From the CIO

VCU Technology Services

We have certainly hit the ground running in 2022. Many exciting projects for the year are well underway. These include design and construction of the new Technology Operations Center, the migration of Banner to the Ellucian Cloud, implementing and supporting a new cloud-based data warehouse, and multiple other projects to support transformational innovation at VCU. I’ll provide updates on these projects in the coming months, but for this month’s entry, I would like to share an update from our Information Security Office on a new variation of a data security threat that we are seeing more and more often here.

Phishing scams through email are almost as old as the Internet itself. Over the years, scammers have continuously improved their tactics in the art of tricking people into falling for their scams.

What is reply-chain phishing?

In the most recent round of enhancements to the scammers’ tactics, we have seen the rise of the new and dangerous reply-chain phishing scam. While many of us can easily spot a typical phishing scam, reply-chain phishing is different and far more dangerous, because it leverages the trust we already have in another person.

So just how does this scam work? The reply-chain phishing scam begins with the scammer compromising another party’s email account. Once the account is compromised, the scammer starts sending replies to messages already sitting in the victim’s inbox, usually generic one- or two-line replies that include either a link leading to a malicious document or a malicious attachment on the email itself.

Figure 1. Example of reply-chain phishing (source: SentinelOne blog)

If the recipient of the scam clicks on the link and downloads and opens the attachment, then she is in for a nasty surprise, as the document will then proceed to download malware and attempt to infect her computer. Some ransomware groups are known to have been successfully leveraging this technique for criminal campaigns against large enterprises since early 2021.

The reply-chain phishing scam is very effective due to several factors:

  1. The email accounts used in the scams are always legitimate company accounts.
  2. The scams will always come from known individuals with whom we have interacted.
  3. The links or attachments are sent as a reply to an existing conversation.
  4. The language is usually generic enough that victims of these scams can be tricked into clicking on the link.

How can we protect ourselves?

In order to protect ourselves against these new threats, there are several things we can do. First and foremost, it is important for us to recognize some signs of these scams. The signs of a reply-chain scam can include:

  1. The use of generic language that may not make sense in the existing email conversation (e.g., “Please see attached details” or “Please review the following documents”).
  2. A request to download and open a document. The document is usually a macro-enabled Microsoft Office file (docm, xlsm, docb, xlsb), but it could also be a malicious PDF.
  3. A download link that seems abnormal. You can always hover over a link (or tap and hold it on a mobile device) to see its actual destination. Scammers often host malicious files on hacked websites, so if the download link points to a small business website when you are dealing with an employee of a large company, the email could be a scam.
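As an added illustration, not part of the CIO's note, the following Python check looks for the three signs above, plus the reply-into-an-existing-thread pattern, in a raw email message. The sample message is constructed for the example, and the rule that a link hosted outside the sender's own domain counts as "abnormal" is an assumption the note does not state.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GENERIC_PHRASES = ("please see attached", "please review the following")  # bait wording the note cites
MACRO_EXTENSIONS = (".docm", ".xlsm", ".docb", ".xlsb")                   # macro-enabled formats it names
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")

def reply_chain_indicators(raw_message: str) -> list[str]:
    msg = message_from_string(raw_message)
    flags = []
    if msg.get("In-Reply-To") or msg.get("References") or msg.get("Subject", "").lower().startswith("re:"):
        flags.append("reply-to-existing-thread")  # the bait rides on an existing conversation
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = " ".join(body).lower()
    if any(phrase in text for phrase in GENERIC_PHRASES):
        flags.append("generic-language")
    if any(name.endswith(MACRO_EXTENSIONS) for name in attachments):
        flags.append("macro-enabled-attachment")
    # Assumption (not from the note): a link hosted outside the sender's domain is "abnormal".
    for host in URL_HOST_RE.findall(text):
        if sender_domain and host != sender_domain and not host.endswith("." + sender_domain):
            flags.append("link-host-mismatch:" + host)
    return flags

# Constructed sample message (not a real capture) that shows all four signs at once.
SAMPLE_REPLY = """From: Pat Partner <pat@partner.example>
Subject: Re: Q1 contract renewal
In-Reply-To: <thread-1@vcu.edu>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see attached details: http://smallshop.example.net/docs/view.html
--B
Content-Type: application/octet-stream; name="Invoice.docm"
Content-Disposition: attachment; filename="Invoice.docm"

AAAA
--B--
"""
```

A hit on the reply-to-thread flag alone is normal (most replies are legitimate); it is the combination with the other flags that warrants a phone call to the sender or a report to infosec@vcu.edu.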

Once we have identified a suspicious message that could be a scam, there are a few things we can do to protect ourselves:

  1. If you know the sender but are suspecting the email could be a reply-chain scam, then calling the sender or talking to the sender in person to verify is the simplest way to identify whether you are dealing with a scam. You should not reply to the email if you suspect that the email is a reply-chain scam, as the scammers may have control of the sender’s email inbox.
  2. You should never click on any links or download any documents if the message itself is suspicious. If you do accidentally download the document, please do not open it if it is a macro-enabled Microsoft Office (usually Word or Excel) document (xlsm, xlsb, docm, docb).
  3. Most importantly, if you suspect a message is a scam or are unsure whether it is legitimate, you can always send the message to infosec@vcu.edu for review. If you have received a scam, there is a good chance that others have as well, so by identifying and reporting it you not only gain peace of mind for yourself, you may also save someone else from becoming a victim.

Wishing you the best for 2022!

Alex
