Increased Phishing Attack Activity and Enabling Passwords

We have recently seen an uptick in phishing attacks targeting the MIT SHASS community.

These attacks include, but are not limited to, bad actors sending fake IT notices about account status, "unlocking" new IT features, or performing some kind of fictitious security verification to trick users into clicking a link or downloading a malicious payload.

This is in addition to bad actors impersonating the Dean, faculty members, and faculty section heads to grift cash cards. These stylized "Are you there?" attacks take advantage of a user's lack of familiarity with the impersonated sender, as well as of the user's trust in that person. Please be advised that if you receive any email like this, it is a phishing attack. If you have any doubts, send a NEW email directly to the person you believe sent you the suspicious message and ask them whether they sent it; do not reply to the suspicious message itself.

These attacks can and DO originate from MIT addresses, usually from compromised on-campus machines.

INFECTING BY PHYSICAL ACCESS
----------------------------

Some of you may have heard the hacker's mantra: "Physical access is full access." If a bad actor can physically access your machine, your machine can and will be hacked in seconds. Many attackers use special USB tools that emulate keyboards and can deliver a malicious payload in seconds. Physical USB attacks are easiest when users do not require a password when their machine starts up or do not require one when the machine wakes from sleep. This is the computer equivalent of leaving the doors to your house unlocked.

But a hacker with special tools isn't necessary for a machine with its doors unlocked to be compromised and infected. Any unauthorized off-hours user of your machine surfing the web to play free internet games or browsing porn sites could also infect your machine with bad stuff, especially if they are told to "download this package" in order to watch the video or play the free game.

Going forward, we recommend that all users, especially our administrative staff:

1) Discontinue using automatic login on their machines if it is enabled.
2) Turn on their screensaver if they haven't already.
3) Require a password after waking their Mac or Windows machine from sleep or after the screen saver begins.

HOW TO DO THIS:

MAC USERS
---------

1) Disable Automatic Login on a Mac:

https://www.intego.com/mac-security-blog/mac-security-tip-disable-automatic-login

2) Require a Password after sleep or screen saver begins:

https://support.apple.com/guide/mac-help/require-a-password-after-waking-your-mac-mchlp2270/mac

3) How to display a screensaver on your Mac:

https://support.apple.com/en-us/HT204379

WINDOWS 10 USERS
----------------

1) Disable Automatic Login in Windows 10

https://www.securicy.com/blog/how-to-disable-automatic-login-in-windows-10

2) Require a Password after sleep or screensaver begins in Windows 10:

https://www.pcworld.idg.com.au/article/581512/make-windows-10-ask-your-password-when-wake-up-your-laptop

3) How to enable Screensaver in Windows 10:

https://www.windowscentral.com/how-enable-screen-savers-windows-10

4) How to enable the screensaver password in Windows:

https://www.securicy.com/blog/how-do-i-set-a-windows-screen-saver-password
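For staff who want to confirm that the three Windows 10 settings above are actually in place, the following read-only audit script is an added example (it is not part of this notice and not from any of the linked articles). It assumes the standard Winlogon and Control Panel\Desktop registry values and the CONSOLELOCK power-setting alias exist on the build in use; the 15-minute idle ceiling is an assumed threshold, not a SHASS policy.

```powershell
# Added audit script: reports which of the recommendations above are NOT in place.
# Read-only; run it as the user whose session is being checked.
function Test-LockDownSettings {
    $findings = @()

    # 1) Automatic login: AutoAdminLogon = "1" means the machine signs in unattended.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        $findings += 'Automatic login is ENABLED (AutoAdminLogon=1); disable it.'
    }
    if ($null -ne $winlogon.DefaultPassword) {
        $findings += 'A DefaultPassword value is stored under Winlogon; remove it.'
    }

    # 3)/4) Screensaver enabled, idle timeout, and "On resume, display logon screen".
    $desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
    if ($desktop.ScreenSaveActive -ne '1') {
        $findings += 'Screensaver is not enabled (ScreenSaveActive is not 1).'
    }
    if ($desktop.ScreenSaverIsSecure -ne '1') {
        $findings += 'Screensaver does not require a password (ScreenSaverIsSecure is not 1).'
    }
    # Assumed ceiling: more than 15 minutes (900 s) of idle time before locking is too long.
    if ($desktop.ScreenSaveTimeOut -and [int]$desktop.ScreenSaveTimeOut -gt 900) {
        $findings += "Screensaver idle timeout is $($desktop.ScreenSaveTimeOut)s; shorten it."
    }

    # 2) Password on wake from sleep: power-plan setting, checked for AC and battery (DC).
    $out = powercfg /QUERY SCHEME_CURRENT SUB_NONE CONSOLELOCK | Out-String
    foreach ($m in [regex]::Matches($out, 'Current (AC|DC) Power Setting Index: 0x([0-9A-Fa-f]+)')) {
        if ([Convert]::ToInt32($m.Groups[2].Value, 16) -ne 1) {
            $findings += "Password on wake is OFF for $($m.Groups[1].Value) power."
        }
    }

    if ($findings.Count -eq 0) { 'All recommended lock settings are in place.' } else { $findings }
}

Test-LockDownSettings
```

Each line of output names the setting that still needs attention; an empty finding list means the machine already matches the recommendations.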

Please let us know if anyone needs help doing any of these things. As always, please let us know if there are any questions or concerns.