CCIT News and Notices

Category: Cybersecurity Alerts

SEO Poisoning

November 7, 2025

Have you ever searched for something on the internet using your favorite browser search engine and gotten results that are completely wrong? For example, you search for your specific car insurance company’s official website. However, the top results you see may list the name of your car company, but the website URL is not your company’s official website.

These types of results can be caused by Search Engine Optimization (SEO) Poisoning. In this type of attack, cybercriminals employ various methods to manipulate search engine results, attempting to redirect traffic to their malicious websites. On these fake websites, users may be prompted to enter their personal account credentials, which the attackers will steal, or the fake sites may include malware that is unknowingly downloaded to the user’s computer.

To avoid SEO Poisoning:

  • Always visually verify links before clicking. Examine the URL carefully. Look for name misspellings or letter substitutions in the domain name. Double-check that the domain extension (.com, .edu, .gov, etc.) is correct.

  • Be skeptical of the top results. Many of the first results are often “sponsored” results, meaning that they are paid to be listed first, regardless of your actual search results.

  • Go directly to official websites. If you know the URL of the actual website you want, such as Amazon, then type “amazon.com” directly into the browser address bar, rather than searching for “Amazon”.
Woman holding phone with text displayed over image saying "Search Engine Poisoning" and a poison symbol.

AI Summarization Vulnerability

October 24, 2025

Artificial Intelligence (AI) continues to grow in popularity as a tool that can help users do all sorts of things. Unfortunately, cybercriminals understand that and are also using AI for their scams.

One of the common ways that people use AI is to have it summarize content, such as an email, a large document or a spreadsheet. But cybercriminals are taking advantage of that AI usage by embedding hidden and malicious AI instructions in files that are unseen by the user.

For example, a user could receive a lengthy email, and they use AI to summarize the message. But embedded in the email could be a hidden, malicious AI prompt that could force your AI program to search for and read other sensitive emails and documents, which could then be sent to the attacker.

Even documents like an Excel spreadsheet that you ask AI to summarize could contain hidden white text on a white background across multiple sheets, which contain AI task modifications and commands that could hijack your AI’s processes and behavior.

To help avoid falling for this type of scam, users should not open files from people that they do not know, nor open a file that they are not expecting. Also, you should carefully consider what content you have AI summarize or process for you, as well as monitor any AI outputs very closely.

A hooded hacker, masked and cloaked in a dark background, holds artificial intelligence circuitry.

SharePoint File Share Fake

August 5, 2025

Clemson University users are experiencing an increase in a SharePoint-related cyberattack, like the email pictured below. In this scheme, cybercriminals have likely already compromised a legitimate user and are using the account’s SharePoint site to send a document share email to other users. Sharing files through this method can sometimes circumvent security tools, which could possibly detect these malicious files.

The shared file could be a Word document, a PDF or a similar type of file. The file can contain malware that would infect your computer if you opened it, or it may ask you to log in with your Clemson credentials before you can see the file. This would allow them to steal your login and password information.

To avoid this scam, you should do the following:

  • Always use extra caution before opening any file sent to you, especially if you do not know the sender or if you are not expecting a file.

  • Avoid opening an email attachment file if you see the External Sender banner on any email. Those emails are coming from someone outside of Clemson.

  • Before logging in with your Clemson credentials, you should first verify that the URL has “clemson.edu” as the domain address.

  • If you do receive an email that you are unsure about, please use the Report Phishing button in Outlook, and the CCIT Security Team will be happy to investigate it for you to determine if it is legitimate and safe to open.

Screen shot of email from SharePoint asking to share a file with user. Email has the External Sender banner on it.

Passwords expiring for many Clemson accounts on July 31 to enhance security

July 23, 2025

New passwords must be at least 20 characters long, contain no username or blocked words, and can't be detected in a data breach.

To enhance digital security, Clemson Computing and Information Technology (CCIT) is enforcing password expiration for approximately 30,000 Clemson University accounts to help protect data and personal information. While this change will not impact all Clemson users, those who are impacted will receive instructions for the expiration and creation of a new password for their Clemson account. This effort is to strengthen security for accounts that were identified with vulnerable passwords. In the age of artificial intelligence and high performance computing, strong passwords are some of our best defenses against threats or bad actors. 

What to expect

  • CCIT engineers will prompt password expiration for specific accounts on the morning of July 31, 2025. 
  • The identified users will be emailed more detailed information about what to expect. 
  • Users are required to create passwords that meet the new security requirements. 

If you need assistance during the password change process, please contact the CCIT Support Center. Those who are not identified in this round of expiration are also welcome to strengthen their passwords to the more secure passphrase format at any time. 

Report Phishing button change in Microsoft Outlook

June 19, 2025

Screenshot of the Report button in Outlook

Clemson University faculty, staff and students using Microsoft Outlook for email can now use the generic Report button to report phishing or junk emails. Reporting an email through this method will still send your email to the Clemson Security Operations Center (CSOC) for review and investigation. The Security Shield Report button has been removed from Outlook to help streamline this process.

But if you need to provide additional information beyond just reporting an email, use the Report Phishing Service through the TigerHub system.

Please contact the CCIT Support Center if you have any questions.

Malware in AI Tools

June 10, 2025

Cybercriminals are leveraging the high interest in artificial intelligence (AI) tools as part of new targeted campaigns. These often appear as “free” AI tools or in false advertisements that link to sites impersonating an official AI site.

If downloaded, the fake AI tool will include a ransomware executable, which will encrypt files and demand payment to unlock the user’s content.

Here are some tips to help avoid falling for this scam:

  • Only download from official websites. Always examine the URL carefully.
  • Be suspicious of “free” tools or offers that seem too good to be true.
  • Research a company or product first before downloading anything.
  • Scan files with security tools before opening them.

If you need assistance with downloading AI tools, please contact your Clemson University IT Consultant.

Copy to Fix Scam

June 10, 2025

Proofpoint has recently discovered a new attack vector that cybercriminals are using to compromise users’ computers. In this scheme, users are prompted with a notification pop-up on a webpage, in a Word document or when opening a PDF file, saying that there is a problem. And the notification will include a button saying something like “How to Fix” or “Auto-Fix”.

The fake instructions for how to “fix” the problem will typically ask the user to copy and paste some code into Windows PowerShell or the Run dialog box. Because this code is only being copied and pasted, most antivirus software will not have an opportunity to inspect and catch the malicious code. Once this code is run by the victim on their computer, it triggers the download of additional malware and other nefarious activities.

Clemson University users should exercise caution if presented with this error, and it is recommended to reach out to the area’s IT Consultant for assistance.

For additional details, please see the full article on the Proofpoint website.

A screenshot of a malicious pop-up that tells the user there is something wrong with displaying a page and a button to 'Copy fix' the issue.

AirPlay Vulnerability

May 1, 2025

A new vulnerability in Apple’s AirPlay has been uncovered by Oligo Security Research that could potentially allow bad actors to compromise devices such as your Mac laptop, AirPlay speakers and receivers, or even the CarPlay system in your automobile.

Because of this vulnerability, users could experience a denial of service, loss of sensitive information, or possibly distractions while driving in the form of unwanted sounds or images being displayed on your automobile console.

The Apple Logo with a bug icon representing a computer virus next to an iPhone with the AirPlay icon displayed.

To help protect yourself against this vulnerability:

  • Update any device that supports AirPlay to the latest version of the software available.
  • Verify on your AirPlay device that the setting “Allow AirPlay for” is set to just “Current User.”
  • Disable the AirPlay receiver on any device where it is not needed.

For additional information, please see the full article at:
https://www.oligo.security/blog/airborne

QR Code Scam

April 15, 2025

Clemson users are seeing an influx of QR Scam emails. In these emails, like the one below targeting employees referencing a Compensation Guide, the recipient is given a QR code to scan with their phone.

But if a user follows the link from the QR code, they are presented with a fake login page which will steal the user’s login and password account information. The cybercriminals are hoping that you will be less protected and have limited information by moving you to your phone.

Some of these fake QR code emails claim to be from Microsoft, while others are targeting students with fake job opportunities.

An email with the Subject Line 'Reminder: 2025 Employee Compensation Plan is awaiting your signature' and containing a QR code stating that the user should complete a task.

You should always check the sender’s email address before following any link or QR code. Any official email from Clemson will have a clemson.edu address.

If you receive a suspicious email with a QR Code, use the Report Phishing button in Outlook to have the Clemson Security Operations Center review and investigate the email for you.

Financial Support Phish

October 2, 2024

Clemson users should be aware of another targeted phishing campaign. This one claims to be a University Supported Program and offers to help staff and students with financial support.

Below is an example of one of these types of emails.

Users are prompted to follow a link within the email, which takes them to a login page that asks them to enter their email address, username and password. They are hoping that you will enter your Clemson account information.

But this is actually a scam designed to steal users’ credentials. If you receive an email similar to this, you should report it using the Report Phishing button in Outlook or by forwarding it to phishing@clemson.edu.