topic Genuine or phishing attempt? in Member Support

Genuine or phishing attempt?

RobEllis — Thu, 08 Nov 2018 06:46:39 GMT

I received this email earlier today from donotreply@isc2.brightspace.com. Is this a genuine isc2 communication?

You have been enrolled in D2L Support - D2L Support for ISC2 - International Information System Security.

To access D2L Support - D2L Support, log into ISC2 - International Information System Security using your username myemail and password, then select D2L Support from your list of courses.

Re: Genuine or phishing attempt?

CraginS — Thu, 08 Nov 2018 11:01:41 GMT

@RobEllis wrote:
I received this email earlier today from donotreply@isc2.brightspace.com. Is this a genuine isc2 communication?

Rob,

Probably not phishing or spam, since Brightspace appears to be the course management contractor for (ISC)2, operating the web site learn.isc2.org . Other threads relating to posting CPE based on (ISC)2 courses or registering for (ISC)2 courses have mentioned Brightspace. Linking to their home page at www.brightpace.com redirects to and lands on www.d2l.com.

With the major overhaul of the set of (ISC)2 web sites last year, to include creation of this Community, (ISC)2 set up a relatively complex set of multiple contractor companies running separate domains and supporting the cross linking. Thus, www.isc2.org, cpe.isc.org, community.isc2.org, and learn.isc2.org, are each run separately, with all of them using isc2org.okta.com as a single sign-on manager across all of those sites.

The challenge that (ISC)2 has not adequately solved is how to manage e-mail sent from each of those separate companies. Apparently, Brightspace has not been authorized to use the main (ISC)2 mail server to send out their mail related to learn.isc2.org. A large number of enterprises have set up the same problem by using a mass mail manager such as Constant Contact for marketing and awareness e-mail campaigns.

Re: Genuine or phishing attempt?

TXWayne — Thu, 08 Nov 2018 12:40:24 GMT

I received the same and when I hover over the link it seems proper but of course I did not click on it. I instead logged in and checked out my learning. Nothing there but a GDPR course. I suspect we will be getting a "Sorry you inadvertently received an email" email soon.

Re: Genuine or phishing attempt?

Thalpius — Thu, 08 Nov 2018 15:26:39 GMT

That’s probably the best thing to do and a good tip as well. Never click a link. Go to the website itself and check.

Re: Genuine or phishing attempt?

amandavanceISC2 — Thu, 08 Nov 2018 17:23:28 GMT

@RobEllis Thank you for reaching out to us regarding the registration into the D2L Support course.

This is not a phishing email; however, the registration/email was sent by error. Please disregard. We apologize for any confusion.

Best Regards,

Amanda Vance

Re: Genuine or phishing attempt?

denbesten — Thu, 08 Nov 2018 17:58:42 GMT

@CraginS wrote:
www.isc2.org, cpe.isc.org, community.isc2.org, and learn.isc2.org, are each run separately ... The challenge that (ISC)2 has not adequately solved is how to manage e-mail sent from each of those separate companies.

Bottom line is that we need to simultaneously need to ensure 3rd parties should not be able to send mail that is indistinguishable from our corporate email, but that their emails "look legitimate".

Our messaging guy worked out a solution to this. We ask Brighttalk to send emails from something@learn.isc2.org and then we add their mail settings (MX, SPF, etc) to the learn.isc2.org DNS entry itself. This allows the Brighttalk emails to pass both smell and validation checks. It also prevents Brighttalk from forging our CEO's emails. If replies need to go somewhere reasonable, we ask they include a message header "reply-to: member-support@isc2.org".

D2L?

rslade — Thu, 08 Nov 2018 20:11:19 GMT

I have been enrolled in the online course for D2L Support! Lucky me!

Trouble is, I didn't ask to be enrolled. I just got a notification that I was enrolled. In fact, until a few minutes ago, I had no idea what D2L was, let alone want to support it.

It seems to be related to BrightSpace, those brightsparks who provide the infrastructure for the ISC2 courses on GDPR (complete with large sets of errors) and what to do if someone is actively shooting at you. (Duck?) D2L seems to list itself as a separate company, though, aka Desire2Learn, so maybe it is an infrastructure behind the infrastructure. (It does seem to have some connection with various colleges.)

Anybody else?

Re: Genuine or phishing attempt?

RobEllis — Thu, 08 Nov 2018 20:37:08 GMT

Thanks for confirming

Re: D2L?

SamanthaO_isc2 — Thu, 08 Nov 2018 20:44:50 GMT

Hello @rslade,

I believe you are talking about the same things as this thread in the community here: Genuine or phishing attempt? There was an email sent in error from D2L, we apologize for any inconvenience this may have caused. Our teams are looking into it; however, you can disregard the email at this time.

If you confirm that this is the same, I can merge the two posts together in the Community.

Thanks,

Re: D2L?

rslade — Thu, 08 Nov 2018 20:49:17 GMT

Ah. Yeah, probably.

Herewith the full text with headers:

Return-Path: donotreply@isc2.brightspace.com
Received: from mi06-ssvc.dcs.int.inet (LHLO mi06.dcs.int.inet)
(10.0.141.211) by cds130.dcs.int.inet with LMTP; Wed, 7 Nov 2018 17:12:34
-0700 (MST)
Received: from us04psmtp.brightspace.com ([34.192.219.221])
   by cmsmtp with ESMTP
   id KXw0g39L585hUKXw2g4wfs; Wed, 07 Nov 2018 17:12:34 -0700
X-Authority-Analysis: v=2.3 cv=c5t6vi1l c=1 sm=1 tr=0
a=s7ttwxT6BZOTtU1gLNnecA==:117 a=s7ttwxT6BZOTtU1gLNnecA==:17
a=IkcTkHD0fZMA:10 a=JHtHm7312UAA:10 a=kp2It1cLG0kA:10 a=bec8-HjUAAAA:8
a=_Dj-zB-qAAAA:8 a=9dNCaxv6scXIjPRefXoA:9 a=QEXdDO2ut3YA:10
a=uqhqpWusF5nysF070nEo:22 a=c-cOe7UV8MviEfHuAVEQ:22 awl=host:2067
Received: by us04psmtp001b.aue1.int.d2l (Postfix, from userid 1001)
   id 717B6436F2; Thu, 8 Nov 2018 00:12:32 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
   us04psmtp001b.aue1.int.d2l
X-Spam-Level:
X-Spam-Status: No, score=-1.8 required=8.0 tests=ALL_TRUSTED,BAYES_00,
   HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY autolearn=no
   autolearn_force=no version=3.4.0
Received: from isc2.brightspace.com (us04pmail002a.aue1.int.d2l [172.27.2.230])
   by us04psmtp001b.aue1.int.d2l (Postfix) with ESMTP id 64322423C9
   for <rmslade@shaw.ca>; Thu, 8 Nov 2018 00:12:29 +0000 (UTC)
Authentication-Results: us04psmtp001b.aue1.int.d2l; dmarc=none header.from=isc2.brightspace.com
Received: from US04PWC007AA37 ([172.27.26.195]) by isc2.brightspace.com with Microsoft SMTPSVC(8.5.9600.16384);
   Thu, 8 Nov 2018 00:12:29 +0000
To: <rmslade@shaw.ca>
From: "learn@isc2.org" <donotreply@isc2.brightspace.com>
Message-ID: <8f73e6ea5b4f419099f59de9b4109066@isc2.brightspace.com>
Date: Thu, 08 Nov 2018 00:12:29 +0000
Subject: D2L Support - D2L Support: Enrollment Confirmation ISC2 - International Information System Security
MIME-Version: 1.0
Content-type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 08 Nov 2018 00:12:29.0619 (UTC) FILETIME=[BCBE8830:01D476F7]
X-Virus-Scanned: clamav-milter 0.99.3 at us04psmtp001b
X-Virus-Status: Clean
X-CMAE-Envelope: MS4wfM2Gt9E4nziHuK6Op3MAKSx7jVLN1Dp1ORO4V5Ou+WS0nt0RTTjO7iIeIKDnEQW65nHJmvpckZAKxq4SlrHzYUnKmswmuIsAkZSSeUpuDK8ZLpuJLI+v
lMdJDeBsZEFAgNVEErXIFk/HMBzyQhBr6K0neg3OngxnjQVTd21qwGVQNsGP/L6XLLuauz93iPiV9+BZ/9IeQOc7VgfFXjKHl+o=
X-Antivirus: Avast (VPS 181108-4, 11/07/2018), Inbound message
X-Antivirus-Status: Clean
X-PMFLAGS: 34079360 0 1 P777F0.CNM

Hi Robert,You have been en= rolled in D2L Support - D2L Support for ISC2 - International Inf= ormation System Security=2ETo access D2L Support - D2L Suppor= t, log into ISC2 - International Information System Security using your username rmslade@shaw=2Eca and password, then selec= t D2L Support from your list of courses=2E Sent: Wednesday, N= ovember 7, 2018 7:12 PM EST

Re: D2L?

SamanthaO_isc2 — Thu, 08 Nov 2018 21:03:59 GMT

Thank you for sending this along, @rslade. These do appear to be the same, so I will go ahead and merge them together.

Re: D2L?

sbromberger — Tue, 13 Nov 2018 22:56:48 GMT

Just FYI, I received one of these a few minutes ago, so the misguided email campaign appears to be continuing.

Re: Genuine or phishing attempt?

gudguy1a — Tue, 13 Nov 2018 23:15:41 GMT

Ha, ha, ha....

Don'cha just love it when InfoSec/Cyber security folks respond to this kind of thing.... Love it. Security pros doing what they are preaching, outstanding.

[Oh yes, I also got one - did not click on it... 🙂 ]

Patrick

MBA MS Cyber Security CISSP-ISSEP

Re: Genuine or phishing attempt?

Shannon — Wed, 14 Nov 2018 01:30:45 GMT

@amandavanceISC2 & @SamanthaO_isc2, for the record, I too received such an email a few hours ago.

(I've disregarded it, but was wondering whether any progress has been made in addressing this.)

Re: Genuine or phishing attempt?

gudguy1a — Wed, 14 Nov 2018 10:44:57 GMT

Hello there.

Yes, they responded earlier in the thread. Just disregard at this time.

Re: Genuine or phishing attempt?

amandavanceISC2 — Wed, 14 Nov 2018 17:12:00 GMT

All,

We apologize for the inconvenience. Yes, a second enrollment email went out yesterday evening. Please disregard as this was sent in error and is not a phishing attack. I can confirm our Education team is working with D2L to resolve this issue.

Again, I apologize for the inconvenience.

Best Regards,

Amanda Vance

Re: Genuine or phishing attempt?

rslade — Thu, 15 Nov 2018 02:15:11 GMT

> Shannon (Contributor II) posted a new reply in Member Support on 11-13-2018 08:30 PM in the (ISC)Â² Community :

> Â @amandavanceISC2Â &Â @SamanthaO_isc2, for the record, I too received such an email a few hours ago.

So did I. Along with a really interesting invite to the meeting in January--which also invited me to *vote* ...

Date sent:         Tue, 13 Nov 2018 16:50:48 -0500
From:              "ISC2" <info@isc2.org>
Subject:           NOTICE OF ANNUAL MEETING OF THE
MEMBERS

(ISC)² Annual Election Voting Instructions

It is that time of year when we encourage all of our members to
participate in the (ISC)² Board of Directors election process
beginning 05 September. Your vote helps to set the direction of
the organization over the next year.

Voting is done electronically via the (ISC)² website at
http://send.isc2.org/link.cfm?r=SrlS9Zu_UEa1rggjl6sM1w~~&pe=n
xDFwV_pR_9uFfawRVcQTWnBrPJ8qIz9MewqRvWSeMy5pAYMY
QXJf_8duEHU69hC&t=4QMkkvC71t5_lxMrNa2AEg~~. You can
only cast one ballot; there will be NO voting in person. Your votes
will be collected and voted at the (ISC)² Annual Meeting on
January 12, 2019.

Please Note: It is recommended that you sign in to the member
portal prior to the election to ensure there are no problems with
your login. If problems arise, please contact Member Support at
membersupport@isc2.org.

To record your vote beginning 05 September 2018, please launch
the election application online at
http://send.isc2.org/link.cfm?r=SrlS9Zu_UEa1rggjl6sM1w~~&pe=b
1WWuery4c9_X47BLse-
uT3Sy2g6YUnvLctllmDg5MMyyiQSh6Wo9U0vhkVt1F16&t=4QMk
kvC71t5_lxMrNa2AEg~~.

Re: Genuine or phishing attempt?

wmahoney87 — Fri, 30 Nov 2018 01:29:52 GMT

I just got another one of these...this is absurd. I'm blocking learn@isc2.org until they figure this out.

Re: Genuine or phishing attempt?

rslade — Fri, 30 Nov 2018 02:41:59 GMT

> wmahoney87 (Viewer) posted a new reply in Member Support on 11-29-2018 08:29 PM

> I just got another one of these...this is absurd. I'm blocking learn@isc2.org
> until they figure this out.

Actually, I'm wondering if I/we really are signed up for all these "courses" ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
`Who hath dared to wound thee?' cried the giant; `tell me, that I
may take my big sword and slay him.'
`Nay!' answered the child, `but these are wounds of love.'
- `The Selfish Giant,' Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Genuine or phishing attempt?

Shannon — Fri, 30 Nov 2018 05:20:57 GMT

@rslade wrote:

Actually, I'm wondering if I/we really are signed up for all these "courses" ...

There might be another reason. This hasn't been the 1st and may not be the last --- perhaps it's all to pave the way to dole out a Tolerance badge...