Information Security
Matters of information security concern all of us — we are all responsible for the security of data and systems entrusted to us. We have compiled some advice on this topic in this section.
Current News
Spoofing Attack: Fraudsters sent e-mails appearing to come from the University of Cologne 2024-05-20
Online scammers have sent e-mails over the Pentecost weekend with the subject “Unfortunately I have bad news for you”. Some of these e-mails went to e-mail addresses at the University of Cologne, but mostly these were sent to external recipient addresses.
In terms of content, these emails were an attempt at blackmail. We have displayed warnings on our website about precisely this situation for several years.
The main feature of these e-mails was that the sender made them appear as if they had been sent directly from the University of Cologne when in fact this was not the case.
Unpeeling the first layer of the Onion
At first glance, the e-mails attempt to coerce the recipient and pressurise them to pay the fraudsters. The name or e-mail address of the recipient is used as the visible sender to pretend that the fraudster has access to the victim's mail account. However, the fraudsters do not have access, because it is merely a fake sender. This scheme is detailed on our page on phishing.
Unpeeling the second layer of the Onion
At second glance, the e-mails appear to have been sent via the mail servers of the University of Cologne. To achieve this, the fraudsters used the host name of UoC's webmail system and configured their own mail servers to announce themselves under that University of Cologne server name. Of course, the scammers cannot redirect real e-mails to the wrong server in this way, but they can make it appear as if the University of Cologne were responsible. Complaints about these unsolicited e-mails then end up being directed back to the administrators of the mail systems at the University of Cologne.
Unpeeling the third layer of the Onion
As mentioned, with this technique the fraudsters cannot actually send from the University of Cologne mail systems. The mail servers of the recipients of these fraudulent e-mails will notice that the e-mails are not really coming from mail servers of the University of Cologne. Nevertheless, the receiving mail server records the alleged sending server's name together with the technical mismatch in the e-mail header. In addition, the receiving mail server also records the actual IP address of the sending mail server, because this IP address cannot be faked as easily as the sender domain. This IP address allows recipients of the fraudulent e-mails to establish with which server operator they should file their complaint, and a complaint can be directed at this server operator, as they are ultimately responsible for these scam e-mails being sent.
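The trace described above (the announced server name versus the IP address the connection really came from) can be read out of the Received headers that the receiving mail server writes. The following is an added example, not code from the RRZK page: it parses the first Received header of a constructed sample mail, extracts the announced host name and the connecting IP, and flags the combination "claims the impersonated domain but connected from outside its expected networks". The host names, addresses, the impersonated domain and the expected-network list are constructed assumptions for the demonstration, not the University of Cologne's real values.

```python
"""Added example (not part of the RRZK page): telling the *claimed* sending
host in a Received header from the *actual* connecting IP address.

Receiving mail servers record, for every hop, the name the connecting server
announced in its SMTP HELO/EHLO and the IP address the connection came from.
A spoofer controls the announced name but not the connecting IP, so a mismatch
between the two is the trace the page describes.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the outermost hop claims to be the university webmail
# host, but the recipient's server saw the connection come from elsewhere.
SAMPLE_MAIL = """\
Received: from webmail.example-uni.invalid (unknown [203.0.113.77])
        by mx.recipient.example (Postfix) with ESMTP id 4F2A1
        for <victim@recipient.example>; Mon, 20 May 2024 09:12:03 +0200
Received: from [10.0.0.5] by webmail.example-uni.invalid with SMTP; Mon, 20 May 2024 09:11:58 +0200
From: victim@recipient.example
To: victim@recipient.example
Subject: Unfortunately I have bad news for you

(body omitted)
"""

# Networks the legitimate mail servers of the impersonated domain use
# (constructed placeholder; a real check would consult the domain's SPF record).
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IMPERSONATED_DOMAIN = "example-uni.invalid"  # constructed placeholder

# "from <helo-name> (<rdns> [<ip>])" as written by common MTAs such as Postfix
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)


def parse_received(header: str):
    """Return (helo_name, rdns_name, ip) for one Received header, or None."""
    m = RECEIVED_RE.search(header.replace("\n", " "))
    if not m:
        return None
    return m.group("helo"), m.group("rdns"), m.group("ip")


def analyse(raw_mail: str) -> dict:
    """Examine the hop that entered our own infrastructure and test its claim."""
    msg = message_from_string(raw_mail)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    if not hops:
        return {"verdict": "no parseable Received headers"}
    # Received headers are prepended, so the first one was written by our own
    # server; the IP it recorded is the one the spoofer could not fake.
    helo, _rdns, ip = hops[0]
    addr = ipaddress.ip_address(ip)
    claims_domain = helo == IMPERSONATED_DOMAIN or helo.endswith("." + IMPERSONATED_DOMAIN)
    ip_is_expected = any(addr in net for net in EXPECTED_NETWORKS)
    mismatch = claims_domain and not ip_is_expected
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    return {
        "claimed_host": helo,
        "connecting_ip": ip,
        "from_domain": sender_domain,
        "helo_mismatch": mismatch,
        "verdict": (f"spoofed: announces {IMPERSONATED_DOMAIN} but connected from {ip}; "
                    f"a complaint belongs to the operator of {ip}")
                   if mismatch else "no HELO/IP mismatch for the impersonated domain",
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

Only the outermost Received header is trusted here, because every header below it was written (or could have been written) by the sender; this is the same reasoning the page gives for why the connecting IP address, unlike the announced name, survives as evidence.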
Beware of fake mails - new Giftcard Scam Attack 2023-08-02
A group of fraudsters is currently trying to obtain money by sending e-mails that appear to come from the respective superiors. E-mails that appear genuine at first glance but come from an external e-mail address claim that the facility management is in urgent need of gift cards/vouchers that should be purchased as quickly as possible. We have compiled more information about the so-called gift card scam under the following link: https://rrzk.uni-koeln.de/en/information-security/it-security/gift-card-phishing-scam
Please do not get involved in this scam! It is easy to find out the name of a facility's superiors through the websites, so a fake e-mail is written quickly. So look carefully from which address the e-mail came! If in doubt, ask your superiors by other means whether the e-mail was genuine or faked!
Beware of a Fake Email from the Federal Police / "Bundespolizei"! 06.07.2023
A fake e-mail from the Federal Police with a "mandate for legal proceedings" has caused uncertainty among some users. Part of the e-mail is a graphic file containing a letter with the heading "for your attention". This type of scam mail aims to mislead users into contacting a Google mail address. The "real" Federal Police would never do that. Please ignore this request and delete the mail. Further measures in this context, such as changing your password, are not necessary.
Beware of Phishing Attempts! 21.02.2023
Beware of a new wave of phishing attempts! Currently we are detecting an increasing number of attempts to obtain access and account data from university members. An e-mail claiming to be from the "IT Service Desk" contains a link to a fake website. Please ignore this mail and delete it directly – and please do not click on the link.
How you can recognize phishing mails and check the sender addresses or the links they contain is well explained by the "Secuso" team, see https://secuso.aifb.kit.edu/1047.php
Warning: Dangerous emails with encrypted zip files 09.11.2022
Since around calendar week 45, e-mails containing an encrypted zip file as an attachment, with the decryption password stated in the text of the e-mail, have increasingly been sent to UoC recipients. These files contain malware. If you have received such an e-mail, it is best to delete it immediately. Do not under any circumstances open the attached file.
These emails are more sophisticated scam emails than previously common. The fraudsters automatically create emails whose aim is to exploit a relationship of trust between the supposed sender and recipient. At first glance, the emails look as if they were messages addressed to you personally. The following techniques, among others, are used:
- The sender of the email appears to be a person with whom you have had email exchanges in the past.
- Your name or the name of someone you work with appears in the subject line.
- The subject corresponds to that of an email exchange in which you are currently involved.
- The body of the fraudulent email contains a quote from a previous email exchange in which you were involved.
- The text of the email mentions the University of Cologne or a subunit (working group, faculty, ...) where you work or with which you collaborate.
Don't let this apparent proximity fool you! These are automatically generated emails that serve the sole purpose of tricking you into opening the email attachment. As mentioned at the beginning: Please do not open such attachments, even if the email contains the password needed to open the file.
In addition, these “better” scam emails also use the usual means to put the recipient under pressure. This procedure is the same as that common with “classic” phishing emails. For example, sometimes there is talk of an “invoice” that needs to be paid or of an “invoice correction”. Another distinguishing feature of these fake emails is that the reference to a previous email exchange is only formal. In most cases, the supposed “answer” does not match the previously written and quoted text in terms of style, approach or content. An email with a “slapped-on” attachment, without any further explanation and without any prior agreement, should also make you suspicious.
Background Information
The fraudsters act cleverly and try to reach more and more victims. Once they find a first victim who has fallen for the scam and opened the file containing the malware, the scammers can gain control of the victim's PC. From there, they copy the victim's stock of e-mails and analyze them. In this way they can automatically find out who is in regular e-mail contact with whom. The criminals use the information obtained in this way about relationships between people (sender, recipient, CC recipient) and e-mails exchanged in the past to automatically generate e-mails that roughly look as if they came from someone you know and concern a topic you are familiar with. In this way, the fraudsters move on to the next victims in the original victim's environment. If you receive such a scam e-mail, you can assume that someone close to you has fallen for this scam in the past (this does not necessarily have to be the supposed sender of the e-mail you are receiving, and the incident may have happened some time ago).
The fraudsters also use the technique of "senseless encryption" (an encrypted file with the key included) to hide the contents of the file from virus scanners: as long as the file is encrypted, the dangerous content cannot be detected automatically. If the file were unencrypted, the e-mail would generally not even be delivered, because the file in question would already be recognized as virus-infected on the mail server. However, this "pointless encryption" also gives the scam away, because no sensible person would transmit the password that removes the encryption on the same channel as the encrypted data. In that case the encryption could just as well be omitted, since every recipient of the encrypted data can make the original data readable again, whereas encryption is actually meant to protect data from arbitrary access.
Therefore, you can also recognize attempted fraud by this feature (encryption, which only serves the purpose of hindering detection by virus scanners).
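The feature named above (an encrypted zip attachment plus the password in the same message) is something a mail gateway can test for without ever opening the archive. The following is an added example, not code from the RRZK page or its mail system: it builds a constructed sample mail with a harmless zip whose directory carries the "encrypted" flag, then applies a quarantine rule that fires only when such an attachment and a password phrase in the body occur together. The sender, recipient, file name and password phrase are constructed; the header-flag check uses bit 0 of the general-purpose flags defined in the ZIP format.

```python
"""Added example (not part of the RRZK page): a gateway-style rule for the
"senseless encryption" pattern, i.e. an encrypted ZIP attachment together
with the decryption password quoted in the message body.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Password phrases in English and German; constructed for the demonstration.
PASSWORD_RE = re.compile(r"\b(?:password|passwort|kennwort|pw)\b\s*[:=]?\s*\S+", re.I)


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry's general-purpose flag bit 0 ('encrypted') is set.
    Only the central directory is read; nothing is extracted or decrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def body_mentions_password(msg) -> bool:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return bool(PASSWORD_RE.search(text))


def classify(raw: bytes) -> dict:
    """Return what the rule saw and whether the mail should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    encrypted_zip = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in ("application/zip", "application/x-zip-compressed") \
                or name.endswith(".zip"):
            if zip_has_encrypted_entries(part.get_payload(decode=True)):
                encrypted_zip = True
    password_in_body = body_mentions_password(msg)
    return {
        "encrypted_zip": encrypted_zip,
        "password_in_body": password_in_body,
        "quarantine": encrypted_zip and password_in_body,
    }


def make_fake_encrypted_zip() -> bytes:
    """Constructed sample: a ZIP whose headers claim the entry is encrypted.
    Python cannot write encrypted ZIPs, so bit 0 of the general-purpose flags
    is set by hand in the local header (offset 6) and the central directory
    header (offset 8); the content itself is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", "harmless placeholder content")
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def build_sample_mail(with_password: bool) -> bytes:
    """Constructed sample mail in the style the page describes."""
    msg = EmailMessage()
    msg["From"] = "colleague@partner.invalid"
    msg["To"] = "victim@example-uni.invalid"
    msg["Subject"] = "Re: invoice correction"
    text = "Hi, please see the corrected invoice attached."
    if with_password:
        text += " Password: 1234"
    msg.set_content(text)
    msg.add_attachment(make_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print("with password   :", classify(build_sample_mail(True)))
    print("without password:", classify(build_sample_mail(False)))
```

Reading only the central directory is deliberate: the rule never needs the password or the plaintext, which is exactly the point of the page's observation that the encryption serves no purpose other than hiding the content from scanners.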
Warning about fake invoices from Böttcher AG. Malware attached! 04.10.2022
E-mails purporting to come from the company Böttcher AG are currently being sent to members of the University of Cologne. The fake e-mails contain malware in the attachment; the supposed invoice is the bait meant to entice users into opening it.
Please delete this email immediately and do not open the attachment there! In general: Be careful and check the sender address of emails for plausibility before opening them.
Danger! Phishing attempt warning!
Attention: If you have received an e-mail with the subject "Unusual activity has been detected in your account [...]" or "Dear email User", please delete this e-mail immediately and, above all, do not follow the link provided!
IT Security Awareness Days at German universities in the summer semester of 2022
The IT Security Awareness Days are organized jointly by several German universities and will take place for the third time from May 2nd to May 19th, 2022.
The online event series consists of lectures on information security organized by various universities. In addition to the University of Cologne, the following are involved: TU Braunschweig, TU Darmstadt, University of Hildesheim, KU Eichstätt-Ingolstadt, University of Göttingen/GWDG, University of Marburg, University of Osnabrück, Leuphana University of Lüneburg, University of Duisburg-Essen. The lecture topics, ranging from "Security in the Home Office" to "Social Engineering", are mostly aimed at users without prior knowledge. However, there are also lectures for technically experienced people.
Particularly recommended: Participation in the “Cybersecurity Escape Room”, where you can put your information security knowledge to the test in a puzzle!
You can watch all lectures at:
https://blogs.tu-braunschweig.de/it/it-sad-it-security-awareness-days-sommersemester-2022
Cybersecurity game – Gain experience in IT security while playing
At https://www.bakgame.de/ you can easily acquire knowledge of cybersecurity, phishing and secure computers through games. Try it!
From now on you will find the latest news from the area of IT security here!
The tasks of the newly founded Security Operations department also include information and communication on IT security-related topics. We regularly post one or two pieces of news here that might be important or interesting for you as a user at the University of Cologne - such as security messages or phishing warnings. "Stay tuned"!
Warning of scam email with subject “Alert: Email Outgoing Blocked” 08.01.2023
In the last few days, scam emails have been sent with the subject “Alert: Email Outgoing Blocked” [sic]. It falsely claims that the email account must be renewed via a specific website or will otherwise be blocked. Of course, these emails are just an attempt to trick you into entering your login details on a fake website.
As always, the following applies to such emails: Please do not fall for this scam, it is best to delete the message in question immediately.
If you have received such an e-mail, believed it to be genuine and entered your login details on a third-party website, please change your password as soon as possible via the uniKIM system.
You can find further information and explanations on this topic on the RRZK websites.
The 10 Golden Rules of Information Security
1.) Secure your computer, your workspace, and your documents!
Your computer is the last barrier between you and your data. Make sure no-one but you has access to your device. This also applies to your physical workspace, e.g. your office desk, and all documents, records, and files stored there. Please ensure that such documents are locked away securely and inaccessible to others so that no-one can inspect, remove or damage them. In practice, appropriate measures include:
Lock your computer (or sign out of your account if you share a device) as soon as you leave your workplace, even if it is just for a short time.
Lock away all confidential documents, including external data media such as hard drives or USB sticks.
Check if data encryption is a feasible option for your data. Current operating systems can carry out device encryptions by default if the corresponding setting has been turned on:
Microsoft: Turn on Device Encryption
2.) Keep your software up-to-date!
Update prompts and security alerts can be bothersome — and oftentimes they are ignored or clicked away. However, unpatched security holes make systems and software unsafe to use: third-party attackers may be able to compromise your device by exploiting them. To prevent this, update your software regularly, especially when the software asks you to do so as soon as possible! Your operating system, your internet browser, and your PDF software have the highest priority in this regard, as they are the most exposed software. For this reason, always pay attention to security alerts.
3.) Take caution when using external drives!
USB sticks, external hard drives and other such storage media may pose significant security risks. These devices can introduce malware into your device, your network or the network of the university. Never connect external drives whose origin you do not know (e.g. because you found them somewhere) to your computer or portable devices. Be careful when using external drives from third parties like colleagues, friends, and family — their drives may be compromised without their knowledge.
4.) Use secure passwords!
The most important advice for this is: Do not use the same password for all services! Otherwise a password illegally obtained in e.g. a cyber attack may be used to compromise more than one account and/or system. If you use the same password for your private online shopping and your business accounts, one security breach in one automatically puts the other one at risk as well.
5.) Never share your login details with others!
Never share your login details or passwords with others for any reason, not even WiFi or VPN access. Just don’t.
This applies to the login details of all accounts you may have for digital services. Please note that the terms and conditions of your university account explicitly prohibit sharing your account data with third parties. Doing so may result in your account being blocked, and further action under German labour law may be taken against you.
6.) Backup your data on a regular basis!
A regular backup of your data is important to prevent data loss in the case of hardware defects or other issues. Without a backup you risk losing access to all of your data in the case of crashes, malfunctions or compromises. Please bear in mind that this also applies to data on external drives.
USB sticks in particular are prone to data losses and should not be used as a backup medium.
Backup on MacOS using "Time Machine": Apple: Time Machine Backups
The University of Cologne also offers the use of TSM as a backup system for advanced users.
7.) Treat sensitive data responsibly!
Save data on trustworthy drives such as SoFS or internal network storage only. Be cautious when choosing storage locations for your data and its backups — sensitive data does not belong on third-party storage options such as Dropbox.
If you are unsure which data should be saved where, please do not hesitate to reach out to the RRZK help desk to address your questions or be redirected to the appropriate point of contact.
Never share information thoughtlessly with third parties. When discussing sensitive or business-related matters, always make sure to ask yourself which information and how much information is appropriate to share. This applies to all kinds of information regardless of its source or the medium of communication.
A responsible treatment of the data entrusted to you also includes the ability to delete data correctly, comprehensively, and irretrievably. You can find an introductory guide for this here.
8.) Be wary of Phishing and Spam
Phishing attempts and spam e-mails have existed ever since communication went digital. The number of phishing attempts has evidently and considerably risen worldwide in recent months and years. Our university is no exception here.
Be careful and stay calm if you should ever receive an e-mail that tries to extort money from you, threatens an account ban unless you log in to your account on a certain website, or puts you under any other kind of pressure. Phishing e-mails will also ask you to use sensitive login data on external or faked websites.
Make sure to check the sender, e-mail address, and the website you are being redirected to very carefully.
Never enter any sensitive account data on any website that looks even the slightest bit suspicious.
When in doubt, please always consult the RRZK help desk to discuss your concerns and find out if any kind of action on your part is required.
We have compiled some more useful information on phishing on this info page.
We have also made some example e-mails from recent phishing attempts available on our website (German only).
There is a host of information on spam and phishing available on external websites, e.g. from Cisco here.
Please also be wary of spear phishing, a highly targeted and well-disguised kind of phishing attempt.
For more information on spear phishing, you may also want to read through this article on CSO Online.
By the way: Forging e-mails is as easy as sending a postcard under a false name. If you are not sure whether an e-mail you received was sent from the person named as the sender, check back with that person using a method of contact that you know is only accessible by that person. A quick phone call can often clarify the situation and prevent harm.
9.) Business / Private / Administration: Use separate accounts whenever possible!
Separating your business from your private life is always a good idea, and that is true for IT matters as well. Create different accounts for different purposes so that your data and your software are kept separate, which avoids putting a lot of information and data at risk at the same time.
It is also advisable to use a local user account on your device.
This has been the standard for MacOS and Linux systems for some years now, but it will have to be set up separately if you use Windows 10:
10.) Ask questions and keep yourself informed!
If you are unsure whether cryptic error messages or suspicious messages are legitimate, do not hesitate to reach out to the appropriate support services. For the University of Cologne, the RRZK help desk can answer most of your questions or redirect you to the appropriate service or point of contact.
Large-scale phishing attempts at our university are also warned of on the RRZK website. This can be a useful resource for surveying the general situation if e.g. you receive a suspicious e-mail.
Most importantly: Keep calm, and do not let yourself be put under any kind of pressure.
Situations of mental pressure make it harder to judge the overall setting and may lead to significant misjudgments.
Do not be afraid of asking too many questions if you are ever in doubt regarding issues of information security.
Contact
If you have any questions or problems, please contact the RRZK-Helpdesk