Learn How Doxxing Attacks Work

Recently, news outlets reported threats to a U.S. Supreme Court justice. What began as a social media attack became potentially a physical assault. This type of attack is called “doxxing.” Doxxing is defined as publicly revealing previously private information about an individual or organization, usually via the internet.

Doxxing attacks often focus on a journalist or public figure–like a faculty member–over something they have written. An individual or group opposed to what’s published can severely disrupt the author’s life, and in extreme cases their safety is threatened. Doxxing frequently results in abusive phone calls and text messages, sometimes in conjunction with a social media campaign or series of emails designed to harass and intimidate the writer.

The first step to protecting yourself against doxxing is to find out what information about you is publicly available. Conduct online searches in multiple browsers (e.g., Google, Firefox, Safari) and find out what others can see. Then, request removal of private information you find listed on any website. Also, be careful what you share on social media, especially information that could be used to find you or your family, such as location data in photos or posts. The most important step is to secure all your accounts with strong passwords and multi-factor authentication whenever possible. Visit UF’s Information Security Office “Protect My…” webpage and learn more about keeping personal information private.

Identifying Deepfake Videos

Misleading content online becomes more sophisticated with each technology advancement. One type of “fake news” becoming more prominent across all social channels is the deepfake, a video that’s been modified to make the subject appear to be doing or saying something they did not.

Deepfake videos are made to fool viewers for a variety of reasons, including political agendas, financial gain, embarrassing a person or group, or blackmail. Public figures can be made to say things they never said, inciting viewers or followers to think a certain way and take action based on misinformation. A viral deepfake video supposedly of Tom Cruise has more than a million views. Here’s a breakdown by the video’s creator on how he utilized AI to construct the video: DeepTomCruise TikTok Breakdown.

It is possible to identify some deepfake videos by noticing changes in skin tone, jerky facial movements, or lip movements that do not match dialogue. But as the technology improves, these clues could become even harder to spot. If you have concerns about the authenticity of a video purporting to be from UF, please contact the department posting the video or send your concern to the UFIT Help Desk.

Enter Phishle Contest to Win Gift Card

The UF Information Security Office’s annual summer contest is open June 1 – 30, 2022. This year, all you have to do is play Phishle — UFIT’s information security take on the popular game “Wordle®” — to qualify for weekly gift card drawings.

Never played Phishle? Like Wordle®, Phishle is a word game. But Phishle focuses on players learning about social engineering terms such as phishing, smishing, vishing, and tailgating while solving the daily word puzzle. Phishle was launched in Spring 2022 by Spencer Fasulo, a freshman computer science major who interns with the Information Security Office (ISO). Before entering the Phishle contest, check out the ISO’s great new social engineering webpage. You’ll learn what to watch out for and be better equipped to complete the daily Phishle game and win a gift card!

Phishle players get an entry for each 10 words they find. After achieving 10 correct words, fill out the form provided with your contact information. Two gift cards will be awarded each week, with winners announced on UFIT’s Twitter and Instagram accounts. Gift cards will need to be picked up in the 720 Building by local winners. Winners residing outside of Alachua County will receive their gift cards via US Mail.

Social Engineering Pages Added to Website

UFIT recently added new pages to https://security.ufl.edu/ that educate about social engineering scams. The university community is a huge target for social engineering attacks–attacks that include phishing and smishing. By reviewing the social engineering webpages, Gators can learn the difference between everyday communications and an actual social engineering attack.

https://security.ufl.edu/resources/protect-my/socialengineering/

Received a text recently saying your UF email account will be suspended if you don’t certify your account via the link provided? Smish! UFIT has tracked significant growth in social engineering attempts like this in the past year. Social engineering attempts range from fake bank texts and “extended warranty” phone calls to emails pretending to be from UF professors offering $350 per week jobs. Having a large community on one network is extremely attractive for cyber-scammers. So, helping all Gators better understand which communications are legitimate and which are fraudulent keeps all of us safer from attacks.

It only takes one click on a malicious link to cause a world of hurt. Learn to recognize social engineering tactics and help secure UF! If you are unsure whether an email or text purporting to be from UF is legitimate, you can always ask the UFIT Help Desk for assistance.

Learn the UF Risk Assessment Process

UFIT is now offering integrated risk management (IRM) system training. The course focuses on the IRM process and responsibilities of system submitters, project owners, and the information security manager or technical contact listed on the assessment request. Log into myTraining and search for UF_ITT104_OLT to take the training.

Development of this training is in response to requests from information security managers and department staff who work with UFIT on risk assessments. The IRM training takes approximately 45 minutes to one hour to complete. Note that completing UF_ITT104_OLT will soon become mandatory in order to maintain either the UF_SEC_TECHCONTACT or UF_SEC_ISM security roles.

UFIT recommends all IT staff involved in university risk assessments take the training. For more information visit https://irm.ufl.edu/. Anyone with questions about the integrated risk management process may email the IRM team at irm-uf@ufl.edu.

Understanding Social Engineering

Social engineering is the term for exploiting human psychology, rather than traditional hacking techniques, to gain access to buildings, systems, devices, or data. For example, a social engineer might call a UF phone number and pose as an IT support person, trying to trick the employee into divulging passwords. David Maurer in The Big Con writes of 1940s confidence [con] men and how they gained the trust of victims. It’s the same in the 2020s: social engineers want to seem believable whether by email, phone call, text, or in person–they gain the victim’s trust to get what they want. Two types of social engineering techniques are employment scams and tailgating:

1. Employment scams are plentiful, and many, if not most, students have received an email advertising a 10-hour-per-week campus job earning $350 per week. Think twice before clicking on the links in an email advertising a job you didn’t inquire about.
2. Tailgating is when someone enlists your help to gain unauthorized building access. An example is when a person with an armful of packages asks you to open the door with your UFID card since they can’t reach theirs. You naturally want to be helpful, but someone now has access they shouldn’t.

UFIT is launching an updated social engineering webpage this spring. In the meantime, if you suspect an email you receive in your GatorMail may be phishing, report it to abuse@ufl.edu. And remember, Gators…be aware of who you are letting access UF residence halls, academic buildings, and other secure campus spaces.

Tech Resolutions For a Safer 2022

Staying cyber secure is a great new year resolution that won’t have you counting calories or committing to more exercise! By adopting some of the resolutions below, members of the UF community can make a huge difference to their overall cybersecurity safety (also known as “security posture”). Enhance your cyber footprint security by:

  1. Changing compromised passwords and creating different passwords for each account. Check for compromised passwords at https://haveibeenpwned.com.
  2. Activating multi-factor authentication (MFA) on critical accounts like email, banking, and social media. Find out which of the sites you use support MFA by visiting https://2fa.directory.
  3. Deleting old social media accounts and other accounts you no longer use.
  4. Reviewing privacy and security settings on social media accounts and other sites at least once a year.
  5. Removing unused apps from mobile devices. Unused apps are like unused accounts–they store information that can be used against you if they’re compromised.
  6. Creating a guest network for visitors to your home. If you have smart devices like Ring or Nest, consider creating a guest network for those items. Then if the smart devices get compromised, your home network will still be protected.
  7. Thoroughly deleting (“wiping”) all electronic devices before donating or disposing of them, or having them shredded by a trusted vendor. UF Surplus manages the secure disposal of electronic media and electronic waste of university technology.

For more ways to be cybersafe in 2022, check out the email safety and computer protection boxes on UF’s Information Security Office website homepage.

Threat to Suspend Your Social Security Number is a SCAM

Con artists pretending to be with the Social Security Administration (SSA) are utilizing email, text messages, and phone calls to scare people into providing money and/or personal information. Remember: The SSA will never threaten, scare, or pressure you to take an immediate action.

It is a SCAM if someone…
● Warns of imminent arrest or legal action
● Requests payment by gift card, prepaid debit card, internet currency, or mailing cash
● Pressures you for personal information
● Requests secrecy
● Threatens to seize your bank account
● Promises to increase your Social Security benefit
● Says they have evidence against you, or uses the name of a real SSA official

How to protect yourself from Social Security-related scams:
1. Stay calm. Do not provide money or personal information when you feel pressured, threatened, or scared.
2. Hang up on the caller or ignore the text or email.
3. Report Social Security-related scams. If you receive a suspicious call, text, or email that mentions Social Security, report it to the SSA Office of the Inspector General (OIG). Do not be embarrassed if you shared personal information or suffered a financial loss.

UF’s Information Security Office has an Identity Thefts and Scams webpage where you can learn more about the techniques used by cyber criminals.

Safe Travel is Smart Travel: Cyber Vigilance

As flights and hotel bookings surge past pre-pandemic levels, travelers should prepare for a busy holiday season. Crowded airports can be an early holiday gift for identity thieves. Don’t let the chaos of the airport cause you to let your guard down. Gators, remember while traveling over the break period to:

Avoid public Wi-Fi. If you must use free Wi-Fi in airports, cafes, or in hotels, use a VPN to connect. Also, double-check the network’s name (SSID) before connecting. You could unknowingly connect to a spoofed network or someone else’s hotspot, which means what you type could be seen and copied by others.

Beware of vacation rental scams. While perusing Airbnb or Craigslist for a rental, be alert to an offer that’s too good to pass up. Before booking an accommodation online, research the address and owner’s name, and check whether the property reviews go back more than a few weeks. Check for multiple ways to contact the owner.

Disable auto-connect features. Most phones enable automatic connections for Wi-Fi, Bluetooth, and location services. These features allow others to track your location or send malicious files to your device. Keep these settings disabled when you are not using them!

Visit https://security.ufl.edu/resources/traveling-abroad/ for more cyber tips for travelers.