Letter from the CISO, Vol 4 Issue 8
WashU Community:
A New Year of Opportunities and Approaches
Our theme for January is “Celebrating the New Year – from new tech to new approaches, what’s new?”
Unfortunately, while we keep deploying better tools to keep everybody safe and secure, cybercriminals are also developing new tricks and taking new approaches to circumvent our safeguards, making you our last and best defense against attacks.
This letter highlights ways that malicious actors are using legitimate tools to make us feel comfortable so they can exploit us.
Abusing QR Codes
This first trick isn’t completely new, but it is still common because it evades important defenses we’ve deployed.
We’ve become very good at detecting and blocking malicious web addresses in email messages. Malicious actors are trying to evade our defenses by hiding malicious links in QR codes, which our email defenses (so far) only see as an image and don’t decode to see if they are malicious.
A QR code generally requires us to scan it with a smartphone camera. This has the additional benefit (for the attacker) of shifting the dangerous activity to your phone, which is generally not protected by WashU's Information Security defenses.
To me, the infuriating thing about QR codes is that there is (almost) never a valid reason to email a QR code with a web address. It would be much simpler to provide the web address itself.
Bottom line: email messages with QR codes should be reported as phishing. Use the Phish Report Button in Outlook to report it easily; non-Outlook users can report by forwarding the email as an attachment.
Abusing DocuSign, PayPal, Intuit, and similar services
The second trick takes advantage of legitimate services like DocuSign, PayPal, Intuit QuickBooks, and similar accounts. By creating or stealing accounts with these companies, criminals can send invoices and contracts that are difficult to detect and block as malicious, because so many people and organizations use these same services for legitimate billing, contracting, and communications activities.
It is therefore imperative that we verify the authenticity of invoices before paying them or sending them to accounts payable.
Deceptive Layering
In some cases, malicious actors will use “deceptive layering” to create a chain of emails.
Starting with an invoice from a legitimate service like DocuSign, PayPal, or Intuit QuickBooks, the email shows what appears to be a series of messages between someone with university payment approval authority and a vendor. The email thread ends with a message to someone who can process the payment and asserts that the authorizer has already approved payment.
Unfortunately, in many cases this back and forth has been completely faked. It’s designed to con the recipient into paying the fake invoice without following the usual approval processes.
Cyber criminals love to add the threat of legal action, or worse, to add urgency and hijack our critical thinking. The more urgent the request, the more important it is to verify it. Call or email the authorizing person using the phone number or email address on file for them.
It also isn't safe to "reply all" to the message, even though the approver's email address appears in the thread. That address is very easy to spoof so that your reply really goes to an account under the criminals' control.
This underscores the importance of using Workday and other formal approval processes rather than taking shortcuts.
Perpetual vigilance is hard
My monthly mantra is to encourage everyone to be “vigilant, skeptical, and a little bit paranoid.”
This month is no exception, but I want to recognize how difficult it is to perpetually be on guard.
This makes it equally important to be kind to yourself when mistakes happen. The important thing is not to panic. Report the mistake to the Office of Information Security as soon as possible. Often, when quickly alerted, we can intercede before things go from bad to worse.
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column and for being a member of the university’s Information Security team!
Good luck, and be careful out there!
-Chris Shull, CISO