m an Information Technology Assurance Transfer. I work at MCC’s 180-Re-entry assistance program as a peer-mentor. A former office mate (Lyndsie Gibbs) encouraged me to jump back into INFO SCI, and I really enjoy learning and using the new technology available.

The Art of Phishing: How to Protect Yourself

Contributed by Matthew Reida, Cybersecurity Major

Phishing is a type of attack that relies heavily on human nature. Humans are easily distracted by things that are too good to be true. Most phishing attacks are emailed, and some are very well disguised. They often imitate a normal email communication from a bank or online store. The goal of a phishing email is not to “hack” a user by exploiting their system, but rather to obtain information from a user who is willing to give it away. The user usually makes the first move by interacting with the email in some way, most often by opening a link contained in the body of the email or opening an attachment.

In order for the phish to accomplish this, it must appear legitimate: many emails are sent from supposedly reputable companies; however, the “from” email address can be easily spoofed. If one looks closely, many times an email claiming to come from “JP Morgan Chase”, for example, may actually come from an email address that does not belong to that domain. More sophisticated, targeted phishing attacks may actually spoof the “from” field in an email header, meaning that the information in the header field is forged, making it appear even to careful users that the sender is legitimate, even though the email originated from outside that domain.

Once the user is convinced that the email is legitimate, attackers coax the user to interact with the message, for example by asking the user to open a link within the email. This is dangerous because attackers can create their own website, designing it to look similar to the target site, and users who do not look closely at the opened URL can voluntarily give away their passwords to attackers.

The best way to defend against this sort of attack, besides being generally suspicious of emails encouraging direct action, is to view the URL that will be opened. This can be done on computers by hovering over the hyperlink with the cursor, and on mobile devices by pressing and holding on a hyperlink. This launches a tooltip that reveals the URL, which would then be opened upon clicking. Even though an email may appear to contain a link to a legitimate site, the actual URL may be completely different.

My name is Matt Reida, and I am pursuing an associate’s degree in Server Administration at Metropolitan Community College. As a very young child, I was enamored with computers, and strived to learn about them constantly. As I grew older, my passion for learning remained, and inspired me to pursue a career in the IT field.

Phishing Campaigns at MCC

Contributed by Christopher Wagner, Cybersecurity Major

Phishing is just what it sounds like, but with a different spelling. A fisherman places bait on their hook and hopes that fish will come along and bite it. The bait in this analogy often takes the form of an email, text message, or even a Facebook message, and at times the sender can claim to be a friend, a relative, or even the MCC Help Desk. The fish, being the individual who received the message, is often directed to click on a link or provide credentials (username and/or password). These emails are made to appear authentic and to trick the user into giving up information.

With the holiday season coming up, phishing emails that appear to come from legitimate companies will be on the rise. The best way to spot a phishing email is to look for key indicators: where the email is from, what the email is asking you to do, and what incentives there are for opening the email. In the example below from my own email address, I have a phishing email claiming to be from Amazon about an order and an opportunity for a $50.00 reward as a promotion.

Highlighted in the red boxes are indicators that alert me that this email is in fact a phishing attempt. Although the email says it is from Amazon (1st red box), we can tell upon further inspection that it is not from Amazon. Looking at the email address of the sender and checking whether it is from the actual website itself, and not a suspicious chunk of text, reveals the first red flag. Going on to the 2nd red box, we can see that I’m entitled to a $50.00 reward for my latest activity. This, however, is the bait to entice me into clicking the link, which will either install malicious software on my computer (malware) or direct me to a website that is designed to look just like Amazon’s login page and steal my personal information. Upon hovering over the link with the cursor, we can see the 3rd red box, which shows a URL shortener. Amazon does not use these, and being aware of where links are directing the user is important. The key part in this is identifying the web address. Some phishing emails attempt to mask the address as such:  Did you notice the missing M in the link?  By thoroughly reading the website address, you can determine if the email is legit.
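The three indicators above (sender address, URL shortener, look-alike address), together with the displayed-versus-actual link comparison recommended in the previous article, can also be checked automatically. The following Python code is an added example, not part of the original articles; the trusted-domain and shortener lists, the 0.85 similarity threshold, and the sample message are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"amazon.com"}                        # assumption: brands you expect mail from
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: partial shortener list
SAMPLE = """\
From: Amazon <promo@xk3-mailer.example>

<a href="https://bit.ly/EXAMPLE">https://www.amazon.com/rewards</a>
<a href="https://www.aazon.com/signin">Sign in</a>
"""  # constructed message, not the email shown in the article

class Links(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self, html):
        super().__init__()
        self.found, self.in_link = [], False
        self.feed(html)
        self.close()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.found.append([dict(attrs).get("href") or "", ""])
            self.in_link = True
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"
    def handle_data(self, data):
        if self.in_link:
            self.found[-1][1] += data

def base(host):  # last two labels only; a real tool would use the Public Suffix List
    return ".".join(host.lower().split(".")[-2:])

def check_email(raw):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg["From"] or "")
    sender = base(addr.rpartition("@")[2])
    if any(d.split(".")[0] in name.lower() for d in TRUSTED) and sender not in TRUSTED:
        findings.append(("sender-domain-mismatch", sender))   # name claims a brand
    for href, text in Links(msg.get_payload()).found:
        host, shown = base(urlparse(href).hostname or ""), urlparse(text.strip())
        if host in SHORTENERS:
            findings.append(("url-shortener", host))          # destination is hidden
        elif host not in TRUSTED and any(
                SequenceMatcher(None, host, d).ratio() > 0.85 for d in TRUSTED):
            findings.append(("lookalike-domain", host))       # e.g. a dropped letter
        if shown.scheme in ("http", "https") and base(shown.hostname or "") != host:
            findings.append(("link-text-mismatch", text.strip()))
    return findings
```
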

The main objective of a phishing campaign is to gain personal information by getting unsuspecting users to click on links or provide user credentials, credit card information, or personal information to the attacker. Phishing emails are designed to entice the user into opening them with the promise of a reward or by creating a sense of urgency, such as a claim that your password needs to be updated or you will not be able to access your MCC account. By being proactive in looking for indicators in all emails, social media messages, and text messages, you can help combat phishing and keep your personal information safe from attackers. Should you receive a phishing email, mark it as spam and do not follow the instructions, or simply delete it.

One important note to remember is that the MCC Help Desk will never ask for credentials or provide links for you to reset your password or update your information. They will simply provide a step-by-step guide on how to access the Password Station or how to change your password when logged onto campus computers, as seen below. This email is from my personal account at MCC, stating that my password will soon expire; it contains no links whatsoever and has the correct MCC Help Desk email address.

Christopher Wagner is a computer enthusiast and enjoys learning about InfoSec. At age 10 he was given his first computer, and that sparked a growing passion for learning how computers work. In addition, he found an interest in the ever-evolving world of InfoSec, where what started as simple viruses to annoy people has grown into ransomware demanding payment in return for decrypting data. Learning how to build computers and troubleshoot issues that arose, he was able to start freelancing in computer repair. Most recently, Christopher started attending Metropolitan Community College for Information Assurance and hopes to one day find a career in InfoSec.