A computer in an RIT department was infected with ransomware from a file attachment purporting to be an example of work from a student. The student name on the email was spoofed. The email had been caught in the RIT spam filter. However, the spoofed sender name looked authentic and the recipient released the email and opened the zipped attachment, triggering the ransomware attack.
Sample Phishing Email
Sender: firstname.lastname@example.org (name changed)
Recipients: name@.rit.edu <RIT username>
Subject: Re: RIT Application
[Executable Attachment] Namecodes.zip
I have submitted my application for <Specific RIT Program.>
I have attached an example of my work to this mail to help me strengthen my application. My unique application id is :f3ba5c. Thank you Sir for your guidance and support.
How do I know this is a phishing attempt?
- You can’t tell at first glance that it’s a phish. However, the email was caught by the RIT spam filter because of the executable attachment. (An executable attachment is a file that runs as a program when opened; in this case the program was malicious.)
- Unfortunately, the days of looking at an email and knowing immediately that it's a phishing attempt are over. The sender address and any logo may look authentic. Pay attention to what the email is asking you to do and to whether it has an unexpected attachment.
- The sender address may have looked legitimate or may be from a compromised external email account.
- For more information about detecting phishing, please visit the RIT Information Security Phishing page.
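The kind of check that leads a mail filter to quarantine a message like the sample above, as an added example that is not RIT's filter or code from this advisory: it opens each zip attachment and reports members whose extension marks them as executable. The extension list, function names, member file names and sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension list for illustration; a production filter's list will differ.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".wsf", ".hta", ".lnk", ".ps1"}

def risky_members(zip_bytes):
    """Return archive member names whose final extension is executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # An archive that cannot be inspected is itself worth quarantining.
        return ["<unreadable archive>"]
    # Only the final extension counts, so "report.pdf.js" is treated as ".js".
    return [n for n in names
            if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTS]

def scan_message(raw):
    """Map each zip attachment's file name to its executable members."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            hits = risky_members(part.get_payload(decode=True))
            if hits:
                findings[name] = hits
    return findings

def build_sample():
    """Constructed sample message; the zip holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("work_sample.pdf.js", "// constructed placeholder")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["From"] = "firstname.lastname@example.org"
    msg["To"] = "recipient@example.edu"  # constructed address
    msg["Subject"] = "Re: RIT Application"
    msg.set_content("I have attached an example of my work to this mail.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Namecodes.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```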
What is RIT doing to protect me?
- RIT blocks most phishing/malware attacks from reaching RIT e-mail accounts.
- MySpam will block or quarantine many of these phishing e-mails. However, senders actively modify messages to avoid spam traps, and that allows a few to slip through.
- myMail.rit.edu has not been compromised.
- McAfee VirusScan (McAfee HIPS) with up-to-date virus definitions will protect against viruses and many other threats that may be associated with phishing emails. (Antivirus software is available free to RIT students, faculty, and staff for home use from http://www.rit.edu/its/services/security/).
What can I do to protect myself?
- Ensure that your information is backed up regularly and properly. Because ransomware can encrypt the files on your computer and any connected drives (including connected cloud drives such as Dropbox), it’s important to regularly back up your files to a location to which you’re not continuously connected. To determine the backup capabilities available to you at RIT, contact your IT Service Desk.
- If you find there’s a message in the RIT spam filter and you’re not sure that it’s really spam, preview the message while it’s still within the spam filter. Don’t release it until you are certain it’s legitimate. ITS provides instructions for the spam filter at <https://www.rit.edu/its/servicing/secure-computing/spam-filtering>
- Unless you’re expecting an attachment, don’t open it without ensuring that the message is legitimate.
- Phishing attacks can come through emails, texts, social media messages, and phone calls. Be careful!
- Report phishing attempts by creating a new message to email@example.com and dragging the suspected phishing message into the new message.
For More Information
- For information about protecting yourself against ransomware, visit the RIT Information Security Ransomware page at <https://www.rit.edu/security/content/ransomware-0>.
- Visit the RIT Information Security Phishing page at http://www.rit.edu/security/content/phishing for information on keeping yourself safe from phishing attempts.
- Visit the RIT Information Security website at <http://www.rit.edu/security> and explore our best practices for keeping you and your information safer online.
REMEMBER: RIT will NEVER ask for your password through e-mail.
Quick Infosec Tip: Most security pundits described 2016 as the year of ransomware. Security experts expect to see many more ransomware attempts in 2017.