Technology Security

Phish Information

The phishing emails listed below are currently ACTIVE on the GCSU campus:

Phishing email on 08/13/2019 with subject line: message notification

You have recieved a document from onedrive Cloud
it was scanned
Number of Images:1
Attachment File Type:

For more information on OneDrive products and solutions.
Outstanding


Phishing email going to MANY on campus, 08/07/2019:


A phishing email is being sent to many on campus with the subject line "Action Required: Delivery Status Notification (Failure)". It instructs people to click the "Restore Now" blue button to restore their emails.

Please know that this is a phishing email. The senders want you to log in and thereby provide your user name and password.

You may delete this email. The URLs have been blocked on campus and we're working to block the URLs from Microsoft Outlook at this time.

If you did click on the "Restore Now" blue button, please notify the Serve Help Desk ASAP. You will need to change your password by going to unify.gcsu.edu and choosing the My Password tab. Please do not hesitate; change your password immediately and contact Serve.





Email coming in with subject line: [Anonymous] to Ext. 1002 on 16/07/2019 9:58 AM for 36sec



Phishing scammers are coming up with more innovative methods to convince their targets to provide login credentials. Such is the case with a new OneNote Audio Note phishing campaign that is currently underway.

This campaign comes in the form of an email with a subject line about an anonymous call or message received. It claims that you have received a new audio message from a contact in your address book and that you must click on a link to listen to it.

Of particular interest is that phishing scammers now commonly include footer notes stating that the email is safe because it was scanned by security software.

When you click on the "Listen to full message here" link, you will be brought to a fake OneNote Online page hosted on Sharepoint.com. This page states that "You have a new audio message" and then prompts you to click on a link to listen to it.

It is important to remember that Microsoft login forms will be only on the microsoft.com, live.com, microsoftonline.com, and outlook.com domains. If you are presented with a Microsoft login form from any other URL, avoid it and only use your normal bookmarks to go to these sites.
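The domain rule above can be checked mechanically. The following is an added example, not part of the original advisory: it tests whether a URL's host is one of the four listed domains or a subdomain of one, comparing on label boundaries so that look-alike hosts fail. The function name and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains the advisory above lists for Microsoft login forms.
MICROSOFT_LOGIN_DOMAINS = ("microsoft.com", "live.com",
                           "microsoftonline.com", "outlook.com")

def is_listed_login_host(url: str) -> bool:
    """True only if the URL's host is a listed domain or a subdomain of one."""
    try:
        # .hostname drops any "user@" prefix and the port, and lowercases.
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".")
    # Match on label boundaries: "login.live.com" passes, while
    # "live.com.example.net" and "notlive.com" do not.
    return any(host == d or host.endswith("." + d)
               for d in MICROSOFT_LOGIN_DOMAINS)

# Constructed sample URLs (example.net and the paths are placeholders).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.live.com/",
    "https://example-my.sharepoint.com/personal/audio-note",
    "https://microsoftonline.com.example.net/login",
    "https://login.microsoft.com@example.net/",
    "https://notlive.com/signin",
]

def classify(urls):
    """Map each URL to whether its host is on the listed domains."""
    return {u: is_listed_login_host(u) for u in urls}

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("listed " if ok else "AVOID  ", url)
```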

Email appearing to come in from Dr. Costas Spirou. Subject: URGENT REQUEST!!! 06/19/2019

Recently we have seen a resurgence of a fraud email being circulated at GC. Scammers are creating email accounts that appear to come from a campus executive or leader. Recently we’ve seen them impersonate Dr. Dorman, Dr. Brown, Susan Allen, and most recently Dr. Spirou. They also have impersonated Deans, Department Chairs, etc.

The subject lines are usually something simple to try to create a sense of urgency, like “URGENT REQUEST!!!”. The body of the email is also usually very simple, like “Are you available?”.

The goal of the email conversation is to convince the employee to purchase gift cards, or money in some other form, and send them to the criminal.

Please remember that if one of our executives, deans, or directors had an urgent need they would most likely call/text, not email. No one at GC will use an external email for state business.

If you are not sure about an email, please check with the sender, their administrative assistant, or send it to serve@gcsu.edu, iso@gcsu.edu, or abuse@gcsu.edu.

To help you identify scams like these, please review the email below and notice the following:
• The From: line has Dr. Spirou’s name, but the “mailto” address is @gmail.com
• The email has a subject line that is meant to elicit a sense of urgency, in this case “Urgent Request!!!”
• There are no details within the message.
• The message does not directly address a specific person.
• The email has no signature line.


From: Dr. Costas Spirou [mailto:costas.spirou.gcsu.edu@gmail.com]
Sent: Wednesday, June 19, 2019 4:30 PM
Subject: URGENT REQUEST!!!


Hello.
Are you available right now?
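The warning signs listed above can be turned into a simple mail check. The following is an added example, not part of the original advisory: it flags an external sender address, the campus domain embedded in the local part, an urgency subject, and a body with no details. The function name, the indicator labels and the 15-word threshold are assumptions, and the sample messages are constructed (the first from the email quoted above, rewritten as a standard From: header).

```python
import re
from email.utils import parseaddr

def impersonation_indicators(from_header, subject, body,
                             org_domain="gcsu.edu", min_words=15):
    """Return the warning signs from the list above that this message shows."""
    _display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    signs = []
    # A campus name in From:, but the address is outside the campus domain.
    if not (domain == org_domain or domain.endswith("." + org_domain)):
        signs.append("external-sender-domain")
        # The campus domain tucked into the local part looks official at a glance.
        if org_domain in local:
            signs.append("org-domain-in-local-part")
    # Subject written to create a sense of urgency.
    if re.search(r"!{2,}", subject) or re.search(r"\burgent\b", subject, re.I):
        signs.append("urgent-subject")
    # No details within the message (min_words is an assumed threshold).
    if len(body.split()) < min_words:
        signs.append("no-details")
    return signs

# Constructed from the sample email quoted above.
SPOOF = {
    "from_header": "Dr. Costas Spirou <costas.spirou.gcsu.edu@gmail.com>",
    "subject": "URGENT REQUEST!!!",
    "body": "Hello.\nAre you available right now?",
}
# Constructed ordinary campus message for comparison.
ORDINARY = {
    "from_header": "Jane Doe <jane.doe@gcsu.edu>",
    "subject": "Agenda for Thursday budget meeting",
    "body": ("Hi team, attached is the agenda for Thursday at 2pm in room 204. "
             "Please send me any additional items by Wednesday noon. Thanks, Jane"),
}

if __name__ == "__main__":
    print(impersonation_indicators(**SPOOF))
    print(impersonation_indicators(**ORDINARY))
```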


Email coming in from kelli.brown@gcsu.edu. Subject: I will be in London, UK June 18th-22nd. 06/13/2019

Many at Georgia College received an email this morning that appeared to be from Dr. Kelli Brown with the subject line “I will be in London, UK June 18th – 22nd”. This email was not sent by her or from her email account. If you clicked on the “PLAY VOICEMESSAGES.wav” link, it sent you to one of many phishing sites where you were prompted to enter your GC credentials.

If you clicked on the “PLAY VOICEMESSAGES.wav” portion of the email, please call the campus Information Security Officer at x6354 as soon as possible and change your password through Unify (My Password) immediately.

Here is an example of the email:

From: "kelli.brown@gcsu.edu lncoming Voicenote"
Date: June 13, 2019 at 4:32:38 AM EDT
To:
Subject: I will be in London, UK June 18th – 22nd
You missed an lncoming voice_note for kelli.brown@gcsu.edu ,

Received on Thursday, June 13, 2019

Duration: 01:23sec


PLAY VOICEMESSAGES.wav


PRIVILEGE, CONFIDENTIALITY, PROPRIETARY INFORMATION AND TRADE SECRET NOTICE
The information contained in this electronic mail message is intended for the named recipients only. This message contains material that is privileged, confidential, proprietary and trade secret and otherwise protected from disclosure.



Subject: Secure Messaging Notification

Email coming in from Wayne Harrison at USG. Subject: Awaiting Approval. 03/19/2019

Please be on the alert. If you receive one of these, please forward them to hance.patrick@gcsu.edu or serve@gcsu.edu and we'll have the URLs blocked. This is not how you'd receive an invoice. You may delete the emails.



A document has been sent to you for review and requires signature.

PREVIEW OR DOWNLOAD

Best Regards,
Private Group Communication Service

Many are receiving emails that appear to be from POSTMASTER at Augusta University. 03/10/2019

Please be on the alert. If you receive one of these, please forward them to hance.patrick@gcsu.edu or serve@gcsu.edu and we'll have the URLs blocked. This is not how you'd receive an invoice. You may delete the emails.

Secure Messaging

You have been sent a secure message by Augusta University.

View the message by clicking here. It has been classified as sensitive and may only be accessed from within this Secure Messaging service.

Need help? If this is the first time you have received a secure message from this company, a password will be emailed to you separately.

If you did not receive your password or are experiencing trouble logging in, click here to request a new password.

Subject: Invoice (as of February 12)

Many are receiving bogus invoices that appear to be from a GC person, but they're using a non-vetted email account that has nothing to do with GCSU.

Please be on the alert. If you receive one of these, please forward them to hance.patrick@gcsu.edu or serve@gcsu.edu and we'll have the URLs blocked. This is not how you'd receive an invoice. You may delete the emails.


Subject: IT Syetem Support from Mike Hammill (as of February 11 at 10:20am)

From: Hammill, Mike
Sent: Monday, February 11, 2019 10:17 AM
Subject: IT Syetem Support

Dear Employee, Staff.

We are migrating all staff email account into staff Outlook 2019 office web mail and as such all active Staff and Employee are to verify and Log in for this Upgrade and migration to take effect now. This is done to improve the security and efficiency due to recent spam mails received.

Please all Staff and Employee Click Here Switch to Outlook Webmail 2019 for Staff

Note that, This switching on Outlook is for all email users on this service and if not done, we will start deactivating and deleting unverified and inactive email accounts without any further delay within the next 24 hours.

PLEASE DO AS ADVISE ABOVE.

Regards,
External Email Administrator,
Outlook Service for Staff and internet Service
Copyright 2019.


Subject: Invoice Jan 2019 from A. Kay Anderson (as of January 18, 2019 at 1:07pm)

Phish or virus coming in to many with the subject line saying "Invoice Jan 2019 from A. Kay Anderson" sent from Kay's email account. This is actually a full spoof of her email and didn't actually come from campus. They want you to click on the link, by saying "I have enclosed a copy of the invoice for your reference". Please report all of these to iso@gcsu.edu. You can then delete the email.

Subject: Important: Please Review (as of January 17, 2019 at 10:10am)

Phish or virus coming in to many with the subject line saying "Important: Please Review" sent from Joy Godin's email account. The sender is actually using Joy's email account. They are NOT coming in from Joy, but from a hacker using her account. They want you to click on the link, by asking you to "View Document". Please report all of these to iso@gcsu.edu. You can then delete the email.

Subject: Invoice (as of January 12, 2019)

Phish or virus coming in to many with the subject line saying "Invoice". The sender is usually a pure spoof of someone on campus. They are NOT coming from that person. They want you to click on the link, by saying "I have enclosed a copy of the invoice for your reference. You can download it at this link:". Please report all of these to iso@gcsu.edu. You can then delete the email.

Subject: Payment (as of December 7th, 2018)

The latest PayPal phish is coming in from service_online@paypal.com with a subject line of: Payment. The images in the email are actual PayPal images and some of the links actually go to the real PayPal site. However, the link where it says "Download transactions details file" and the links in the transaction numbers all take you to a hacked phishing site. Please delete the message.

IMPORTANT MESSAGE FROM DEPARTMENT OF EDUCATION (as of December 5th, 2018)

USG Cybersecurity received multiple reports of a suspicious email message sent to USG employees. This message has the subject line, “[[[IMPORTANT MESSAGE FROM DEPARTMENT OF EDUCATION!!!]]]” and may appear to be from someone you know. The body of the message contains the following text. These email messages are not legitimate. Please do not open any attachments or click on any embedded link. They could be used to compromise your account credentials and allow intruders access to confidential information. If you receive a message having these characteristics, please delete the message.
If you have additional questions or concerns, please contact the USG Enterprise Service Desk at 706-583-2001, or by email at helpdesk@usg.edu.

"Alisson L. Guth has shared OneDrive files with you. Click review below to view file.

Review File

Best Regards

Alisson Louise Guth
Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202"

SPOOF EMAILS being circulated (current and active since July 2018)

For the last few months hackers have been circulating emails that spoof (imitate) someone on campus. Most often the person being imitated is a department lead. Most (not all) are coming in as "Firstname Lastname ". The names are accurate but of course my.com is not a GCSU email domain.

These emails are fraudulent. Please do not respond to them. Most come in with a subject line similar to "Follow Up" and the content of the email is something as simple as "Are you available?". The hacker is working towards credit card theft/fraud.
----------------------------------------------------------------

From: Dr. Desha Williams
Sent: Monday, December 3, 2018 4:38 PM
Subject: Re: Hello

I'm in a meeting right now and that's why I’m contacting you through here. I should have called you but phone is not allowed to be used during the meeting. I don't know when the meeting will be rounding off and I want you to help me out on something very important right away.

 

 

Recent Phish (but not known to be active at this time):

PHISH/VIRUS: Notification - Review New Doc (Late October 2018)

A few people are getting email notices that appear to be OneDrive documents to be reviewed and approved. If you do not know the sender, please do not click on the documents. Also, if/when you receive these emails, please send them to Serve as well as the ISO (serve@gcsu.edu and iso@gcsu.edu). Thanks.
----------------------------------------------------------------

From: Tomas Rehak
Date: October 30, 2018 at 8:29:55 AM EDT
To: "updates@onedrive.ms"
Subject: Notification - Review New Doc

You have received a new document on OneDrive and it is said to be important

Your document is ready!

 




Virus Information

General Information

General Information Regarding Cybersecurity (aka. Information Security) at GC:

Subject: On Behalf of Executive Vice Chancellor Teresa A MacCartney: Cybersecurity attacks

Good afternoon,

Cybercriminals are using advanced social engineering techniques to gain access to USG sensitive information and personal credentials, such as your log-in information, to commit fraud and identity theft. These criminal attempts include phishing emails requesting private information regarding social security numbers, bank accounts, debit/credit cards, etc.

Your commitment to safeguarding sensitive information is critical and should include:
• Discussing/reviewing security procedures,
• Implementing multi-factor authentication technology,
• Establishing protocols to validate requests or changes to sensitive information,
• Establishing notification (including police, senior leadership, etc.) response and recovery procedures in the event of a breach.

Please share this information with all of your direct reports.

Your attention to this matter is greatly appreciated. If you have any questions, please contact your campus ISO Hance Patrick at hance.patrick@gcsu.edu or x6354.

Thank you,
Teresa MacCartney