In September 2020, a Portable Document Format(PDF) file and digital document service, Nitro, suffered a data breach. This breach contained data for approximately 78 million customers and was exposed online. The customer information included names, passwords and the titles of documents. No financial information was leaked.

 1,440 UMBC accounts were victims of this breach. The victims are being notified via their UMBC emails and/or their alternate emails. If you have a Nitro account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach, visit: https://haveibeenpwned.com/.

More about Nitro data breach:

https://infosec.berry.edu/2021/01/19/data-breach-notification-nitro-pdf/#:~:text=In%20September%20of%202020%20there%20was%20a%20breach,or%20vikings.berry.edu%20email%20address%20 included%20in%20the%20 breach.

If you have any questions or concerns, email us at: security@umbc.edu.

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

In June 2018, an online fashion website, Romwe, suffered a data breach. This breach has data for approximately 20 million customers. The data was sold online. The customer information includes names, email addresses, IP addresses, physical addresses, phone numbers, and passwords. No financial information was leaked.

229  UMBC accounts were potential victims of this breach. The victims are being notified via their UMBC emails and/or their alternate emails. If you have a Romwe account, please contact them to see if you have been affected by this breach. To see if you were involved in any other breach visit:https://haveibeenpwned.com/.

More about Romwe data breach:

https://us.romwe.com/datasecurityFAQs-a-1039.html?SASSource=cjunction&affiliateID=100357191_5250933&url_from=cj.com&cjevent=dd0a33c1077f11ec804300290a82b82d

If you have any questions or concerns, email us at:security@umbc.edu.

Information about this breach was provided to us by Have I Been Pwned(HIBP). 

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Vendor Breaches and Account Compromises

Internet vendors will, at times, suffer data breaches.  Sometimes the service will attempt to contact it’s account holders and other times it won’t.  Often, after some time has passed, the malicious actors who stole the original data or others who have acquired it in the meantime will release it publicly.  UMBC’s Division of Information Technology (DoIT) subscribes to a service called HaveIBeenPwned which looks for such public releases and searches them for email addresses ending in @umbc.edu.

For example, if you registered for a member’s discount card with Giant Food or signed-up for online banking and entered your email address as myname@umbc.edu,  DoIT may receive notification if a publicly released breach included that email address.  This does NOT automatically mean that your UMBC account was compromised.  If you use a different password on your Giant account than you use on your UMBC account, then your UMBC account is still secure.

If DoIT determines that your UMBC account has been compromised (or if we are unable to determine that it hasn’t), your password will be replaced with a random string of text.  You will also receive email in your Password Reset Email account (not your primary UMBC account) notifying you of the password change. 

DoIT has no way of knowing what the new randomized password is, but you can recover access to your account by going to the MyUMBC login page and selecting “Forgot your password?” (see image below).  You will then need to answer the security questions you set up for your account.  After answering correctly, a link will be sent to your designated Password Reset Email account.  If you have trouble with this, the Technology Support Center (https://doit.umbc.edu/tsc/, 410-455-3838) can assist you.

Working remotely during the pandemic required the workforce to constantly adapt work processes and procedures and we all learned a great deal in this process. With a gradual return to campus and hybrid work we will need to continue to upskill in order to evolve as the nature of our work and our workplace evolves. The Hybrid Workplace series offers staff training in the available productivity and collaboration tools that will help contribute to individual and shared success in our new normal.

TRAINING VIDEO: Docusign Session  - Hybrid Workplace Training Series

Docusign is a tool that allows employees to initiate a document to collect relevant data, digitally sign and follow a workflow that replaces paper form completion and routing.  There is no need to print or scan and it is mobile friendly. 

Course objectives:

·         Docusign uses (Single Use & Templates)

·         Docusign framework (Webform, Docusign Dashboard & Email Notifications)

·         Docusign portal as a dashboard (Quick views & filters, docusign status and form review)

·         Docusign Do’s and Don’ts (Finish Later, Decline to sign, Corrections, etc.)

·         Initiate a DocuSign document

·         Download a DocuSign document

·         Advanced Features Overview (Overview for a future session)

Check out additional sessions from the Hybrid Workplace Training Series on demand 

Foundations of the Hybrid Workplace. The series includes the following sessions:

·        Webex: Messaging and Calling

·         Webex Meetings

·         Gmail & Calendar

·         Google Docs

·         Google Sheets

·         Google Slides

Strategic Planning for the Hybrid Workplace. The series includes the following sessions:

·         Webex: Messaging and Calling

·         Webex Meetings

·         Facilitating Hybrid Meetings

·         Leading Hybrid Teams

·         Surveys with Google Forms/Qualtrics

·         Docusign

Recently, DOIT received an email from a compromised account at North Central Kansas Technical College(NCKTC) impersonating Dr Hrabowski. The email consisted of a Microsoft word document titled “EVALUATION FORM.” Below is a copy of the email. We removed the name of the NCKTC user and the To field for privacy reasons.

The link for the email will take you to the EVALUATION FORM document. See below to look inside the Word docs. 

This link will ask you to sign in to your Microsoft account to view a file/form that the compromised account shared on One Drive. DO NOT CLICK ON ANY OF THE LINKS IN THE EMAIL OR THE DOCS. However, if you have done so already, please contact us immediately atsecurity@umbc.edu. 

A lot of phishing emails contain a link that asks the recipients to sign into their accounts. Whenever you receive such emails, always try and verify with the senders on an entirely different email if you know them. Feel free to always send the message to us to validate the email.

For more information about phishing, visit:https://itsecurity.umbc.edu/critical/?id=98136.

If you have received any message similar to the one listed above, please forward it with its headers tosecurity@umbc.edu. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. For instructions, visit: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

Recently, DOIT received multiple reports of suspicious messages about student loans from email addresses with the format <emails@alert###.info>. The recipients of these messages marked them as phishing, but on careful investigation, we realised that these were legitimate. We therefore classified these messages as spam instead of phishing. 

According to Phishing.org, “[p]hishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.” A third party company, CollegeLoans, sent these messages on behalf of these loan companies. Therefore, they are not malicious or criminal; instead, they are commercial. 

Nonetheless, you might not have subscribed to receive these messages; hence they are spam. According to Cisco.com, “[s]pam is unsolicited and unwanted junk email sent out in bulk to an indiscriminate recipient list. Typically, ...sent for commercial purposes.” These emails are advertisements. They target university students since people in this demographic may need help covering tuition costs. 

As mentioned earlier, these loan messages or advertisements originated from the third party company, CollegeLoan. This company is located in Puerto Rico. When you click on the link in the email, they will earn a commission whether or not you apply for the loans. It is business. It’s email marketing. 

CollegeLoans sends out links on behalf of the following companies:

• Sallie Mae Smart Student Loan

• Discover Undergraduate Loan

• Credible Student Loan

• Earnest Student Loan

• College Ave Student Loan

• CommonBond Student Loan

We were also suspicious because clicking the link might take the reader to Amazon.com rather than the advertised site.  Among the information webservers can collect when you click is something called a User-Agent-String.  This string helps the website determine the version of the browser you are using in order to avoid trying to perform advanced functions on old browsers.   Bad actors may use this feature to hide from browsers commonly used to analyze malicious sites. However, we determined that the link is not malicious. 

We are not sure of the reason that CollegeLoans chose to use browser detection. However, it is not uncommon for developers/companies to add this feature to their code/applications. According to  MDN web Docs, using a browser detection would depend on one of the following:

• If you are trying to work around a specific bug in some version of a browser.

• If you are trying to check for the existence of a particular feature.

• If you want to provide different HTML depending on which browser.

Source:

https://www.phishing.org/what-is-phishing

https://www.cisco.com/c/en/us/products/security/email-security/what-is-spam.html#:~:text=Spam%20email%20is%20unsolicited%20and,botnets%2C%20networks%20of%20infected%20computers.

To read more about user agents, visit https://towardsdatascience.com/the-user-agent-that-crazy-string-underpinning-a-bunch-of-analytics-86507ef632f0.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity.

During the past week, the Division of Technology(DOIT) has received phishing reports of scammers impersonating state-licensed retirement support representatives. Below is an example of such a message. The reporter’s name and email have been removed to protect their privacy.

This message is not legitimate. If you have received this email, DO NOT CLICK THE LINK IN THE EMAIL. The link takes you to the website below. DO NOT FILL OUT THIS FORM.

If you have filled out this form, DO NOT JOIN THE APPOINTMENT.If you have joined the video conference or phone call and provided your financial information to the actors, immediately notify your bank. View our article on Identity Theft to help protect your identity: https://itsecurity.umbc.edu/critical/?id=102139

Forward this email with its headers immediately to security@umbc.edu. Instructions on how to find the email headers can be found below.

The HR Department advises that all valid retirement-related emails are sent from their approved retirement vendors

______________________________________________________________________________________________________________________________________

Receive any suspicious emails?

Forward it to security@umbc.edu along with the email headers. Instructions for doing so can be found at the UMBC support wiki: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970.

Follow us on myUMBC:https://my3.my.umbc.edu/groups/itsecurity