Alert: Suspicious E-Mails Targeting University Staff

Posted on June 21, 2017 by | Comments Off on Alert: Suspicious E-Mails Targeting University Staff

Please be advised that there are suspicious emails circulating that are targeting University faculty and staff to include secretaries, assistants and receptionists. We have received reports of several different emails circulating requesting the recipient to reply.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the messages legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Comments Off on Alert: Suspicious E-Mails Targeting University Staff

Posted in Alerts, Security Awareness

Article: Apple fixes dozens of security bugs for iPhones, Macs.

Posted on May 18, 2017 by | Comments Off on Article: Apple fixes dozens of security bugs for iPhones, Macs.

Via: ZDNet

“Apple has squashed dozens of security bugs in its latest releases of its iPhone, iPad, and Mac operating systems.

The Cupertino, Calif.-based company rolled out 23 security fixes in iOS 10.3.2 and another 30 fixes in macOS 10.12.5, both of which were released on Monday.

Among the bugs, two bugs in iBooks for iOS could allow an attacker to arbitrarily open websites and execute malicious code at the kernel level. Over a dozen flaws were found in WebKit, which renders websites and pages on iPhones and iPads, that could allow several kinds of cross-site scripting (XSS) attacks.

A separate flaw in iBooks for macOS desktops and notebooks could allow an application to escape its secure sandbox, a technology used to prevent data loss or theft in the case of an app compromise.

Almost half of the bugs found were attributed to Google’s Project Zero, the search giant’s in-house vulnerability-finding and security team.

One of the iOS bugs credited to Synack security researcher Patrick Wardle described a kernel flaw in which a malicious application could read restricted memory, such as passwords or hashes.

In a blog post last month, Wardle explained how he found the zero-day flaw following a supposed fix in an earlier version of macOS 10.12. He said that Apple’s patch “did not fix the kernel panic” and worse, “introduced a kernel info leak, that could leak sensitive information” that could bypass the operating system’s security feature that randomizes the kernel’s memory address locations.

In an email, Wardle admitted he “didn’t realize it affected iOS too.”

Patches are available through the usual automatic update channels.”

Source: http://www.zdnet.com/article/apple-fixes-dozens-of-security-bugs-in-ios-10-3-2-macos-updates/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=22897651806331074555632548278564

Comments Off on Article: Apple fixes dozens of security bugs for iPhones, Macs.

Posted in Alerts, News and Events, Security Awareness

Alert: Critical Microsoft Vulnerability

Posted on May 18, 2017 by | Comments Off on Alert: Critical Microsoft Vulnerability

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Defending Against Ransomware Generally

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

Comments Off on Alert: Critical Microsoft Vulnerability

Posted in Alerts, News and Events, Security Awareness

Alert: Employment Scam Targeting College Students Remains Prevalent

Posted on May 9, 2017 by | Comments Off on Alert: Employment Scam Targeting College Students Remains Prevalent

Via: IC2

“College students across the United States continue to be targeted in a common employment scam. Scammers advertise phony job opportunities on college employment websites, and/or students receive e-mails on their school accounts recruiting them for fictitious positions. This “employment” results in a financial loss for participating students.

How the scam works:

  • Scammers post online job advertisements soliciting college students for administrative positions.
  • The student employee receives counterfeit checks in the mail or via e-mail and is instructed to deposit the checks into their personal checking account.
  • The scammer then directs the student to withdraw the funds from their checking account and send a portion, via wire transfer, to another individual. Often, the transfer of funds is to a “vendor”, purportedly for equipment, materials, or software necessary for the job.
  • Subsequently, the checks are confirmed to be fraudulent by the bank.

The following are some examples of the employment scam e-mails:

“You will need some materials/software and also a time tracker to commence your training and orientation and also you need the software to get started with work. The funds for the software will be provided for you by the company via check. Make sure you use them as instructed for the software and I will refer you to the vendor you are to purchase them from, okay.”

“I have forwarded your start-up progress report to the HR Dept. and they will be facilitating your start-up funds with which you will be getting your working equipment from vendors and getting started with training.”

“Enclosed is your first check. Please cash the check, take $300 out as your pay, and send the rest to the vendor for supplies.”

Consequences of participating in this scam:

  • The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank with a credit bureau or law enforcement agency.
  • The student is responsible for reimbursing the bank the amount of the counterfeit checks.
  • The scamming incident could adversely affect the student’s credit record.
  • The scammers often obtain personal information from the student while posing as their employer, leaving them vulnerable to identity theft.
  • Scammers seeking to acquire funds through fraudulent methods could potentially utilize the money to fund illicit criminal or terrorist activity.

Tips on how to protect yourself from this scam:

  • Never accept a job that requires depositing checks into your account or wiring portions to other individuals or accounts.
  • Many of the scammers who send these messages are not native English speakers. Look for poor use of the English language in e-mails such as incorrect grammar, capitalization, and tenses.
  • Forward suspicious e-mails to the college’s IT personnel and report to the FBI. Tell your friends to be on the lookout for the scam.”

Source: https://www.ic3.gov/media/2017/170118.aspx

Comments Off on Alert: Employment Scam Targeting College Students Remains Prevalent

Posted in Alerts, News and Events, Security Awareness

Google provides explanation on recent Google Docs campaign

Posted on May 4, 2017 by | Comments Off on Google provides explanation on recent Google Docs campaign

A Google spokesperson shared the following statement with TNW, noting that 0.1 percent of Gmail users were affected. That’s roughly 1 million users, though:

“We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1 percent of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

Source: https://thenextweb.com/security/2017/05/03/massive-google-docs-phishing-attack-currently-sweeping-internet/#.tnw_G8nzqYyw

Comments Off on Google provides explanation on recent Google Docs campaign

Posted in Alerts, Exploits and Vulnerabilities, Malicious Email, News and Events, Security Awareness

Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

Posted on April 18, 2017 by | Comments Off on Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

A phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.

The real epic.com is a healthcare website. Using our unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data.

We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.

How to fix this in Firefox:

In your firefox location bar, type ‘about:config’ without quotes.
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Now if you try to visit our demonstration site you should see:

Can I fix this if I use Chrome?

Currently we are not aware of a manual fix in Chrome for this. Chrome have already released a fix in their ‘Canary’ release, which is their test release. This should be released to the general public within the next few days.

Until then, if you are unsure if you are on a real site and are about to enter sensitive information, you can copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https://xn--….. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing.

Source: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Comments Off on Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

Posted in Uncategorized

Alert: Easter Holiday Phishing Scams and Malware Campaigns

Posted on April 12, 2017 by | Comments Off on Alert: Easter Holiday Phishing Scams and Malware Campaigns

Via: US CERT

“Original release date: April 11, 2017

As the Easter holiday approaches, US-CERT reminds users to stay aware of holiday scams and cyber campaigns, which may include:

  • unsolicited shipping notifications that may actually be scams by attackers to solicit personal information (phishing scams),
  • electronic greeting cards that may contain malicious software (malware),
  • requests for charitable contributions that may be phishing scams or solicitations from sources that are not real charities, and
  • false advertisements for holiday accommodations or timeshares.

US-CERT encourages users and administrators to use caution when reviewing unsolicited messages. Suggested preventive measures to protect against phishing scams and malware campaigns include:

  • Do not click web links in untrusted email messages.
  • Refer to the Shopping Safely Online Tip.
  • Use caution when opening email attachments. Check out the Using Caution with Email Attachments Tip for more information on safely handling email attachments.
  • Review the Federal Trade Commission’s page on Charity Scams. Use the links there to verify a charity’s authenticity before you donate.
  • Read the Avoiding Social Engineering and Phishing Attacks Tip.
  • Refer to the Holiday Traveling with Personal Internet-Enabled Devices Tip for more information on protecting personal mobile devices.”

Source: https://www.us-cert.gov/ncas/current-activity/2017/04/11/Easter-Holiday-Phishing-Scams-and-Malware-Campaigns

Comments Off on Alert: Easter Holiday Phishing Scams and Malware Campaigns

Posted in Alerts, Malicious Email, Scam, Security Awareness

Scam Campaign Targeting University Communities

Posted on April 5, 2017 by | Comments Off on Scam Campaign Targeting University Communities

Please be advised that there are scam campaigns targeting University communities. We have received reports of phone calls claiming to be Apple, reporting suspicious activity on accounts and requesting to call them back.

This is not a legitimate call, if you receive it and have any concerns about your account please contact Apple directly and not the number given in this message.

Unfortunately, this is not the only campaign masquerading as Apple support so please be diligent and avoid giving any personally identifiable information over the phone or through email.

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Comments Off on Scam Campaign Targeting University Communities

Posted in Scam, Security Awareness

“Help…………………..Paul Williams” Scam Email Sent to the Fordham Community on March 30, 2017

Posted on March 30, 2017 by | Comments Off on “Help…………………..Paul Williams” Scam Email Sent to the Fordham Community on March 30, 2017
This is a Scam email that has been reported. This message was
received on or about March 30th, 2017. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.
————————————Begin Message ————————————
From: “Paul Williams” <Pppandpw@aol.com>
Date: Mar 30, 2017 10:14 AM
Subject: Help…………………..Paul Williams
To: <user @ fordham.edu>

Good Morning,
I thought i could reach out to you to help me out, I made a quick trip out of the country for a conference, unfortunately i had my bag stolen from me with my phone on my way back to my hotel room. I need your urgent help before my return flight.I will forever be grateful if you can help me.
Paul Williams

————————————End of Message ————————————

Comments Off on “Help…………………..Paul Williams” Scam Email Sent to the Fordham Community on March 30, 2017

Posted in Malicious Email, Scam, Security Awareness

Article: Mobile Safari Scareware Campaign Thwarted

Posted on March 29, 2017 by | Comments Off on Article: Mobile Safari Scareware Campaign Thwarted

Via: Lookout Blog

Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.

The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.

Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.

An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.

Discovery event

This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.

The user reported seeing the “Your device has been locked…” or “…you have to pay the fine of 100 pounds with an iTunes pre-paid card” messages and was no longer able to use the browser.

Abuse of pop-ups in Mobile Safari

The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.

The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.

The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.

The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. An endless loop of pop-ups effectively locks up the browser, which prevents the victim from using Safari, unless she resets the browser’s cache. iOS 10.3 doesn’t lock the entire browser up with these pop-ups, rather it runs on a per-tab basis so that if one tab is misbehaving, the user can close it out and/or move to another one.

Quick fix

Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.

To clear browser history on iOS: Settings > Safari > Clear History and Website Data

Preventing the attack

Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.

Investigation into the campaign

This attack was documented previously on a Russian website. The JavaScript included some code that specifically set the UserAgent string to match an older iOS version.

The attack code creates a popup window, which infinitely loops until the victim pays the money. The ransom is paid by sending, via SMS, an iTunes gift card code to a phone number displayed on the scam website. The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup, so it fails, but keeps presenting the dialog message due to the infinite loop in the code. The JavaScript code is delivered obfuscated, but was de-obfuscated by our analysts to determine its intent.

The JavaScript we obtained from the pay-police[.]com domain was slightly obfuscated using an array of hex values to masque behavior of the code. The pop-up attack on newer versions of iOS appears to DOS (denial of service) the browser.

The group involved in this campaign has purchased a large number of domains that try to catch users that are seeking controversial content on the internet and coerce them into paying a ransom to them.

Each site would serve up a different message based on the country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message has a separate email address for the target to contact, which appear to be country-specific and part of a wider phishing campaign.

The phishing domains and email addresses for each payload:

U.S.: us.html networksafetydept@usa[.]com
Ireland: ie.html justicedept@irelandmail[.]com
UK: gb.html cybercrimegov@europe[.]com
Australia: au.html federaljustice@australiamail[.]com
New Zealand: nz.html cybercrimegov@post[.]com

Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.

Source: https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/

Comments Off on Article: Mobile Safari Scareware Campaign Thwarted

Posted in News and Events, Security Awareness