You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Current »

The University of Vienna is so kind to tell the whole world about your email address, and the world surely is making use of that information. It’s just that its intentions aren’t always good. There are malicious actors out there who want to trick you into disclosing your University of Vienna username and password, infect your computer with malicious software, get you to pay them money, or simply to visit a website. Some of those emails are easy enough to recognise (”You have won $100,000,000 in the ACME Inc. Lottery! Just send us your credit card number, its expiry date, your CVC, and your date of birth by TOMORROW!”). This is no accident; the people who send these emails only want you to reply if you are gullible enough to fall for their schemes. However, some of these emails are harder to recognise; above all, those that are crafted to trick you into revealing your username and your password or running malicious software. So here is checklist to help you decide whether you should trust an email.

Checklist

Who is the email from?

If the email is not from somebody you know, be careful. Check what it wants you to do and whether it appears to be from somebody who can ask you to do so legitimately. For example, if an email requests that you login into your University of Vienna account, does it originate from the University of Vienna’s computer centre? You can check this by looking at the sender’s address. If it ends with “@univie.ac.atand the part in front of the “@univie.ac.at” contains “zid” (for Zentraler Informatikdienst) it is from the University of Vienna’s computre cetre. If not, the email is not legitimate. Watch out for variations! For example, a malicious actor may send an email from an address that ends in “@univle.ac.at” or “@univie.edu.” These are not legitmate. It's only when the sender's address ends with “@univie.ac.at” that the sender works or studies at the University of Vienna. If the sender is not legitimate, the email is certainly fraudulent. The reverse does not hold true, however. Just because the sender appears legitimate, the email may still be fraudulent. There are ways to forge sender addresses. And malicious sometimes actors manage to get illegitimate access to legitimate accounts.

Does the email request that I visit a website (or imply that I should)?

If the email requests that you visit a website (or implies that you should) and is not from somebody you know, it is likely fraudulent. Again, check whether the email appears to be from somebody who can make that request legitimately. But don’t stop there! Also check whether the website the email asks you to visit matches the request. For example, if the email asks you to so something that requires you to login into your University of Vienna account, then the domain part of the website’s address, that is, the part between “http://” or “https://” and the next “/”, must end with “.univie.ac.at”. Again, watch out for variations! For example, if the domain ends with “.univle.ac.at” or “univie.info”, then the website does not belong to the University of Vienna. The website’s domain must end with “.univie.ac.at” or the email is fraudulent. The reverse does not hold true, however. Just because the website appears to be the University of Vienna, the email may still be fraudulent. There are ways to forge these addresses. Also, the University of Vienna’s network is large, some servers are run by individual departments, and hackers manage to gain access to those from time to time.

If you did visit that website (and you shouldn’t have), then you may notice that the website does not look like other University of Vienna websites. This is another warning sign. Again, the reverse is not true. We have already seen fake Univesity of Vienna websites that looked like the real thing.

Does the email request that I login somewhere (or imply that I should)?

If so, this email is likely fraudulent. Unfortunately, many companies, first and foremost Google, have started to email people to request that they review their privacy or their security settings. Still, most organisations and companies never do that. The University of Vienna’s IT department never does that. There is no technical reason for an IT department or a company to ever ask you via email to login to your account just for the sake of logging in, “updating” your account, “confirming the security” of your account, etc. Note, an email may just as well ask you to do something that requires you to be logged in, so that you won’t wonder if you encounter a login mask.

Does the email request that I open an attachment (or imply that I should)?

If so and the email is not part of an ongoing conversation, then it is almost certainly fraudulent. Never open attachments before you have checked whom they are from. Never open attachments from people that you don’t know. 

Does the email create a sense of urgency?

If so, the email is likely fraudulent. Malicious actors try to scare you (“Your account will be disabled!”) or to create a sense of urgency (“Important message!”) in the hope that this will make you act on the email before you took the time to check whether it’s legitimate.

Does the narrative check out?

  • Are you referenced by name? (And is it your name?)
  • Do you understand what the email is about (or does it throw around jargon, leaving you only with a vague idea of why you are supposed to do something)?
  • Did you expect to receive an email in that matter (or does it come out of the blue)?
  • Do you know the other people that the email references?

If the answer to more than one of these questions is “No,” you should be suspicious. Again, the reverse is not true. A malicious actor may take the time to craft a good story or may even target you personally.

Examples

Example 1

Betreff:     Dringende Infos
Datum:     Mon, 14 Oct 2019 08:48:56 +0100
Von:     Studienzulassung@univie.ac.at <a12345678@unet.univie.ac.at>
An:     Recipients <Studienzulassung@univie.ac.at>

Sehr geehrte/r

Sie haben 1 neue wichtige Planungsnachricht

Klicken Sie hier, um zu lesen  <https://forcerealty.com/cgi>

Danke,

Universität Wien
Universitätsring 1
1010 Wien

Dies ist ein automatisch generiertes E-Mail; bitte keine Antwort an diese Adresse schicken!

There are many things to note about this email, from top to bottom:

  1. The subject claims that the email is urgent (“Dringende Infos”).
  2. It’s from a University of Vienna email address. But if you look more closely, you’ll see that it claims to be from Studienzulassung@univie.ac.at, but is really from a12345678@unet.univie.ac.at. That there are two different email addresses in the “From:” field is a warning sign in itself. (In this case, the real email address belongs to a student, whose account has probably been hacked.) What is more, the email address doesn’t match the narrative of the email. The email tells you about a “planing message,” but claims to hail from the department for student enrolment (”Studienzulassung”). Why would that department send you a “planning message” (whatever that is?). Are you involved in student enrolment?
  3. The email is not addressed to you in person. (“Sehr geehrte/r”)
  4. The email appears to be from some department of the University of Vienna, but asks you to visit a website that does not belong to the University of Vienna. You can see this because it’s domain part, that is, the part between “https://” and the next “/” reads “forcerealty.com”, so it does not end with “univie.ac.at”.

The points 2 and 4 of this list are each sufficient on their own to judge this email fraudulent.

Example 2

Betreff: DEANERY shared "schedule Oct-Dec(1).xls " with you.
Datum: 14.10.2019 14:28
Von: DEANERY <juzhuo@juzhuo.net>
An: "userID@univie.ac.at"<userID@univie.ac.at>

          Here's the document that DEANERY shared with you.

          This link will work for anyone.

          [1]

Links:
------
[1] https://chogoon.com/srt/4f2hn

Again, from top to bottom:

  1. The subject mentions that “Deanery” wants to share a file with you? Presumably, it’s the attackers best guess for “Dean’s office.” Do you expect the people who work there not to know the proper English term for their department?
  2. Did you expect to get a file from Deanery?
  3. The email implies that you should visit a website; presumably, it will ask you to download malicious software from there.

This email is a good example for the rule that you should ignore (or delete) emails that (1) are from people you don’t know, (2) come out of the blue, and (3) ask you to visit a website or open attachment.

Example 3

Betreff: CL meeting schedule.xlsx
Datum: 16.10.2019 14:04
Von: "Parsons, Michelle" <noreply@youtilita.co.uk>
An: "userID@univie.ac.at"<userID@univie.ac.at>

Hi,

Thank you for offering to find rooms for me for this schedule.   I can eventually attached it!
https://dw2.dropbox-eu.com/?73TE8nod7aaI5eaW-a1140479@univie.ac.at-dDi8Oo12312bO3I3Ez7iTOt4TiaI1sxY1OexrLZaasdd1234145nf8iG47oAy2PJOE46576opeOlH25EHp6ks66u078saahCg7taUu8Uto603aso4zTAagIOioag4KwiocFoAYat42

Thanks again
Michelle

This example is similar to example no. 2. An email that is from (1) somebody you don’t know, (2) comes out of the blue, and (3) and ask you to download a file. (In this case, it’s an Excel speardsheet that likely contains a macro virus.)

In case of doubt

If you’ve read the list above carefully, you will have noticed there are no hard and fast rules to determine whether an email is fraudulent. You have to use your judgement. If you aren’t sure, please get in touch with the department’s IT support. We are also happy if you inform us about any fraudulent email you got, so that we can warn others; in particular if it’s a well-crafted one.

  • No labels