• As computing devices become increasingly numerous and increasingly portable, they become much easier to lose — or to have stolen. Recently, phones and computers have gone missing even from within SoM offices and labs. Any employee who's lost a device that is being used for Stanford business, whether

    Reporting a Lost or Stolen Device

Check the whole URL

A few days ago, someone sent us this example of a phishing email, which she correctly identified as a scam. It’s a good example of how scammers will try to disguise a fraudulent link using words you might recognize:

From: Stanford University© <xxxx@nyu.edu>  [Would a Stanford email come from NYU?]
Date: July 21, 2014 at 9:00:33 AM PDT
To: undisclosed-recipients:;
Subject: Re-Notification Update!!!

Your two incoming mail has been placed on hold, click on the link http://secure-weblogin-stanford-edu.yolasite.com/ to reactivate it,

Copyright © 2001-2014,© Stanford University. All Rights Reserved..
SU Home Maps & Directions Search Stanford Terms of Use Emergency Info
© Stanford University.  Stanford, California 94305. Copyright Complaints Trademark Notice

Now, the rest of the email already makes it pretty clear that it’s a scam. But if we just had the URL to consider, we can see what it’s using as a disguise. It has some of the words you should look for — “secure,” “weblogin,” “Stanford,” — BUT there’s more between the first set of slashes that’s a dead giveaway: the real domain is yolasite.com, which means it’s definitely not a real Stanford address. A real Stanford address may have a variety of words between the first set of slashes, but will always end the address with stanford.edu, so that the format looks like this: http://xxxxxxxxxx.stanford.edu/

And even if the link text seems to be formatted correctly, the true link, revealed by mousing over the text, will show you where it’s really leading you. Always check and make sure you know where you’re going, before clicking on a link; stay safe out there!

Phishing: Two Strategies

The goal of a phishing scam is to get you to provide the scammers with your personal, private information; in order to do that, they have to get you to click on their link. Two scams recently sent to us illustrate two common, yet opposite, strategies. An interesting twist is that both emails actually use the concept of email security to gain your trust: hey, if it’s about security, it must be a legitimate email, right? That’s why it’s very important to check any link in any email before you click on it.

Scared into Submission

This is a very common technique: the scammer, usually pretending to represent a trusted institution, presents you with a problem that’s meant to scare you into immediate action, and then provides you a link in order to “fix” your “problem.” In this case, they’re pretending to be Google, and they’re threatening to shut off your email account—unless you click the link. Often, as in this case, scammers use the term “verification,” as if reassuring you that you’re not revealing anything they don’t already know; “verify” is always a warning sign. The email’s grammar and spelling is already dodgy, and hovering over the link reveals that it’s a fake.

Dear xxxx@stanford.edu ,Sorry you are seeing this.
We are doing a spam and fraudulent verification survey.Please its very important you participate in this survey to help us serve you better.Move message to Inbox and perform this verification survey.
Click here to help you perform this verification survey.
The achievement of this survey is to track and shut down fraudulent user and phising domain to help improve and make your mailing system better.Please If a verification response is not gotten from you in the next 24 hours, we will assume you are a fraulent user and shut down your mail account, till after proper verification recovery before you can access you mail account again.Thanks.
All Domain 2014 Team.

powered by: Google+

Under the Radar

This is the type of phishing scam that’s trying to slide under your radar. Rather than scare you, it’s trying to lull and/or bore you. It’s pretending to be a routine business email. Terse and to the point, it’s trying to be an innocuous everyday communication. It seems important, but not that interesting: just the kind of thing you’d be likely to click on, just to clear your inbox. Hovering your cursor over this link reveals that it’s a website based out of India, not Stanford. (We’ve removed the link; we don’t want anyone to actually click on it.)

From: Stanford University <server@stanford.edu>
Subject: You have (1) new Security Mail
June 16, 2014 6:40:46 AM PDT
Reply-To: Stanford University <server@stanford.edu>

Dear User,
You have (1) new Security Mail.
Kindly CLICK HERE to read now.

© Stanford University. Stanford, California 94305


Scam: “WebLogin Updates”

Currently circulating around campus is a very sneaky phishing scam. With a graphic made to look like a Stanford webpage, it wants you to click on a link to “update your account.” Several people forwarded this to us, cleverly noticing that it is a fake. Thanks for passing it along.

Scammers can be very adept at stealing and altering graphics, so always look closely at your email, and trust your instinct if something seems wrong. Warning signs about this one include: the “From” Address (not a Stanford domain), and the strange language about WebLogin included in the message itself. As always, if you receive a message like this, don’t click on anything, and just delete it.

If you clicked on the link and shared any account information, change your password right away; if you have any questions, contact IRT Security.


Fake Weblogin

About: WindowsXP Secure Network

In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.

Some equipment may be granted an exception, if the WindowsXP device is used to run equipment where a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that offers additional protections to make up for the lack of software patches.

If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.


Standards for the WindowsXP Secure Net include:

  • Network subnets for XP machines are limited to a range of 14 devices each (/28) to limit the risk to others should one of the machines become compromised.  No traffic between these networks is allowed.
  • Data transfers out are allowed, but no email or web services out – incoming traffic is severely limited as well.

Network Firewall Rules:

  • All outbound SMTP and WEB access is blocked from the WindowsXP Secure subnets.
  • Outbound file transfers allowed to Stanford hosts, other off-campus outbound is blocked.
  • Inbound ping and traceroute are allowed but nothing else.
  • In the case of remote management, from on-campus, we can set up VPN access to the XP devices.

Other Rules for Devices on the Network:

  • Local firewall rules on the computers should be set to disallow incoming communication other than specific port/protocol that may be required to support the primary function of the system and/or the device to which it is attached.
  • Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
  • No USB input to the WinXP device without special circumstances.  Transfers should be done on the network.  Software License USB Keys are allowed to use the USB Ports.
  • BigFix client installed, but in the cases where BigFix may interrupt ongoing work processes, it’s optional.

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible.  Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network to provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Linux Security Flaw Discovered; Users Should Update Now

Attention, Linux users: Developers have just announced the discovery of a serious security flaw in the GnuTLS library, affecting many, many open source applications and software packages. This includes users of Red Hat, Debian, and Ubuntu, among many others.

Similar to the newly-discovered iOS security bug, the Linux bug leaves users vulnerable to eavesdropping. Because it causes errors in the verification of security certificates, the bug makes it easy for attackers to bypass SSL and TLS connections in any website or application that uses that particular library, allowing them to eavesdrop on—and decode— encrypted traffic.

Developers recommend that all users update GnuTLS to version 3.2.12

For more information, see this article at arstechnica.com.

Important Apple iOS Update: Fixes Security Flaw

Attention, users of Apple devices: Just this weekend, Apple released a security update for iOS that fixes a major security problem in their software. Without the update, your iPad/iPhone/iPod Touch is left vulnerable to having your private information intercepted, while you’re using public WiFi connections.

Apple strongly recommends that iOS users update to the latest version of the software, available by connecting your device to iTunes and clicking “Check for updates,” or by opening the “Settings” app on your device and then selecting “General” and then “Software Update.”

Apple as yet has no patch for the same flaw in desktop/laptop systems, so in the meantime, you should avoid using insecure public WiFi (like at a coffee shop or airport) for transactions involving personal or financial information.

For more information about the problem, you can read this Slate Magazine article.

Scam: “Greetings everyone!”

There’s been a phishing scam circulating on campus lately that has been submitted to us by several members of the Stanford Medicine community—because it’s being widely circulated, and because it’s also got some glaring warning signs that people have spotted right away.

This phishing scam employs the strategies of vague-enough-to-seem-relevant, and mundane-enough-to-seem-safe.  Yet even in such a short email there are numerous strange phrases and misspellings. But the biggest warning sign is the URL, in red below: it’s not even close to a Stanford address. Yes, it’s a fake.

Thanks everyone for checking before you click, and letting us know when you find scam emails!

Below is the email text:

From: “© Stanford University” <knbrevard@email.wm.edu>
Sent: Wednesday, February 19, 2014 1:40:07 PM
Subject: Greetings everyone!

Stanford University
450 Serra Mall
Stanford, CA 94305-2004

Deal All

A private message have been sent to you by the HEAD of department. Use
the link below to Login and view your message.


HEAD of department
Info Centre stanford
(c) Stanford University. All Rights Reserved.

Scam: “SSL VPN Access”

Here is a new twist on a by-now-familiar scam. They’re warning you that access to something will expire soon, unless you take action: the service in question this time is the VPN.

The target link is very sneaky: the linked text in the email leads you to believe that it might be correct. BUT, if you hover your mouse over the link, the REAL link will pop up, and it begins with:  //sussl.stanford.edu-u.tk/ It may begin with a link you recognize, but because it has more characters after “.edu” before the first slash, it means the link is a fake.

To be your own hero, always hover your mouse over a link in any email and check the pop-up link to see where it’s really pointing you. Any real Stanford address will only have /_____.stanford.edu/ between the first set of slashes; if it doesn’t, don’t click on it!

Full phishing email text below:

 From: Digital Access Librarian
Sent: Thursday, January 23, 2014 12:21 PM
Subject: SSL VPN Access

Dear User,
Your SSL VPN access will expire soon, therefore you must reactivate it immediately or it will be closed automatically. If you intend to use this service in future, you must take action at once!
To reactive your access, simply visit the SSL VPN page and login with your account then begin your secure session.

SSL VPN Login Page:



Lewis Barnes
Digital Access Librarian
Stanford University Library
557 Escondido Mall
Stanford, California 94305-6063


Scams: Inactive SUNet ID, Mailbox Quota

Happy New Year, everyone! And here are two more iterations of very familiar phishing scams. The first warns, “Your SUNet ID Account will be Inactive in 2 days,” and the second shouts, “ !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!! ” In both cases, the emails are trying to scare you into thinking that a service you rely on is about to end abruptly, so you should click on a link and fill out a form giving away your personal information.

The first email, as you may notice, is riddled with peculiar spelling errors, which is a red flag. Plus, the situation they’re describing seems unfamiliar and unlikely to Stanford affiliates. The second one is merely vague and very alarmist—and contains an awful lot of exclamation points.

But the most important thing to check is always the link they’re directing you to click on. Any Stanford link pointing to a webauth page should contain only /weblogin.stanford.edu/ between the first set of slashes.  The crucial link in the first email, for example, contains those characters at the beginning, BUT the URL continues and the first set of slashes ends with xxx.ir/. If you hold the cursor over a link and a URL pops up that doesn’t look right, don’t click!

Stay smart and safe in the New Year, everyone! Full email text below:

Email #1: 

From: “Stanford SUNet Support” <Support@Stanford.edu>
Subject: Your SUNet ID Account will be Inactive in 2 days
Date: January 15, 2014 9:57:37 PM PST

Dear Stanford Student, Faculty, Staff

Your Authcate Account will be inactive in 2 days. Because of some security problems about login from strange IP addresses we decided to make some changes (Upgrade) and this is due to the implementation of a new version of Centeral Authentication System(CAS) Weblogin in new year(2014).

You can active your account by going to the CenteralAuthenticationSystem(CAS) Weblogin and simply login by your SUNet ID to activate your account.

Then, after seccussfull login click on “Logout” and you will be redirect to http://account.stanford.edu and in StatusChecker  check your account state. if your Account Status is Active or not. If there was error in login, try to activate again.

Please note: If you get an Authentication Error Just try 2 times to login again, and return to the https://stanfordyou.stanford.edu/ portal login page and start again. because System will automatically block your IP and Account and you should contact Support System to Unclock.

Answers to some frequently asked questions (FAQs) are available on the helpsu.


IT Services

Email #2:

Subject: RE: !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!!
Sent: Fri 17/01/2014 08:01
Subject: !!!Administrative Notice Faculty/Staff/Student/Employee/Admin Warning!!!

465MB                 500 MB
Current size        Maximum size

Please increase your mailbox quota size automatically by clicking [URL removed] and fill-out the necessary requirements to automatically increase your mailbox quota size.

IMPORTANT NOTE : You won’t be able to send and receive mail messages at 480MB .

ITS help desk