The shift to remote learning, remote instruction, and remote work and the associated rise in use of personal devices to do University work has led to an increased risk to UC Merced’s information security posture. We want to remind you that the threat of social engineering, phishing and disinformation campaigns surrounding Coronavirus (COVID-19) remains high. Please be on the alert!
Across the globe, there is an increased amount of phishing and ransomware activity initiated by criminal organizations and nation-state actors. These sophisticated attempts target COVID-19 researchers, health providers, and anyone who might have access to institutional resources and data assets, mostly in the form of COVID-19 exposure notification messages. These activities have also been confirmed by the FBI through public service announcements.
In general, criminals and bad actors are using the COVID-19 pandemic to raise fear and concern via phishing emails and text messages. These scams might indicate that you have been infected and/or were near someone who is infected with COVID-19, claim that they found out about you through social tracking, and instruct you to download a form and proceed immediately to the nearest hospital.
Even before COVID-19 contact tracing programs had legitimately been rolled out in Merced, cyber criminals were sending emails alleging that staff members have been infected. These malicious messages, ostensibly from institutions such as the World Health Organization (WHO) or the Centers for Disease Control (CDC), University of California faculty and staff, or even medical professionals, are intended to spread disinformation and disrupt economic recovery efforts. Many instances of this type of cyber crime are also very targeted, such as the Social Services Letter circulating in Merced County indicating that COVID-19 testing is mandatory for all households and that failure to comply will result in a suspension of benefits.
Please be aware that the United States government and medical professionals and institutions do not do any social tracking of the COVID-19 virus. Attackers will claim that they tracked you down via your phone, a charge card receipt for a location, or someone you might know. Typically, they try to keep everything as vague as possible so that you will click on the link included with the message. Keep these tips in mind:
- Please do not click on any suspicious links in messages. Read messages critically, even if they’re about COVID-19.
- Visit websites that you know and trust such as UC Merced’s Campus Covid-19 Updates or the Centers for Disease Control and Prevention for legitimate information.
- Do not respond to texts, emails, or calls about checks or the government stimulus package. This is another way for actors to obtain your personal information and infect your devices with malicious code.
- Ignore online offers for vaccinations and home-test kits. No such approved products exist currently.
- Hang up on robocalls.
- Visit our Phishing Email Archive: https://it.ucmerced.edu/phishing#heading-3 for regularly-updated examples of phishing attempts and stay informed to stay safe!
UC Merced Information Security has noticed a large spike in phishing scams and spam emails using a subject line containing “Coronavirus” or “COVID-19” as the lure to entice our campus community to click on links, download files, and open attachments. Many of these emails impersonate legitimate institutions and authorities.
One specific threat, reported in an alert from the Health Sector Cybersecurity Coordination Center (HC3), is that cyber criminals have begun circulating links to a “Live Coronavirus - COVID-19 map” falsely claiming to be from Johns Hopkins University, which actually contains malware. This malware can steal your browser history, cookies, cryptocurrency and other credentials, including email addresses, passwords and credit card numbers.
More generally, beware of emails and sites containing information about or selling products that would allegedly cure or prevent COVID-19. These are also potential sources of phishing and spam.
As always, we urge users to:
- Exercise caution when clicking on links or opening attachments, even if they look like they’re from someone you know
- Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message
- If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it
If you’re unsure if an email is legitimate or if you know for certain it isn’t, please report it directly to Information Security at firstname.lastname@example.org. For more information, be sure to visit our How to Spot a Phish page.
In November 2019, Americans told Pew Research Center that they feel frustrated that companies and the government are constantly tracking them online and collecting their personal information, while they are also increasingly vulnerable to identity theft as security breaches rapidly proliferate.
According to data retrieved from Privacy Rights Clearinghouse, the number of educational-institution (EDU) records exposed in reported data breaches each year from 2004 to 2017 remained steady at less than 5 million records. In 2017, this number increased to 7.6 million records. However, there was a dramatic increase in 2018, when a single data breach exposed 40 million records, bringing the total number of exposed records for the year to almost 41 million.
During the same time period, the number of reported EDU data breaches went from 64 in 2004 to a high of 107 in 2007, and then dropped to 17 in both 2015 and 2018. This demonstrates that cyber criminals have steadily gotten better at accessing greater amounts of data with fewer breaches, as is most evident in the case outlined above, where a single data breach yielded 40 million records.
Armor, a cloud security company, reports that educational institutions were hard hit by ransomware in 2019. According to Armor, there were ransomware attacks against 72 school districts from January 1 through December 31, which may have impacted as many as 1,039 schools in the U.S.
Analysis on attack methods for ransomware reveals that most attacks begin with phishing, spear-phishing, and social engineering. For this reason, it’s important that educational institutions train their users via awareness campaigns to help protect their networks. Awareness campaigns should include education about current and emerging cybersecurity risks and phishing emails. Training should focus on policies regarding how to maintain secure passwords and how to properly respond to suspected phishing scams.
LogMeIn, a subsidiary of LastPass Password Management company, published the results of a survey they conducted in the first half of 2018. According to LastPass, even though 91% of respondents said they understood the risks of password reuse across websites, a staggering 59% reported doing it anyway. There are several reasons for user apathy, but the main culprit seems to be fear of forgetting what their password is.
Compounding this risky user behavior, 53% of respondents said that although they were aware of the risks, they had not changed their passwords in the past 12 months or longer. This holds true even when they learn of a data breach that involved user passwords. Adding still more to their risk profile, nearly 60% engaged in these behaviors: password reuse and failure to change passwords despite a data breach.
LogMeIn explored whether there was a significant difference in how users create passwords for personal and work use. Almost half of users said they didn’t do anything unique between creating personal or work passwords and, even worse, 62% said they reuse the same password between personal and work accounts. Only about one in five users reported creating stronger passwords for work than for personal use.
As part of its 2019 National Cybersecurity Awareness Month reporting, TechRepublic highlighted the findings of a recent survey conducted by Google. Here are some of the key numbers on Americans' cybersecurity habits:
- 59% = Percentage who have incorporated a name or birthdate into their password
A further breakdown of this last percentage reveals:
- 33% = A pet's name
- 22% = Their own name
- 15% = Spouse or partner's name
- 14% = Child's name