Phishing emails circulated to Concordia students

An email was sent by Concordia University to students on Oct. 3 advising them not to open a phishing email circulating in the student community. The phishing email was sent by newsonlineconcordia@concordia.ca, according to a screenshot sent by the university.

The phishing email read: “Concordia University Latest News & Media.” A second line included a hyperlink with the words “Breaking News. Find out more.”

In its message to students, the university asked them to “please delete [the email] immediately […] Phishing techniques such as this can spread viruses and malware.”

The message continued: “A recent example of the dangers of this type of email is the WannaCrypt/WannaCry ransomware attack, which paralyzed thousands of computers across the globe.”

Phishing emails and potential cyberattacks have been commonplace in Montreal universities over the past two years. Last May, 120 computers at the Université de Montréal were infected by the WannaCry virus, which encrypted copies of user files before deleting the originals, forcing people to pay a ransom to regain access to their documents.

Phishing emails were sent to Concordia University students by a fake administration email account in early October

On Aug. 31, as previously reported by The Concordian, phishing emails were also sent to McGill University students.

Cyberattacks occurred on two occasions at Concordia in the last two years. In March 2016, keyloggers were installed at the Webster and Vanier libraries. The devices record every key a person presses, giving hackers a record of everything that was typed.

In April 2017, the university’s online course system, eConcordia, was also hacked.

Concordia President Alan Shepard told The Concordian in September that cyberattacks were a “big issue.” “We were lucky in both episodes that we didn’t have any major damage that we’re aware of,” he said, referring to the two incidents at Concordia.

According to Shepard, the university made “some technical changes to try and prevent repeats of these episodes.” The president wouldn’t disclose what these changes were.

Raymond Chabot Grant Thornton, an accounting firm, audited the university’s IT security in 2017, according to Shepard. The IT audit was part of the annual audit presented to the university’s board of governors. Shepard said the audit showed the university’s cybersecurity had strengthened.

The audit differs from a separate project Shepard described as a “large-scale review of cybersecurity.” As The Concordian previously reported, a call for tenders was sent by the university in July through the publicly accessible Système électronique d’appel d’offre du Québec (SEAO), seeking professional services to assess the university’s cybersecurity risks. Shepard said the result of the assessment will be private.

Eight different companies bid for the contract, including Bell Canada, Montreal-based GoSecure and Okiok Data. The value of the contract is still unknown.

Phishing emails at McGill a reminder of vulnerability

A new internet safety course among options to protect schools from cyber threats

Benjamin Fung is forthright when asked about the weakest link in cybersecurity. “The most vulnerable attack channel is always humans,” said the McGill University professor, who is also Canada’s research chair in data mining for cybersecurity.

The best way to avoid cyber threats is to ensure the person operating an electronic device is well-informed and knows what to watch out for, Fung explained in a recent interview with The Concordian.

Phishing emails—fake emails that appear to be legitimate and ask a user to enter personal information—are an example of a common threat that can easily be avoided if the email user is well-informed.

On Aug. 31, an article posted on the McGill Reporter reported “several McGill email users have recently received phishing emails that look like legitimate McGill correspondence but are actually designed to steal your confidential personal information.”

A similar message was published in May on Concordia’s website. It explained that Concordia email service users had received phishing emails and asked users to “delete [the email] immediately and to not open any attachments or click any links within the body of the message.”

In an interview with The Concordian, cybersecurity expert Terry Cutler said, “It’s very important to keep control of your digital life […] You never know how your information can be used against you.”

Screenshots of Concordia IITS guidelines about avoiding cyber threats available on their webpage

Last week, Cutler released a consumer course called Internet Safety University, geared towards teaching university students and staff effective ways to avoid cybersecurity attacks.

The program contains about six hours’ worth of tutorials and is currently being tested by students and staff at a local CEGEP. According to Cutler, the college’s staff will then have a six-month trial period to observe the impact of the training on its cybersecurity.

Different modules instruct users about numerous hacking techniques and tools, including keylogging, in which hardware records keystrokes on a keyboard without the user’s consent or knowledge.

According to director of public relations and university spokesperson Mary-Jo Barr, Concordia employees are provided workshops during orientation sessions to teach them about IT security measures. She said faculty and staff are also routinely updated on effective IT security measures via email.

Barr added that the university holds an IT security awareness campaign every October to teach people about “laptop safety, password safety and phishing.”

Cutler said one module in his course also explains ransomware, software that renders data on a device inaccessible until a ransom is paid. In May, approximately 120 computers at Université de Montréal were compromised by the WannaCry ransomware, reported CBC News.

In an email to The Concordian, Barr also pointed out that Concordia—specifically its IT services—routinely distributes information through social media and the NOW newsletters for students.

Screenshots of McGill’s IT Services Awareness Training web page

In comparison, Fung described McGill’s training as “very comprehensive.” Staff, faculty and students at McGill have access to the university’s IT Knowledge Base, an online tutorial consisting of 16 modules.

McGill’s IT services website also features a series of online IT security awareness courses, including videos about email phishing, phishing websites and mobile security.

Concordia’s Instructional & Information Technology Services (IITS) provides information and guidelines about how to avoid email phishing and cybersecurity threats on its webpage. The guidelines offer strategies for anti-virus protection, password security and protecting devices from keylogging.