This Week’s Cybersecurity News, 10/11/2022

We are in week two of Cybersecurity Awareness Month and I want to let you know about a current non-threat, as well as a couple of very current potential threats and some much-needed updates. But I want to begin by giving you a little information about something I often ask people to do when reporting phishing attempts.

When I am asked if an email is legitimate or not, I try to research what I can so I can let that person, and often everyone else, know what to avoid. And when I have determined that an email is a phishing or spear phishing attempt, I often ask the person to forward the email and its Internet header using the Reporting Phishing Attempts instructions. I would like to give you some information about Internet headers so you will know why I ask you to include them.

Internet headers provide a lot of useful technical details about the message. If you have used those instructions to obtain an email’s Internet header you are probably wondering what is in there that can be so helpful. Well, here is part of what can be obtained from the header:

  1. The sender
  2. The software used to compose the email
  3. The email servers that particular email passed through on its way to the intended recipient (or target!)
  4. The timestamps of the delivery route of the email

While it looks like a lot of gibberish, this information can allow the email to be investigated for possible spoofing and allow the source of that message to be determined. The information can also help Exchange administrators determine if a UT employee’s email account has been compromised. Finally, the information allows the Exchange administrators to block certain IP addresses from sending email through our servers, particularly when those IP addresses continue to target our users.
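As an added illustration (not part of the original newsletter), this Python sketch pulls the four items listed above out of a header using the standard library. The sample header is constructed, with reserved example domains and documentation IP addresses, and the function name `summarize_header` is hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header for illustration; not taken from a real message.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mailbox.example.edu with ESMTPS id abc123;
\tTue, 11 Oct 2022 09:15:42 -0400
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP id def456;
\tTue, 11 Oct 2022 09:15:40 -0400
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example.net with ESMTPA id ghi789;
\tTue, 11 Oct 2022 13:15:31 +0000
From: "IT Help Desk" <student1@example.edu>
X-Mailer: ExampleMailer 1.0
Subject: Email Confirmation
Date: Tue, 11 Oct 2022 13:15:30 +0000

"""

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def summarize_header(raw):
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse to read origin-first.
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        hops.append({
            "from": _find(r"\bfrom\s+(\S+)", info),
            "by": _find(r"\bby\s+(\S+)", info),
            "ip": _find(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", info),
            "time": parsedate_to_datetime(stamp.strip()),
        })
    transit = (hops[-1]["time"] - hops[0]["time"]).total_seconds() if hops else None
    return {
        "sender": parseaddr(msg.get("From", ""))[1],               # 1. the sender
        "software": msg.get("X-Mailer") or msg.get("User-Agent"),  # 2. composing software
        "hops": hops,                                              # 3. servers passed through
        "transit_seconds": transit,                                # 4. from the timestamps
    }

if __name__ == "__main__":
    for hop in summarize_header(SAMPLE)["hops"]:
        print(hop["time"].isoformat(), hop["ip"], "->", hop["by"])
```

Only the Received lines added by your own mail servers are trustworthy; anything below them was supplied by the sending side and can be forged, as can the From and X-Mailer values.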


Current Non-Threats

  • Welcome to the party, Optum EAP (email)
    • The email is from University of Tennessee Benefits Team+ALEX <reply@meetalex.com>.
    • This email is legitimate and has been sent on behalf of UT Benefits.
    • The message lets you know about the Optum Employee Assistance Program.
    • The message also reminds you that you have three days left to add (or change) benefits for 2023.


Current Threats

  • Email Confirmation (phishing)
    • The sender appears to be a student at UTK, but the address may have been spoofed.
    • The message is brief and says that UTK is carrying out email validation exercises.
    • The message provides a link for you to confirm that your email is still in use and says that clicking the link will keep your account active.
    • UTK does not carry out such exercises, as the Office of Information Technology (OIT) has other ways of finding out if email accounts are still in use…if they have a need to.
    • If OIT sends you a notice, it would not come from an individual student’s address, but would come from an OIT email account.
    • There is no branding within the email at all and OIT does not send emails without something identifying the email as an official email.
    • If you get this email, please forward it with the Internet headers using these instructions for Reporting Phishing Attempts.
  • Advertising Request Received (phishing)
    • The sender is noreply@salesforce.com On Behalf Of Stuff Team.
    • The message begins by thanking you for your email and gives you a request number.
    • Stuff is a New Zealand news media website.
    • I don’t seem to find the connection for Stuff and Salesforce.
    • The email addresses from the message I saw all begin with the same letter and it makes me think there is a massive list that was broken down into smaller lists (and one request number really makes zero sense).
    • I saw several people with the Institute on the recipient list for the one message, so I suspect that lots of people at the Institute received this.
    • The footer mentions Fairfax Media, but Fairfax merged with another company in 2018, and the name was changed at that time.
    • The formatting and punctuation errors are plentiful.
    • If you get this email, please forward it with the Internet headers using these instructions for Reporting Phishing Attempts.


Browser, OS, and Software Updates

  • Microsoft
    • Microsoft has released updates to address multiple vulnerabilities in Microsoft software.
    • Updates are being automatically pushed to Institute-owned computers.
    • If you have recently clicked to have your computer restart later to finish these updates, please make sure you reboot right away to ensure all available updates have been applied.
    • Exploitation of these vulnerabilities could allow an attacker to obtain sensitive information.


I want to thank you for all you do every day to protect the Institute and its data. And I can’t thank you enough for forwarding emails to me asking about their validity. This really keeps me aware of what threats are out there. Please remember if you need me you can email or call me at any time. And please share information with peers, clients, students, and family.

Have a great rest of the week!

Sandy