Ransomware Awareness

What is Ransomware?

According to the FBI, “Ransomware is a type of malicious software cyber actors use to deny access to systems or data.” Typically, the malicious actor will hold the system or data hostage via encryption using a private key that only they know. The only way for the victim to regain access to their system or data is to pay the ransom fee to the malicious actor. If the ransom is not paid, the data will remain unavailable or be deleted by the malicious actor or the ransomware itself. In addition, ransomware may spread to storage drives and other systems present on the network.

How Does Ransomware Get Installed on a System?

Ransomware can be installed on a system through the following means:

  • According to Symantec, “Ransomware is predominantly found on suspicious websites, and arrives either via a “drive-by download”, stealth download or through a user clicking on an infected advert. Some distribution via email has also been seen.”
  • Remote installation via a software vulnerability.
  • Opening or clicking on a malicious attachment or link found in an email.

Below is an example of CryptoLocker, a common ransomware variant.


How Do I Protect Myself?

Prevention is one of the best methods to defend against ransomware. Below are several steps you can take to prevent ransomware from being installed on your system:

  • Ensure proper anti-virus and anti-malware software is installed on your machine and that it is updated regularly. Please note, Fordham offers free antivirus software to students and faculty here.
  • Ensure your Operating System and programs have received the most current updates. Attackers can easily exploit vulnerabilities in out-of-date software.
  • Regularly back up your computer and important files. This allows you to have a recovery option in place so your data is not lost forever. If using portable media, make sure the device is removed once the backup is complete.
  • Do not click on or open any suspicious links, pop-ups, or attachments. If you come across questionable or suspicious emails or websites, contact IT Customer Care immediately and allow the University Information Security Office (UISO) to validate the respective content.

Paying a Ransomware Fee

As per the FBI:

“We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:

  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
  • Some victims who paid the demand have reported being targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.”

Useful Links

The FBI provides a more in-depth description of what ransomware is and what can be done to avoid becoming a victim.


The SANS Institute newsletter provides further information on ransomware and steps that can be taken to protect against it.


Article: 500 Million Yahoo Accounts Stolen

“Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.

The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.

Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.

The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.

Yahoo is working with law enforcement to learn more about the breach.

“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”

A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace.

Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.

“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”

U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.

Here are steps to take to secure your online accounts.

Change passwords often

Yahoo is asking anyone who hasn’t changed their password since 2014 to update it. This is good advice for everyone: Passwords should be changed often. You won’t always get a timely notice from a company that an account was compromised — and sometimes it might not even know about a hack until much later. In this case, it took two years for the company to confirm the breach.

Never use the same password twice

Never use the same password twice. If hackers get the password for one of your online accounts, they can try to use it to access your other accounts that take the same credentials.

Pick better passwords

Consider using a phrase instead of single words that are more easily guessed. Don’t go for common phrases like cliches: Pick a combination of words that don’t go together — i.e. rather than “herecomesthesun,” go for something like “wombatbootsparade”.

Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and characters.

Update those security questions

If you forget a password, using security questions is an easy way to gain access back into your own account — it’s not like you’ll ever forget your mom’s maiden name. But some Yahoo security answers and questions were a part of the breach. The company has already disabled any unencrypted security answers on its accounts.

If you frequently use the same security questions and answers for other online accounts, you’ll want to change those, as well. Attackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information.

Avoid choosing the obvious questions and don’t provide answers that are easy to find online through Google searches, social media sites or old Live Journal entries.

Be alert

The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity. Although it doesn’t say what to look for, start by checking outgoing emails.

Be extra careful about clicking on links or opening downloads from unknown email addresses. If anyone emails asking for your password, it’s a red flag — even if it looks like it’s coming from a legitimate place like Yahoo or a bank. Never share any account information or passwords over email.”

Sources: http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/

Article: Fake-Game: The Emergence of a Phishing-as-a-Service Platform

“Malware-as-a-Service (MaaS) business models continue to thrive in the cyber underground. It has allowed cyber crooks to generate renewable income through renting malware rather than selling their tool for a one-time payment. As a result, the business model has been adopted in various underground commodities such as exploit kits and remote access trojans. Recently, we saw the emergence of Ransomware-as-a-Service (RaaS) platforms.

During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:

Once a user has logged in, a tutorial window pops up (the rest of the images in this post have been translated from Russian to English to allow our general readers to understand them):

The site then asks the user to choose which type of credential it wishes to steal:

To see how it works, we tried to simulate the platform’s Gmail phishing tool. Upon choosing the Google option from the dropdown menu above, a link containing the subdomain “gmail” was generated:

The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.

A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:

In order to assist novice cyber criminals using the platform, the above prompt provides a hyperlink to another Russian site where subscribers can sell the credentials they have stolen. The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates.

A summary of stolen credentials appears on the subscriber’s profile:

How Does the Phishing Webpage Work?

The Gmail phishing page looks like the legitimate Gmail login page:

The Fake-Game platform has a feature that verifies the validity of credentials. If an entered credential is valid, it replies with a compressed string that translates to “good” once decompressed:

The phishing page’s code then checks to see if Fake-Game responded with the required value. If not, it displays an error and re-loads the phishing page:

The Fake-Game Phishing-as-a-Service (PHaaS) Business Model

Fake-Game earns money by offering VIP subscriptions for relatively low prices. The VIP account also offers subscribers extra privileges (listed below) that are not available for normal one-time users. The prices for such an account are $3.50 USD for a month, $5.70 USD for two months and $7.12 USD for three months:

Like legitimate businesses, Fake-Game has a real-time chat support feature available on its website:

Users are also given the privilege to chat with each other after reaching a rating of over 50 on the website:

User ratings are achieved by purchasing VIP accounts. Higher VIP package purchases reward users with higher ratings.

In addition, referral programs are available in order to attract more users to use the PHaaS platform:

As of this writing, the Fake-Game website shows that there are currently 61,269 subscribers using the platform. Furthermore, a total of 679,511 credentials were stolen based on their current statistics:

With the thriving malware-as-a-service business model, it is unsurprising to see the emergence of a Phishing-as-a-Service platform such as Fake-Game. However, it is important to be aware of these services and understand their implications. In this case, an effective business model such as this has the capability to amplify phishing attacks in the wild by making malicious services available and convenient to just about anyone.

While Fake-Game caters specifically to Russian cyber criminals, we believe that similar services will be available to other regions soon, if they are not already happening.

We want to reemphasize that it is always a good idea to make sure that the website link on your browser address bar is legitimate before entering online credentials. If you are unsure, manually typing in the correct website URL can help prevent phishing attacks. Furthermore, remember that unsolicited requests for credentials arriving through email or social media are typically fraudulent, and are best avoided.”

Source: https://blog.fortinet.com/2016/08/31/fake-game-the-emergence-of-a-phishing-as-a-service-platform

Article: Update OS X Right Now or You Could Get Some Nasty Spyware

Image: Mark Lennihan/AP

“Apple has issued an urgent security update for OS X El Capitan, OS X Yosemite and Safari to protect against the same security vulnerability that hit iOS last week.

To update on OS X, go to App Store > Updates and then install the Security Update 2016-001 (for El Capitan) or 2016-005 (for Yosemite). For users on OS X Mavericks, a Safari update is available as well.

Oh and while you’re at it, you should update iOS as well. (Just go to Settings > General > Software Update on your device, and follow the instructions.) The urgent OS X patch comes a week after Lookout Security and Citizen Lab discovered a nasty strain of spyware that could hijack an iPhone with a simple text message. Lookout Security’s Mike Murray called it “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”

The malware was used to target human rights activist Ahmed Mansoor. Mansoor noticed a strange text message on his phone, and rather than clicking the link, he turned his phone over to experts. It’s a good thing he did. That malware could have been used to read text messages, emails, and track calls and contacts.

Because OS X and iOS share a lot of the same code, it makes sense that a vulnerability in iOS would also exist in OS X. It isn’t clear exactly how the exploit would be used on OS X—on iOS users would be hit with a rogue SMS message—but don’t take any chances. Update!”

Article: Dropbox hack ‘affected 68 million users’

“A Dropbox security breach in 2012 has affected more than 68 million account holders, according to security experts.

Last week, Dropbox reset all passwords that had remained unchanged since mid-2012 “as a preventive measure”.

In 2012, Dropbox had said hacks on “other websites” had affected customers who used their Dropbox password on other sites too.

But now what purports to be the details of 68.6 million Dropbox accounts have emerged on hacker trading sites.

The 5GB document has been acquired by a Motherboard reporter, who also said it had been verified as genuine by a “senior Dropbox employee” speaking on the condition of anonymity.

The data includes email addresses and hashed passwords.

But security researcher Troy Hunt, who has also seen the document, said the hashing algorithm that obscured the passwords was “very resilient to cracking”.

“Frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” he said.

Mr Hunt said he had managed to independently verify the hack by finding the password of his wife within the cache.

He told BBC News the document contained a “very unique, 20-character, completely random password” used by his wife to login to Dropbox.

It had been created by a password manager, he said, making the chance of it having been correctly guessed “infinitely small”.

Mr Hunt wrote on his blog: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords – you simply can’t fabricate this sort of thing.”

Security researcher Ken Munro also said the hack appeared to be genuine and to have “taken place in 2012”.

In a statement sent to the BBC, Dropbox said: “This is not a new security incident.”

And there was “no indication” Dropbox user accounts had been improperly accessed.

“Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012,” said the statement.

“We can confirm that the scope of the password reset we completed last week did protect all impacted users.

“Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”

Meanwhile, on Tuesday the password management service OneLogin – of which Dropbox is a client – revealed that a user gained access to one of its systems used for log storage and analytics.

Alvaro Hoyos, chief information security officer at OneLogin, has said that this incident is not connected to the Dropbox hack.

“We have no indication that OneLogin’s August 2016 incident is connected to any further incidents currently in the news,” Mr Hoyos told the BBC.

“To reiterate what our recent blog post stated, the impacted system is a standalone system and there are no signs of suspicious activity in any of our other systems.

“The security of our customers is of the utmost importance and we are carrying out an extensive investigation in partnership with a third-party cybersecurity firm. We are advising impacted customers as soon as any additional information becomes available as a result of the investigation.””

Source: http://www.bbc.com/news/technology-37232635

FYI – Phishing Email Sent to the Fordham Community on 08/29/2016

This is a Phishing email that has been reported. This message was
received on or about August 29th, 2016. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:

——————–Begin Message ——————————
From:  Denise Nethaway <dnetha01@baker.edu>
Date: Mon, Aug 29, 2016 at 12:48 PM
Subject: FYI
To: user@fordham.edu


See the below vital docs i sent to you
>> Documents (<—LINK HERE)
Best Regards

—————————–End Message —————

Alert: Update your iPhone device ASAP. Major vulnerability discovered.

“NSO Group, a company that sells hacking services to governments so they can spy on journalists and dissidents, exploited gaping security holes in iPhone software, according to a report by Lookout Security and Citizen Lab. But don’t worry: Apple just pushed a fix.

The New York Times reports:

The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.

This is about as bad as it gets. Apple released a patch yesterday to fix these massive security problems, and you should download it immediately.

Lookout security researcher Mike Murray explained the scary exploit in an interview with Motherboard. “We realized that we were looking at something that no one had ever seen in the wild before,” Murray said. “Literally a click on a link to jailbreak an iPhone in one step. One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Screenshot from a leaked NSO manual via Citizen Lab.

This level of sophistication in malware has never been seen before, and it was used to target human rights activist Ahmed Mansoor, according to Citizen Lab. Mansoor, who has been the target of surveillance since 2011, discovered the malware when he was sent a suspicious link claiming to have more details on people being tortured in the United Arab Emirates. The link would have actually installed the sophisticated malware on Mansoor’s phone.

Companies that hack tech products to conduct surveillance aren’t new, but a weapon that can completely take over a supposedly secure device like the iPhone is remarkable. Anything can be hacked, of course, and companies like Apple will always be playing catch-up when it comes to locking down their devices from well-funded hackers like NSO. But for now, you should definitely update your iPhone.”

Source: http://gizmodo.com/israeli-cyber-weapon-dealers-figured-out-how-to-hack-ev-1785747391?

see documents – Phishing Email Sent to the Fordham Community on 08/25/2016

This is a Phishing email that has been reported. This message was
received on or about August 25th, 2016. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:

——————–Begin Message ——————————
From: user@fordham.edu
Date: Thurs, Aug 25, 2016 at 12:56 PM
Subject: see documents
To: user@fordham.edu

See below the confidential document i sent
>>> File (LINK HERE)
Best regards

—————————–End Message —————

FYI – Phishing Email Sent to the Fordham Community on 08/24/2016

This is a Phishing email that has been reported. This message was
received on or about August 24th, 2016. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:

——————–Begin Message ——————————
From: user@fordham.edu
Date: Wed, Aug 24, 2016 at 02:36 PM
Subject: FYI
To: user@fordham.edu

see the important documents i sent below
<<<<<doc file>>> (LINK HERE)

—————————–End Message —————

Article: Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks

“Off Path Attack means malicious hackers can be located anywhere on the internet.”

“An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren’t encrypted, inject malicious code or content into the parties’ communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.

“The tl;dr is for Android users to ensure they are encrypting their communications by using VPNs, [or] ensuring the sites they go to are encrypted,” Lookout researcher Andrew Blaich told Ars. “If there’s somewhere they’re going to that they don’t want tracked, always ensure they’re encrypted.”

The vulnerability makes it possible for anyone with an Internet connection to determine whether any two parties are communicating over a long-lived transport control protocol connection, such as those that serve Web mail, news feeds, or direct messages. In the event the connections aren’t encrypted, attackers can then inject malicious code or content into the traffic. Even when the connection is encrypted, the attacker may still be able to determine a channel exists and terminate it. The vulnerability is classified as CVE-2016-5696.

One of the more likely ways exploits might target Android users is for them to insert JavaScript into otherwise legitimate Internet traffic that isn’t protected by the HTTPS cryptographic scheme. The JavaScript could display a message that falsely claims the user has been logged out of her account and instruct her to re-enter her user name and password. The login credentials would then be sent to the attacker. Similar injection attacks might also attempt to exploit unpatched vulnerabilities in the browser or e-mail or chat app the targeted Android user is using.

To make the attack work, the adversary must first spend about 10 seconds to test whether two specific parties—say a known Android user and USA Today—are connected. It then takes another 45 seconds or so to inject malicious content into their traffic. The time required probably makes it impractical to carry out opportunistic attacks that hit large numbers of people. Still, the technique appears well suited for targeted attacks, in which the adversary—say, a stalker or a nation-backed surveillance agency—is attempting to infect or spy on a specific individual, especially when the hacker knows some of the sites frequented by the target.

A Google representative said company engineers are already aware of the vulnerability and are “taking the appropriate actions.” As noted in this post, the representative pointed out the flaw resides within vulnerable versions of the Linux kernel and it’s not Android specific. The representative went on to say that the Android security team rates the risk “moderate,” as opposed to “high” or “critical” for many of the vulnerabilities it patches. Maintainers of the Linux kernel have already patched CVE-2016-5696. It wouldn’t be surprising if that fix is incorporated into a new Android release in the next month or so.”

Source: http://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-android-users-vulnerable-to-hijacking-attacks/