
Security Announcements

[April 2017] DePaul University Employee Phishing Training Reminder

On April 19th, 2017, Wombat Training Platform sent the following email to all employees who have not completed the Phishing training. Please note that this is a legitimate email.

Subject:  Phishing Training Reminder

For validation of this email, please refer to DePaul's internal website. At security.depaul.edu, please click "NEWS & UPDATES" on the left, and then "Security Announcements."

On January 23rd, an email was sent to all DePaul University employees regarding online phishing training.  DePaul has contracted with Wombat Security Technologies to provide training to help employees recognize and avoid phishing scams.  Your personal link to the training on Wombat's site is below.

We strongly encourage all employees to take advantage of this training to be better able to protect their own and DePaul's private information.  As always, if you have any questions on this or other information security issues, please let us know at security@depaul.edu .

Link to training:  xxxxx

Sincerely,

Information Services

[February 2017] DePaul University Employee Phishing Message

On February 2nd, Wombat Training Platform sent the following email to all employees. Please note that this is a legitimate email.

Subject:  Phishing Training Reminder

For validation of this email, please refer to DePaul's internal website.  At security.depaul.edu, please click "NEWS & UPDATES" on the left, and then "Security Announcements."

As referred to in an email earlier today from Information Services, this is a reminder that DePaul has contracted with Wombat Security Technologies to provide training to help employees recognize and avoid phishing scams. Your personal link to the training on Wombat's site is below.

We strongly encourage all employees to take advantage of this training to be better able to protect their own and DePaul's private information.  As always, if you have any questions on this or other information security issues, please let us know at security@depaul.edu.

Link to training:  xxxxxxxxxxxxx

Sincerely,

Information Services

[January 2017] DePaul University Employee Phishing Message

On January 23rd Information Services sent the following email to all employees. Please note that this is a legitimate email.

The Problem with Phishing
 
Everyone online these days is experiencing an increase in phishing scams in their inbox. At DePaul, we have seen a marked increase in phishing scams sent to a wide DePaul audience.  We see nonspecific, widespread attacks as well as extremely targeted phishing lures sent to specific members of our community, whom the malefactors have clearly researched before attacking. The purposes of the phishing emails vary – but the most common ones try to steal email or portal credentials, personal information and/or to deliver malware (including viruses and ransomware).
 
Phishing message quality ranges from clearly fake to extremely sophisticated, wherein the sender does an outstanding job of hiding the original source of the message and the links or attachments appear legitimate.
 
What We Need You to Do
 
Unfortunately, technology today has only limited mechanisms to detect and stop these messages from getting to your email box.  The best defense against such scams is for you to be educated on how to avoid becoming a victim. To that end, DePaul has contracted for its employees to take advantage of online education aimed at giving you information to be able to spot phishing attacks in your email and avoid compromising your personal information.
 
We strongly encourage you to take this brief online training.  Below you will find a link to your personal account at our security awareness education vendor where you can get started.  We have selected modules which we believe are especially relevant to the environment at DePaul and will be the most helpful.
 
[Personal link to training]
 
Please do not forward this email as it contains your personal link to the training. You can also find this email at http://offices.depaul.edu/information-services/security/news-updates/Pages/Security-Announcements.aspx if you would like to confirm the validity of this email.
 
 
We appreciate your attention to this matter and we encourage you to email us if you have any questions at security@depaul.edu.
 
Sincerely,
 
Information Services

[January 2016] Social Security Phishing Messages

We'd like to alert the DePaul Community to a malicious phishing message that many have received with the subject "Social Security Statement." The text of this email is an almost exact copy of the US government's email entitled "Social Security Statement" or "Annual Reminder to Review Your Social Security Statement".   The link in both messages looks the same, however if you hover over the links with your mouse you will be able to see the true destination URL.  This particular malicious message has a malware-infected document, while the government email will take you to www.socialsecurity.gov/signin.    To be safe, it is always a good practice to type a URL into your browser rather than clicking on a link in an email.

As we head into tax season, we can all expect to see more scams and phishing messages with subjects related to taxes.  Please be very careful about clicking on links and in giving out personal information.  Another tax scam that has been on the rise in recent years has persons submitting their taxes only to find that identity thieves have beaten them to it. For that reason it's a good idea to file as early as you can, especially if you're expecting a refund.

As always, if you have any questions or would like confirmation on any particular email you receive, please contact the Technology Support Center at 312.362.8765 or email security@depaul.edu.


 

[January 2015] FBI Issues University Employee Payroll Scam Alert

This month the FBI issued an alert regarding phishing attacks on University employees.  The text is below:

University Employee Payroll Scam

University employees are receiving fraudulent e-mails indicating a change in their human resource status. The e-mail contains a link directing the employee to login to their human resources website to identify this change. The website provided appears very similar to the legitimate site in an effort to steal the employee’s credentials. Once the employee enters his/her login information, the scammer takes that information and signs into the employee’s official human resources account to change the employee’s direct deposit information. This redirects the employee’s paycheck to the bank account of another individual involved in the scam. 

Consequences of this Scam:

  • The employee’s paycheck can be stolen.
  • The money may not be returned in full to the employee.
  • The scammers can take the employee’s log-in credentials and attempt to log into other accounts that belong to the employee.

Tips on how to Protect Yourself from this Scam:

  • Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses. Many of the scammers who send these messages are not native English speakers.
  • Roll your cursor over the links received via e-mail and look for inconsistencies. If it is not the website the e-mail claims to be directing you to then the link is to a fraudulent site.
  • Never provide credentials of any sort via e-mail. This includes after clicking on links sent via e-mail. Always go to an official website rather than from a link sent to you via e-mail.
  • Contact your personnel department if you receive suspicious e-mail.

If you have been a victim of this scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov. Please reference this PSA number in your complaint. The IC3 produced a PSA in May 2014 titled “Cyber-related Scams Targeting Universities, Employees, and Students,” which mentioned the university employee payroll scam. The PSA can be viewed at http://www.ic3.gov/media/2014/140505.aspx.


 

[January 2015] FBI Issues Warning of Scams Targeting University Students

FBI Warns of Fictitious ‘Work-from-home’ Scam Targeting University Students

College students across the United States have been targeted to participate in work-from-home scams. Students have been receiving e-mails to their school accounts recruiting them for payroll and/or human resource positions with fictitious companies. The “position” simply requires the student to provide his/her bank account number to receive a deposit and then transfer a portion of the funds to another bank account. Unbeknownst to the student, the other account is involved in the scam that the student has now helped perpetrate. The funds the student receives and is directed elsewhere have been stolen by cyber criminals. Participating in the scam is a crime and could lead to the student’s bank account being closed due to fraudulent activity or federal charges.

Here’s how the scam works:

  • The student is asked to provide his/her bank account credentials under the guise of setting up direct deposit for his/her pay.
  • The scammers will add the student’s bank account to a victim employee’s direct deposit information to redirect the victim’s payroll deposit to the student’s account.
  • The student will receive the payroll deposit from the victim’s employer in the victim’s name.
  • The student will be directed to withdraw funds from the account and send a portion of the deposit, via wire transfer, to other individuals involved in the scam.

Consequences of Participating in the Scam:

  • The student’s bank account will be identified by law enforcement as being involved in the fraud.
  • The victim employee has his/her pay stolen by the scammers utilizing the student’s bank account.
  • Without the student’s participation, the scam could not be perpetrated, so he/she facilitated the theft of the paycheck.
  • The student could be arrested and prosecuted in federal court. A criminal record will stay with the student for the rest of his/her life and will have to be divulged on future job applications, which could prevent the student from being hired.
  • The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank.
  • This could adversely affect the student’s credit record.

Tips on how to Protect Yourself from this Scam:
  • If a job offer sounds too good to be true, it probably is.
  • Never accept a job that requires the depositing of funds into your account and wiring them to different accounts.
  • Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses. Many of the scammers who send these messages are not native English speakers.
  • Never provide credentials of any kind such as bank account information, login names, passwords, or any other identifying information in response to a recruitment e-mail.
  • Forward these e-mails to the university’s IT personnel and tell your friends to be on the lookout for the scam.

 
If you have been a victim of this scam, you may file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov. Please reference this PSA number in your complaint. The IC3 produced a PSA in May 2014 titled “Cyber-related Scams Targeting Universities, Employees, and Students,” which mentioned this scam. The PSA can be viewed at http://www.ic3.gov/media/2014/140505.aspx.


 

[February 25, 2014] Critical Apple Security Vulnerability

Information Services would like to notify any users of Apple devices of a security concern. Users of Apple devices should install a critical security patch issued last Friday by Apple. Updates can be performed by navigating to Settings > General > Software Update and applying the update on iPads and iPhones.

This update is critical for the following devices:

- iOS 7.0.6 (used in iPhone 4 and later, iPod touch 5th generation, iPad 2 and later)
- iOS 6.1.6 (used in iPhone 3GS, iPod touch 4th generation)
- Apple TV 6.0.2 (Apple TV 2nd generation and later)

We strongly recommend that all users of the above devices update their systems as soon as possible. The vulnerability addressed by the updates could allow for sensitive data, such as passwords or financial information, to be "hijacked" from these devices.

Unfortunately, Apple has not yet released a security update for the Mac OS X Mavericks operating system, although it is known to be vulnerable to the same issue. The industry is expecting Apple to release a Mavericks update shortly. We recommend all Mavericks users check frequently for the update. It is also being reported that Chrome and Firefox on Macs are unaffected by the vulnerability, so switching to either of those browsers instead of Safari would be advisable before the update is available.

In the time before you are able to update your device, or before the fix is available for your Mavericks installation, it would be safest to avoid unsecured wireless systems (such as those at hotels, airports, coffee houses), which generally do not use encryption that can mitigate this risk. At DePaul, the depaul secure wireless system is recommended.

If you have any questions on this, please email security@depaul.edu, or call the TSC at 312-362-8765.


 

[Jan. 30, 2013]

The US Computer Emergency Readiness Team (US-CERT) has issued an advisory for a vulnerability for software in many Universal Plug and Play (UPnP) devices.  A security research company has discovered tens of millions of vulnerable devices on the Internet.  

At DePaul, we are scanning our network for the vulnerability, and, if found will notify the equipment owner.

This vulnerability is expected to be heavily prevalent on home networks - especially on routing equipment.  To scan your home network, please investigate a free tool at: 

http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp


For the full US-CERT advisory, see:  http://www.kb.cert.org/vuls/id/922681


 

[Jan. 15, 2013]

Oracle has issued an update for Java version 7. This new version, Java 1.7 update 11, is the only version of Java 1.7 that should be used. Many people are using Java version 1.6; the latest update for this version is update 38, and anyone on 1.6 should be sure they are on the latest update. If you are not constrained by a business-system requirement to be on Java 1.6, we recommend you update to Java 1.7 update 11, as Java 1.6 is scheduled to be unsupported at the end of February 2013.

The University community should review the software on their systems to:
- Be sure you are on the latest version of either Java 1.7 or Java 1.6
- Update to the latest version of whichever browser you are using

The Department of Homeland Security still recommends disabling Java browser plug-ins unless Java is necessary for a business system.  The security community is fairly skeptical that the latest Java patch will be completely "bullet proof" - and foresees further update levels.  If you cannot disable Java browser plug-ins because of business system requirements, it is strongly advised that you use a dual browser approach:  one browser, your default, should have Java disabled, and the second should have Java enabled and be used only for those sites which require Java.


For information on disabling Java in browsers, please see:  http://offices.depaul.edu/is/security/protect-yourself/Pages/How-to-Disable-Java.aspx

or https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

To install latest version of Java 1.7:  http://java.com/en/download/index.jsp

To install latest version of Java 1.6:  http://java.com/en/download/manual_v6.jsp
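Checking a fleet against the update levels named above is a matter of parsing the version string Java reports and comparing the update number per major line. The following Python script is an added example, not DePaul's or Oracle's code: its policy table carries exactly the two minimums the announcement states (1.7 update 11, 1.6 update 38), it accepts both the dotted form Java reports ("1.7.0_11") and Oracle's short "7u11" naming, and the host inventory it runs over is constructed for the example.

```python
"""Check reported Java versions against the minimum update levels in this notice.

Added example (not DePaul's code). MINIMUM_UPDATE holds the two levels the
announcement names; the inventory at the bottom is constructed sample data.
"""
import re

# Minimum update per Java line, as stated in the Jan. 15, 2013 notice.
MINIMUM_UPDATE = {(1, 7): 11, (1, 6): 38}

_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")  # e.g. 1.7.0_11
_SHORT = re.compile(r"^(\d+)u(\d+)$", re.IGNORECASE)        # e.g. 7u11


def parse_java_version(text):
    """Return (major, minor, update) from '1.7.0_11' or '7u11' style strings.

    Both forms describe the same release; the short form implies major 1.
    """
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(4) or 0)
    m = _SHORT.match(text)
    if m:
        return 1, int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def assess(text):
    """Classify one version string: 'current', 'outdated' or 'unknown-line'.

    'unknown-line' covers lines the policy table does not mention (e.g. 1.5),
    which deserve a look by hand rather than a silent pass.
    """
    major, minor, update = parse_java_version(text)
    minimum = MINIMUM_UPDATE.get((major, minor))
    if minimum is None:
        return "unknown-line"
    return "current" if update >= minimum else "outdated"


def hosts_needing_attention(inventory):
    """Map host -> status for every host in (host, version) pairs that is not current."""
    report = {}
    for host, version in inventory:
        status = assess(version)
        if status != "current":
            report[host] = status
    return report


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("lab-pc-01.example", "1.7.0_11"),
    ("lab-pc-02.example", "1.7.0_07"),
    ("finance-ws.example", "1.6.0_38"),
    ("finance-old.example", "6u37"),
    ("legacy-box.example", "1.5.0_22"),
]

if __name__ == "__main__":
    for host, status in sorted(hosts_needing_attention(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts on the current update of either line are left out of the report; anything below the stated minimum is listed as outdated, and a line the policy does not cover is listed separately so it is not mistaken for a pass.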


 

[Jan. 11, 2013] Critical Java Vulnerability


For more information on disabling Java browser plug-ins, please see:

http://java.com/en/download/help/disable_browser.xml

https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

Background
 
On January 10, 2013, security researchers reported an unpatched vulnerability in a number of versions of Java. All versions of Oracle Java 7 (aka 1.7) from the initial release up through update 10 are vulnerable. Other versions may also be vulnerable. Oracle has not issued a patch, nor made a statement on this issue.
 
Security researchers have also commented that "attack code" to take advantage of the vulnerability is being "massively exploited in the wild."  Miscreants use such exploits to turn compromised websites into platforms for silently installing key loggers and other types of malicious software on the computers of unsuspecting website visitors.
 
Browsing the web with a vulnerable version of Java installed and enabled means that simply visiting a website is enough for an attacker to compromise your computer.   The malicious software installed through these attacks may collect usernames and passwords used on the compromised computer, including credentials for sensitive websites, bank accounts, email etc.
 
What we are doing
 
This is a developing situation, and there are many discussions in the Information Technology community regarding mitigations and workarounds. Information Services is following these closely and testing some potential mitigations.
 
Information Services will continue to monitor the situation and we hope to have further instructions and advice to our community next week.   We do, however, want to make sure our community is aware of the situation. 
 
The safest course of action would be to remove the Java plug-in from all Internet browsers, and this is what the United States Department of Homeland Security and the United States Computer Emergency Response Team are recommending. Yet we know that some applications will not function without the plug-in.
 
What you can do
 
If you do not need Java, the safest course of action is to disable your browser plug-in for Java. 
 
Continue to be suspicious of and do not click on web popups, but close the window instead.   If a suspicious window won't close, open your task manager and force your browser to close.
 

[Aug. 31, 2012] Critical Java Vulnerability

On August 27, 2012 security researchers reported a vulnerability in Oracle Java version 7 (also known as 1.7). Oracle typically releases Java patches every three months, but they made public an update that resolves this vulnerability on August 30, 2012. The vulnerability in Java is actively being exploited, and has been ported to utilities that make it relatively easy to target unpatched computers.
 
Recommendation: We urge the community to apply the latest security patch released by Oracle as soon as possible. The patch can be downloaded from the Java page: http://java.com/en/download/inc/windows_upgrade_xpi.jsp
 
At the above site, please click to Agree and Start Download. We recommend that you unclick a subsequent box offering to install a toolbar along with the patch.
 
Browsing the web with a vulnerable version of Java could lead to your computer being infected by simply being redirected to an infected web page. This is known as a “drive-by download,” where minimal user interaction is needed to fully compromise your system.
 
Platforms Affected:
· Windows computers running Java version 7 are vulnerable.
· Mac computers running Java on OS X Lion or Mountain Lion are NOT vulnerable
 
If you are unsure which version of Java you are running, you can find out by pointing your web browser to the following tool: http://javatester.org/version.html
 
If the pink block shows that you have “Java Version: 1.7.0_07 from Oracle Corporate,” then you are no longer at risk. However, if your machine is not properly patched, we strongly encourage you to download and install the latest version of Java.
 
Please call the Technology Support Center at 312-362-8765 or write to security@depaul.edu if you have any questions.