On Feb 15, 2023, Signiant learned that some of our Media Shuttle customers were the targets of a malicious domain spoofing and email phishing attack and communicated an advisory to all Media Shuttle admins. The following article provides technical details on how you can audit your portal to spot any suspicious activities.
Review the Portal Events:
The Events tab displays portal activity logs, including authentication, feature events, transfer attempts, member permission changes, and file management tasks.
We recommend exporting the event log (by clicking export on the top left of the event table) with a date range of February 7 to today’s date. This downloads a CSV spreadsheet of the file or portal events for that date range.
Check for Added Members:
In the “Event Name” column, inspect all rows with “Member Added” events and ensure they are recognized accounts. If the accounts seem legitimate and were added by recognized members of the portal, we recommend enforcing a password reset (steps included below) on the account.
If you have any reason to believe the account is suspicious, we recommend removing this member from the portal completely (steps included below).
Check for Multiple account login attempts from same IP address:
For security reasons, account sharing should always be avoided.
Multiple login attempts from different accounts using the same IP address should be investigated.
|Failed login by <someone>@gmail.com from IP address 220.127.116.11|
|Failed login by <someone_else>@outlook.com from IP address 18.104.22.168|
|Failed login by <random>@hotmail.com from IP address 22.214.171.124|
Check for Password Resets Events:
These events are displayed as “Successful password update”. There is no harm in resetting the password a second time.
Since we do not know if the password reset was in fact requested by the portal member, we recommend administrators reset the password a second time for extra security. This request will send an email to the portal member, which will serve as the verification that it is being reset by them.
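The three checks above can be run over the exported CSV in one pass. The following script is an added example, not Signiant's own tooling: only the “Event Name” column and the event strings come from this article, while the “Date” and “Details” headers and all sample rows are constructed, so the script matches the event strings anywhere in a row.

```python
import csv
import io
import re
from collections import defaultdict

# Message format as shown in the article's failed-login examples.
FAILED_LOGIN = re.compile(
    r"Failed login by (\S+) from IP address (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample export; the "Date" and "Details" headers are assumptions.
SAMPLE = """\
Date,Event Name,Details
2023-02-08 09:12,Login,Failed login by alice@example.com from IP address 203.0.113.7
2023-02-08 09:13,Login,Failed login by bob@example.org from IP address 203.0.113.7
2023-02-08 09:15,Login,Failed login by carol@example.net from IP address 203.0.113.7
2023-02-09 14:02,Login,Failed login by dave@example.com from IP address 198.51.100.20
2023-02-09 16:40,Member Added,new.user@example.com added by admin@example.com
2023-02-10 08:05,Authentication,Successful password update for bob@example.org
"""

def audit_events(csv_text, min_accounts=2):
    """Return the rows and IP addresses an admin should review."""
    added, resets = [], []
    accounts_by_ip = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only "Event Name" is a known column, so search the whole row.
        text = " | ".join(str(v) for v in row.values() if v)
        if "Member Added" in text:
            added.append(row)
        if "Successful password update" in text:
            resets.append(row)
        match = FAILED_LOGIN.search(text)
        if match:
            accounts_by_ip[match.group(2)].add(match.group(1).lower())
    # Keep only IPs that failed logins for several distinct accounts.
    shared = {ip: sorted(accts) for ip, accts in accounts_by_ip.items()
              if len(accts) >= min_accounts}
    return {"member_added": added, "password_updates": resets,
            "shared_ip_failures": shared}

if __name__ == "__main__":
    report = audit_events(SAMPLE)
    for ip, accts in report["shared_ip_failures"].items():
        print(f"{ip}: failed logins for {len(accts)} accounts: {', '.join(accts)}")
    for row in report["member_added"]:
        print("Member Added:", dict(row))
    for row in report["password_updates"]:
        print("Password update:", dict(row))
```

To use it on a real export, pass the file's contents to `audit_events` and review every row and IP address it returns against the steps above.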
How to remove portal members:
- To remove one portal member, select the member in the Members list and click Remove.
- To remove multiple portal members, use Ctrl-click (Windows) or Command-click (macOS) to select all the members to delete. Click Remove and confirm the removal.
How to Reset Member Passwords
To reset a portal member's password, select the member in the Members list and click Reset Member Password.
The portal member will receive an email with instructions to set a new password for their account.
If you have a large number of portals, your IT Admin can contact Support and we can get a list of users for your account.
How to Enable SAML
SAML allows you to authenticate portal members using services such as Microsoft Active Directory Federation Services or other third-party providers such as Okta or OneLogin.
To learn how to enable and configure SAML for your portals, please refer to the following article for details:
Other steps users can take to prevent phishing:
- Be cautious of unsolicited emails
- Check and confirm the URL before entering any personal information.
- Make sure the website address starts with “https”
- Use Anti-phishing tools
- Do not share login credentials with anyone