PLU Help Desk Ticket Tracking System Transition

On Friday, October 23rd, Information and Technology Services will be transitioning the PLU Help Desk to a new online request and issue tracking system. While we work to complete this transition, there are a few important items that we would like you to be aware of regarding the new system.

• In order to complete the transition, our current online ticketing system will be unavailable for access from 8:00am until 5:00pm on Friday, October 23rd. You will be able to continue to submit requests for service during this time by emailing the Help Desk at helpdesk@plu.edu or by calling them directly at 253-535-7525. Updates regarding the status of the transition will be made available at www.plu.edu/status throughout the day.
• The new ticketing system will look very different, but we think you will find the process of entering and tracking your tickets to be quite intuitive. The document "Getting Started with the PLU Help Desk" provides instructions and includes a brief video tutorial, which addresses some of the more common questions you may have when submitting and tracking your requests.
• After 5:00pm on Friday, the new system will be accessible from the same URL you are familiar with (https://helpdesk.plu.edu) and emails sent to helpdesk@plu.edu from a PLU address will automatically generate a ticket for you in the new system.

Upcoming Changes to the PLU Login Page

As part of the second phase of the PLU’s website redesign that Marketing and Communication has been working on, the PLU login page that is used to access many of our campus resources will be changing.  The new page is scheduled to be put into place on August 10th and there are a few things we would like you to be aware of as we transition to the new design (see a preview of the new design below).

• Beginning on August 10th, instead of being directed to https://allotropa.plu.edu when logging into a PLU resource, the URL presented will be https://weblogin.plu.edu.  Please make note of this and always check for this URL if you have reason to question the legitimacy of the site.

• All links to technical support and relevant campus resources will still be available on the page; however, they will be in a different location with the new layout.

• The new layout benefits from a responsive design, significantly improves accessibility and is much more mobile friendly.

• You will now have an option to view your password while typing if needed to verify it is being entered correctly prior to logging in.

• After the change on August 10th, you should no longer trust login pages that will have the old design.  Mimicking login pages is a common tactic that phishing attackers use to collect personal information.

  

Phishing Messages Appearing to be Originating from the President's Office

Recently a wave of new phishing emails have been sent out to campus email addresses claiming to be sent by President Krise. A screenshot of the email is attached at the bottom of this post.

This email is most definitely fraudulent, and should be marked as SPAM or phishing in your inbox to help Google identify these as fraudulent and begin to block them.

Traditionally, we have reserved this blog and the Status page for updates related to system outages and other items related to the technology at PLU, but due to the craftsmanship which went into these phishing emails and their appearance of authenticity, we felt it was appropriate to post an announcement regarding these messages.

To recap from our previous posts on Spam/Phishing emails from the Help Desk Blog, PLU will never solicit your account information. All of our ePass account transactions (e.g., password changes) take place at epass.plu.edu or via the PLU account login page.

If you have clicked on the links in the fraudulent email or sent any information to the sender, please contact the Help Desk immediately at 253-535-7525 or helpdesk@plu.edu. You can also stop by the Help Desk, located on the first floor of the Library.

Always err on the side of caution when it comes to account security -- if you're ever uncertain of the veracity of an email, please contact the Help Desk for clarification.

We apologize for the inconvenience that these phishing emails can cause, and we will do our best to keep you up to date with current information on when they are being actively spread. We appreciate all who take the time to check with us when they receive these emails and those who are diligent with reporting these emails to us. Your dedication to keeping us informed helps immensely, and we appreciate having an extra set of eyes available to check for these messages.

Fraudulent Email and Phishing Redux

Example of phishing email (click to enlarge)

Yet another round of fraudulent "phishing" emails have been sent across Campus masquerading as an official email warning users that their accounts are about to be shut down unless they are verified.

As we have noted multiple times during these campaigns, the Help Desk will never solicit your account information. All of our account work is done via our ePass website [epass.plu.edu], and we will not intentionally put your account into a position where it cannot be recovered.

Given how these emails continue, we felt it would be appropriate to pass on a small FAQ to help better inform the PLU community about these phishing emails.

Summary

• PLU (I&TS) will never solicit your account information via email
• If you ever have even the slightest inkling that an email might be fraudulent, do not do anything with it and call the Help Desk at 253-535-7525
• If you have clicked on any links in these emails or responded to them, call the Help Desk at 253-535-7525
• This phishing campaign has been attacking users for several months, taking over PLU accounts and sending more phishing emails from PLU accounts
• They often include PLU logos to mimic official PLU emails and claim to be from the non-existent PLU Webmail Management Team

FAQ

Q: What exactly is a phishing email?
A:  A phishing email is basically an email meant to trick users into revealing sensitive information, "baiting" them into giving out private info such as passwords, credit card information, etc.

Typically, a phishing email will masquerade as coming from an official source, often claiming to either have important information for the user or claiming that their "account will be terminated" if the user doesn't give out their password information.

Unfortunately, methods will vary from phishing email to phishing email.

Q: How can I tell if an email is a phishing email?
A: Most phishing emails are plagued with:

• Spelling errors
• Grammatical mistakes
• Strange use of punctuation
• Bits of "code" showing in the email
• Vague claims or threats towards your account
•  Inconsistent or incorrect information about the account system

Q: Why is this still happening months after the initial email?  Can't these emails be stopped?
A:  The way this particular phishing campaign is working is to send out as many emails as possible to PLU emails, collect a few accounts, sit on these accounts for a bit while sending out more emails, and continue to collect more accounts.  Every time the attackers get another account, they can send out hundreds of emails; if even one person responds, that's another account and another couple hundred emails.

It's a vicious cycle that we can only break by educating users about the existence of these emails.  While we do our best to shut down the accounts as soon as we receive a report, usually we don't get a report until after a few minutes of sending, which can be hundreds of emails by that point.

We are considering other alternatives system side, but we need to be vary careful about such alterations as they can affect the receiving of legitimate emails as well.

Q: What do the attackers have to gain by doing this?
A:  Just more sources to spam people with.  Once the spammers have a sufficient number of accounts stocked up, they can start sending out spam emails to other people.  Often times we will cleanse an account and find that it has been altered to look like a bank or a school or a credit union.

Q: What should I do if I have responded to one of these emails?
A:  Change your password immediate by going to epass.plu.edu [epass.plu.edu] and call the Help Desk at 253-535-7525.  We will need to walk you through cleaning your account to ensure that no one else has access.

Q:  Is there anything I can do to help combat these emails?
A:  Yes!  Continue to report them to us every time you get one.  It may seem futile or redundant, but the sooner we know about a new wave, the sooner we can take action.

Tell your colleagues and friends about the phishing emails and about how they can learn more about them; the more people that know, the better chance we have that the phishing waves will be ineffective.

Fraudulent Emails continue to plague PLU Community (or "What exactly is a Phishing email?")

Good Morning!

As many of you probably saw this weekend, yet another round of fraudulent "phishing" emails have been sent across Campus masquerading as an official email warning users that their accounts are about to be shut down due to exceeding their storage limit.  While it may be easy for many of us to write these off as non-sense, the newest batches have become progressively more convincing to the point that even seasoned users would require a bit of research to determine their authenticity.  

From a purely technical standpoint,
this fake email is a thing of beauty

As we have noted multiple times during these campaigns, the Help Desk will never solicit your account information like this.  All of our account work is done via our ePass website [epass.plu.edu], and we will not intentionally put your account into a position where it cannot be recovered.

Given how these emails continue to grow in their elaborateness, we felt it would be appropriate to do a more extended write up with a small FAQ to help better inform the PLU community about these phishing emails.

Summary:

• PLU (I&TS) will never solicit your account information via email
• If you ever have even the slightest inkling that an email might be fraudulent, do not do anything with it and call the Help Desk at 253-535-7525
• If you have clicked on any links in these emails or responded to them, call the Help Desk at 253-535-7525
• We post up-to-date information on the phishing emails going around on our Twitter @PLUHelpDesk
• This phishing campaign has been attacking users for ~5 months, taking over PLU accounts and sending more phishing emails from PLU accounts
• They often include PLU logos to mimic official PLU emails and claim to be from the non-existent PLU Webmail Management Team

It is imperative that we let as many people know about the existence of these fraudulent emails; the more people know, the less likely they are to actually respond to them.  I&TS has been using the Help Desk Twitter @PLUHelpDesk to notify users about the phishing emails, but we would love to know your preferred method of communication!  If you can think of a means of communication you'd prefer we use, let us know, and we will do our best to oblige.

FAQ:

Q: What exactly is a phishing email?
A:  A phishing email is basically an email meant to trick users into revealing sensitive information, "baiting" them into giving out private info such as passwords, credit card information, etc.

Typically, a phishing email will masquerade as coming from an official source, often claiming to either have important information for the user or claiming that their "account will be terminated" if the user doesn't give out their password information.

Unfortunately, methods will vary from phishing email to phishing email.

Q: How can I tell if an email is a phishing email?
A: Most phishing emails are plagued with:

• Spelling errors
• Grammatical mistakes
• Strange use of punctuation
• Bits of "code" showing in the email
• Vague claims or threats towards your account
•  Inconsistent or incorrect information about the account system

In the most recent instances, however, the phishers have gotten really fancy and upped the ante.  These most recent emails appear to be very real, as they include the PLU logo, are fairly free of any spelling or grammar mistakes, and even include our actual address!  (That was particularly surprising)

The only give-away on this wave of phishing emails was that the process for updating account info was completely wrong (we do everything through epass.plu.edu), and that we would never shut down your account in this fashion.  Also, we don't have a Webmail Management Team, and nothing would come up if you searched it.

These phishing emails were so well crafted, the only thing "wrong" about them was that they didn't send you to our actual epass.plu.edu page, which was done by design.  

Q: Why is this still happening months after the initial email?  Can't these emails be stopped?
A:  The way this particular phishing campaign is working is to send out as many emails as possible to PLU emails, collect a few accounts, sit on these accounts for a bit while sending out more emails, and continue to collect more accounts.  Every time the attackers get another account, they can send out hundreds of emails; if even one person responds, that's another account and another couple hundred emails.

It's a vicious cycle that we can only break by educating users about the existence of these emails.  While we do our best to shut down the accounts as soon as we receive a report, usually we don't get a report until after a few minutes of sending, which can be hundreds of emails by that point. 

We are considering other alternatives system side, but we need to be vary careful about such alterations as they can affect the receiving of legitimate emails as well. 

Q: What do the attackers have to gain by doing this?
A:  Just more sources to spam people with.  Once the spammers have a sufficient number of accounts stocked up, they can start sending out spam emails to other people.  Often times we will cleanse an account and find that it has been altered to look like a bank or a school or a credit union.

Q: What should I do if I have responded to one of these emails?
A:  Change your password immediate by going to epass.plu.edu [epass.plu.edu] and call the Help Desk at 253-535-7525.  We will need to walk you through cleaning your account to ensure that no one else has access.

Q:  Is there anything I can do to help combat these emails?
A:  Yes!  Continue to report them to us every time you get one.  It may seem futile or redundant, but the sooner we know about a new wave, the sooner we can take action.

Tell your colleagues and friends about the phishing emails and about how they can learn more about them (@PLUHelpDesk); the more people that know, the better chance we have that the phishing waves will be ineffective. 

Router Backdoors found in tons of router models...but not a big deal for most people

Source(s):
http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/
https://github.com/elvanderb/TCP-32764/blob/master/README.md  (List of known affected routers)

Summary:

For the non-technically inclined, let's define a few terms for this article/post.  A backdoor, in computing terms, specifically refers to a means to control a device remotely via a hidden access.  You can think of it like a secret way into a device in order to control it; these backdoors often have very little or no verification, and will accept any command sent to them without question. 

The discoverer of the backdoor, elvanderb, was focusing on trying to get back into his own router, which he forgot the password to.  In doing so, he found some really strange activity on his router, which upon further investigation revealed the backdoor.  Being a bit of a programmer, he explored the backdoor as best he could and was able to map out many of the controls it allowed.  He published his results in a rather humorous powerpoint presentation (1.9 MB ppt download, some not safe for work language), and many other users tested his program and found quite a few other routers that had the same backdoor.

So, is your own router at risk and should you worry? 

Yes, and No.  

See, the backdoor is pretty specific, and it looks to require that you actually be on the network to pull it off.  Even if you were able to plug the backdoor (which you can't really), the likelihood of someone using this method to gain access to your router is pretty low.  The second link has a list of known affected routers; if you use one of these for your business, there may be some cause for concern, but again, this is a fairly isolated method of attacking a router.

What this does bring up are some interesting questions as to why such a backdoor exists; all routers have a physical switch on them to allow a factory restore, so end users have no use for such an interface, and technicians would likely use this as well instead of using the rather esoteric interface.  This is definitely an issue which warrants further discussion and investigation, but most home users should be able to continue using their routers as they have been without additional worry.

Spam Report 11/25/13

Another day, another spam report, this time courtesy of one of our wonderful Help Desk Technician's, Kate!  Thanks Kate.

This morning the Help Desk received information regarding a group of spam emails that may end up in the inboxes of PLU Students, Faculty and Staff. The email fraudulently claims that the user’s mail server storage has been exceeded and that the account will be deleted if the user does not follow the link provided. Please ignore and delete this email should you receive it. A photo of this email as well as an explanation as to how it was determined to be spam are provided at the bottom of this post for your reference.

We encourage you, as always, to err on the side of caution if you receive emails that raise your suspicions in any way. The aforementioned information at the bottom of this post may help you identify key red flags that can give away a phishing email. If you are ever uncertain as to the legitimacy of an email you receive, please do not hesitate to call the Help Desk at 253-535-7525 and we will gladly assist you in determining whether or not the message comes from a source that you can trust.


If you have responded to the email pictured below and provided any information, please take the following steps to ensure the security of your account:

• Update your epass password at http://epass.plu.edu
• Update your password on any sites where you used that password (i.e., if your epass was the same as your bank password, update your bank password as well)
• Log into your Gmail and sign out of all other sessions; to do this, scroll down to the bottom of the page and look for the section which says "Last Account Activity"; click on the "Details" link; a window will appear which will let you force sign out all other sessions.

If you need assistance with any of these steps or have questions about the phishing email, please contact the Help Desk at 253-535-7525 or email us at helpdesk@plu.edu.

This email tips us off in a number of ways. The text highlighted in the mint color is highly suspicious because it is clear that it does not come from a PLU source. The email address that it comes from is not a PLU address and the link it is advising you to follow is not at a PLU address. Furthermore, the language and format used is not that which PLU utilizes in its communication with students, faculty and staff (“Webmail Subscriber” is not how we refer to members of the PLU community, “your email account will be deleted from our server” is not action that would be taken by PLU in this case, and there is no PLU contact information given at the end).

Simple grammatical errors such as the ones highlighted here in purple are another red flag as this number of errors should not appear in communication from PLU. Finally, the general formatting of the email is unusual, see the large empty space at the top of the email, for example, highlighted here in green.