Author Archives: Anthony Barracca

Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

A phishing attack is when an attacker sends you an email containing a link to a malicious website. You click the link because it appears to come from a source you trust. Merely visiting the site may infect your computer, or you may be tricked into signing in to a look-alike of a site you trust. The attacker then has your username, password and whatever other sensitive information they can persuade you to provide.

This variant of a phishing attack uses Unicode characters from other scripts, registered as internationalized domain names (IDNs), to create domains that render identically to real ones. Such look-alike domains can be used in phishing attacks to fool users into signing in to a fake website, thereby handing over their login credentials to an attacker.

At the time of the original article (April 2017) this affected the current version of Chrome, 57.0.2987, and the current version of Firefox, 52.0.2. Internet Explorer and Safari were not affected.

Both domains appear identical in the browser, but they are completely different websites. One of them was registered by us today. Our epic.com domain is actually https://xn--e1awd7f.com/, but it appears in Chrome and Firefox as epic.com.

The real epic.com is a healthcare website. Using our unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data.

We even managed to get a TLS (SSL) certificate for our demonstration attack domain from Let’s Encrypt. Getting the certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox. A domain-validated certificate only proves that the requester controls the domain; it says nothing about who that is, so the padlock is not evidence that a site is the one you think it is.

How to fix this in Firefox:

In your Firefox location bar, type ‘about:config’ without quotes.
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Now if you visit the demonstration site, the location bar shows the punycode form, https://xn--e1awd7f.com/, rather than epic.com.

Can I fix this if I use Chrome?

Currently we are not aware of a manual fix in Chrome for this. The Chrome team has already released a fix in the ‘Canary’ build, their test release, and it should reach the general public within the next few days.

Until then, if you are unsure whether you are on the real site and are about to enter sensitive information, copy the URL from the location bar and paste it into Notepad (Windows) or TextEdit (Mac). A look-alike domain will appear in its https://xn--….. form; a real domain will appear as the real domain in its unencoded form.
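The display logic behind the Firefox setting, the Chrome fix and the Notepad trick can be reproduced in a few lines. The following Python script is an added example, not code from the Wordfence article or from either browser: it decodes the punycode A-label with the standard library, classifies each character’s script from its Unicode name, and flags a label that mixes scripts or consists only of Cyrillic letters that imitate Latin ones. The look-alike table and the protected-domain list (“epic.com”) are constructed for the example and are far from complete.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters in
# most fonts. Illustrative only; the full Unicode confusables table is larger.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Assumed list of domains worth protecting; a deployment would use its own.
PROTECTED_DOMAINS = {"epic.com"}


def decode_label(label):
    """Punycode A-label (xn--...) to its Unicode U-label; others unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """Unicode U-label to A-label; pure-ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def decode_hostname(host):
    return ".".join(decode_label(part) for part in host.split("."))


def encode_hostname(host):
    """The form the address bar shows when punycode display is forced."""
    return ".".join(encode_label(part) for part in host.split("."))


def script_of(ch):
    """Coarse script name taken from the character's Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def ascii_skeleton(host):
    """Replace look-alike letters with the ASCII letters they imitate."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in host)


def assess(host, protected=PROTECTED_DOMAINS):
    """Decide whether a hostname should be shown in punycode form.

    Rule 1: a label mixing scripts (Latin + Cyrillic) is suspicious.
    Rule 2: a label made only of look-alike letters is suspicious.
    Rule 3: the ASCII skeleton must not collide with a protected domain.
    """
    u_host = decode_hostname(host)
    reasons = []
    for label in u_host.split("."):
        letters = [c for c in label if script_of(c) != "COMMON"]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            reasons.append("label %r mixes scripts %s" % (label, sorted(scripts)))
        elif letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
            reasons.append("label %r consists only of Latin look-alikes" % label)
    skeleton = ascii_skeleton(u_host)
    if skeleton != u_host and skeleton in protected:
        reasons.append("skeleton %r collides with a protected domain" % skeleton)
    return {
        "unicode": u_host,
        "punycode": encode_hostname(u_host),
        "skeleton": skeleton,
        "show_punycode": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for h in ("xn--e1awd7f.com", "epic.com", "xn--mnchen-3ya.de"):
        print(h, assess(h))
```

Run on xn--e1awd7f.com it returns the Cyrillic form, the skeleton epic.com and two reasons to display punycode, while a legitimate IDN such as xn--mnchen-3ya.de (münchen.de) passes because all of its letters are Latin. The stdlib codecs implement the older IDNA 2003 rules; production code should use the idna package for IDNA 2008 and the full Unicode confusables data.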

Source: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Phishing Email With Subject ‘Urgent’ Sent to the Fordham Community on 01/17/17

This is a Phishing email that has been reported. This message was
received on or about January 17th, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: user@fordham.edu
Date: Tue, Jan 17, 2017 at 8:29 AM
Subject: Urgent
To: user@fordham.edu

2017 FORDHAM email update program, click UPDATE (<–Link here) and fill the form correctly to update your email.

——————–End Message ——————————

Article: How to protect yourself while online shopping for the holidays

A recent article from Mashable provides research geared towards protecting yourself online while shopping for the holidays:

—Begin—

With many retailers offering internet-only promotions to go along with their in-store doorbusters, more Americans than ever seem to be choosing to stay home to take advantage of the best deals of the season.

Research from Visa projects an 18 percent increase in online holiday spending this year, which follows 16 percent growth over the 2015 season from the year before. That uptick in 2015 resulted in about $11 billion of online sales over the five-day Thanksgiving weekend period (Thanksgiving Day through Cyber Monday). That’s why it’s essential that shoppers protect themselves and their personal information more than ever in 2016. Especially since “25 percent of all security breaches [are] taking place in the retail sector,” said Experts Exchange COO Gene Richardson in a statement to Mashable.

As a former head of the data security teams of IBM, Charles Schwab and Motorola, Richardson has extensive experience advising companies and consumers alike on how to avoid fraud and protect their identities online.

With that in mind, he’s assembled a set of helpful online shopping safety tips:

1. Ensure that the website address is secure and has a valid encryption certificate. It will usually display a “locked, green” indicator in front of the website name. If it doesn’t have that, it does not have a higher level of security that has been guaranteed by a known entity like Verisign, Symantec and others.

2. Ensure your system has the most recent recommended system and security patches.

3. Always use a credit card that is not tied directly to your personal bank account(s), even if you are using PayPal, Bitcoin or some other payment method.

4. Never give anything other than name, address and phone number. You should not need to answer security or privacy questions when making a purchase or checking out. If they ask, see if you can checkout as a “guest” instead.

5. Monitor your credit through a third party for identity theft and have SMS and email alerts sent to you immediately.

6. Set-up alerts with your credit card company that send both SMS and emails when any purchases are made and the credit card was not scanned (meaning, it wasn’t in someone’s hand when the charge was made). Set them as low as $25 per purchase. Also, set-up alerts for total purchases over $500 in a billing period to protect multiple $24.99 purchases. And if possible, a maximum amount of purchases allowed in a billing period such as $1500 before card will get declined.

7. Ensure that you have a reputable Antivirus program running on your computer and that your browser has an Ad blocking plug-in.

8. Ensure that the network your computer/device is on is secure and you know who has access to your network. This is usually done with your router. You want to lock down your router so that traffic can be initiated from the inside-out but you do not want traffic to be initiated from the outside-in. If you are using a WiFi connection, make sure that network is also secure and requires a password to join. If it is a public WiFi network that doesn’t require a password, then the traffic coming from your device can be monitored and stolen.

9. Any passwords that you use should be strong, hard to guess ones. Or, even better, hard to guess, but easy to remember.

10. Don’t click on unfamiliar links to sites advertising sales, coupons, etc.

11. Use two-factor authentication/verification, if it is offered.

Mobile Concerns

To stay safe while shopping on your phone or tablet, be sure to follow these tips, according to RiskIQ:

1. Only download apps from official app marketplaces like Google Play or Apple’s App Store.

2. Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.

3. Check out the background of an app before downloading. Research the developer and be cognizant of the spelling of brand names.

4. Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags — threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

Common Sense

Just like any other time of the year, a deal found online over Thanksgiving weekend that seems too good to be true might be just that.

In addition to Richardson’s first tip about web page encryption certificates, always check website addresses after following links on Twitter, Facebook or even Google to be sure you haven’t been redirected. Legitimate retailers will almost always be determined by the “S” in HTTPS at retail sites.

Finally, keep your personal and financial information close at hand. Never provide anything until you’ve done your homework on a site or app, and even then never input anything until you’ve selected your purchase and are checking out.

With a measured approach to online shopping, you can dodge the in-store lines and the security risks this holiday season.

—End—
Source: http://mashable.com/2016/11/21/online-shopping-safety-black-friday-cyber-monday/#6OHl_1zRaqql

Article: Post-Election Spear Phishing Campaigns

A recent article warns of election related spear-phishing and malware infected emails.

—Begin—

In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns.

These e-mails came from a mix of attacker-created Google Gmail accounts and what appear to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing on national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.”

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to have control over. The other two attacks contained documents with malicious macros embedded within them. Each of these attack waves was slightly different from the others and is detailed below.

Attack Wave 1: eFax – The “Shocking” Truth About Election Rigging
Attack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]
Attack Wave 3: Why American Elections Are Flawed

—End—

More information can be found at: https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
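The two macro-bearing attack waves depend on the attachment’s format carrying executable VBA. The following Python script is an added example and is not from the Volexity report; it shows what a mail gateway or triage script can check without opening the file in Office: for modern Office Open XML packages it looks for a vbaProject.bin part and for macro-enabled content types declared in [Content_Types].xml; for legacy binary files it applies a byte-scan heuristic for the OLE macro storage names. The sample documents it builds are constructed stubs, not real attachments, and the OLE check is a heuristic rather than a parse of the OLE directory (use olefile or oletools for that).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_PROJECT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names as they appear (UTF-16LE) in an OLE directory.
OLE_MACRO_NAMES = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def ooxml_macro_indicators(data):
    """Reasons an Office Open XML package (docx/docm/xlsm/pptm) carries VBA.

    Returns an empty list for packages without a VBA project and for data
    that is not a zip archive at all.
    """
    if not data.startswith(b"PK\x03\x04"):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("VBA project part present: " + name)
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root:  # <Default> and <Override> children
                ctype = el.get("ContentType", "")
                target = el.get("PartName") or ("." + el.get("Extension", ""))
                if ctype == VBA_PROJECT_TYPE or "macroEnabled" in ctype:
                    reasons.append("content type %s declared for %s" % (ctype, target))
    return reasons


def ole_macro_indicators(data):
    """Heuristic for legacy binary Office files (.doc/.xls): look for the
    UTF-16LE names of the macro storages anywhere in the file."""
    if not data.startswith(OLE_MAGIC):
        return []
    return ["OLE storage name %r found" % n.decode("utf-16-le")
            for n in OLE_MACRO_NAMES if n in data]


def is_macro_document(data):
    return bool(ooxml_macro_indicators(data) or ole_macro_indicators(data))


def build_ooxml_sample(with_macro):
    """Constructed minimal package for the demo; real documents carry many
    more parts. Content types mirror what Word writes for .docx and .docm."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    entries = [
        '<Default Extension="xml" ContentType="application/xml"/>',
        '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type,
    ]
    if with_macro:
        entries.append('<Default Extension="bin" ContentType="%s"/>' % VBA_PROJECT_TYPE)
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(entries) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00constructed-stub")
    return buf.getvalue()


def build_ole_sample(with_macro):
    """Constructed stand-in for a legacy .doc: OLE magic plus storage names."""
    body = b"\x00" * 64
    if with_macro:
        body += OLE_MACRO_NAMES[0] + b"\x00" * 8 + OLE_MACRO_NAMES[1]
    return OLE_MAGIC + body


if __name__ == "__main__":
    for label, blob in (("docx", build_ooxml_sample(False)), ("docm", build_ooxml_sample(True)),
                        ("doc", build_ole_sample(True))):
        print(label, is_macro_document(blob), ooxml_macro_indicators(blob) or ole_macro_indicators(blob))
```

Flagging a file is not the same as proving it malicious: plenty of legitimate spreadsheets carry VBA. The value of the check is that it lets a gateway quarantine or sandbox macro-bearing attachments from external senders before a user is asked to “Enable Content”.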

Article: Hackers Selling 117 Million LinkedIn Passwords

LinkedIn was hacked four years ago, and what initially seemed to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords.

On Wednesday, the professional social network company acknowledged that a massive batch of login credentials is being sold on the black market by hackers.

The advice for everyone who uses LinkedIn at this point is: change your password and add something called two-factor authentication, which requires a text message every time you sign in from a new computer.
….

LinkedIn said it’s reaching out to individual members affected by the breach. This particular hack affects a quarter of the company’s 433 million members.

Hackers are selling the stolen LinkedIn database on a black market online called “The Real Deal,” according to tech news site Motherboard.

For its part, LinkedIn offered the same, go-to statement used by every company after a data breach.

“We take the safety and security of our members’ accounts seriously,” wrote Cory Scott, the company’s chief information security officer.

Source: http://money.cnn.com/2016/05/19/technology/linkedin-hack/

Article: College Scam Alert: Con Artists Target Students

“If you know some college students who are living on their own, you’ll want to make sure they know how to protect themselves from scam artists.

Ruth to the Rescue has sounded the alarm about con artists targeting adults, especially the elderly, but those crooks are also using “college versions” of their schemes to steal money from students.

The website Credit.com recently posted the scams it calls the most common on campus. If you know a college student, share this information! It could prevent someone from losing a lot of money, and most college students don’t have money to lose.

1) Fake Late Tuition Calls: Beware of someone calling and telling a student that his/her tuition is late and in order to not be dropped from their classes they need to pay right then with their credit or debit card. As in similar scams, (fake IRS, fake power bill) the student should get off the phone immediately and contact the finance office, using a number they know is legitimate. If you want to be prepared in advance, make sure you know how your school will handle late payments, so you know what to expect.

2) Advanced Fees: Remind your college kid that if someone is trying to charge them a large sum of money for something they can most likely do on their own, such as scholarships, debt counseling, FAFSA completion or a loan, they should hang up and speak with an adult educated on the matter right away.

3) Online Textbooks: College textbook prices can be crazy expensive, and while it is smart for your student to research sites where they may be able to find the books cheaper, it is imperative that they also do their homework on these sites before buying from them. Many too-good-to-be-true sites will simply collect your student’s money and deliver nothing.

4) Fake Landlords: For out of state students especially, it is very common nowadays to look online for school apartments and housing. Make sure that your student always sees the apartment in person, inside and out, checks out reviews online, and meets the landlord in person before paying any sort of apartment bill. This is also a scam used against adults, where fake landlords rent homes or apartments they don’t really own. If you cannot get inside to see the place, that’s a huge red flag.

5) Check Cashing: Be wary of “friends” and acquaintances who may ever ask you to cash a check for them. In this scam college students will usually take the check and give the person cash in exchange. When they go to cash the check it bounces and the original check holder is long gone with their money.

6) Beware Public Wi-Fi: College students are notorious for hitting up cafes and parks for free Wi-Fi, but it is imperative that they are aware of everything they subject their electronic device to when they join a Wi-Fi network. Load your student’s computer up with password protection and encryption software before they head off to school and also remind them to never sign into sensitive accounts, such as banking, when on public Wi-Fi.

You Are Your Own Best Defense

Working with the Better Business Bureau, Ruth to the Rescue has come up with this 4-step strategy that really helps to battle any scam artist, using any scheme to try to get your money or your personal information.

1) IGNORE!

It’s really important that you get caller ID and train yourself to ignore any call if you don’t recognize the number. Just don’t answer! If it’s someone you know, they will leave a message and you can call them right back. Every time you pick up a call from a scam artist, you are telling that scammer you are a live target. The same goes for strange emails: delete them! And never click on links in emails from someone you’re not 100 percent sure is a friend or legitimate business.

2) RESIST

If you answer a call and someone is demanding money or personal information, resist their offers or their threats. It should become obvious that something’s not right, depending on which buttons they’re trying to push.

“If they’re really just trying to prey on my emotions or my fear, that’s when you should just immediately hang up!” advises Melanie Duquesnel, CEO for the local Better Business Bureau in Southfield.

She says you never want to share personal information or make a payment, during that first point of contact, especially when that call comes out of the blue. You can listen (without sharing any of your information) but always remember to hang up and do more research!

You can also come up with a “refusal script” in your head that you can use on any scammer or aggressive sales person to reject their offers. Come up with a way to tell them you always do more research on any offer and it’s just a standard procedure that you don’t do business without 24 hours to consider the offer.

“You can come off politely, but at the same time firmly,” said Duquesnel.

3) VERIFY!

If the caller says something that catches your attention, makes you nervous, or seems worth checking out, do further research to see if what they’re saying is true. Remember, never call the numbers they give you for that extra research. Find a legitimate number to call. If you keep calling them back, you could be hearing more lies.

Another good idea, google some of the key facts of the story you’ve been told. There is a lot of information online about scams that are making the rounds. Victims often post their stories, including the names of the scammers, the phone numbers they’ve used, and other details that can help you spot a scam.

Be sure to go to sources beyond that first call before you spend any money.

“The initial call is never homework. If someone calls you and says ‘Hey, you’ve won a million dollars!’ and you consider that your homework, I’m going to say absolutely not! You have flunked out of the how to avoid a scammer class,” said Duquesnel.

4) NOTIFY!

Finally, if somebody tries to scam you, tell other people so they can be on the lookout. Share your story with friends, family, and even social media so others know what kind of scams are currently making the rounds and how to spot them.

If you lose money, do not be embarrassed to tell someone. They might be able to help you stop further losses, and again, they will be on the lookout for these fast-talking criminals. It’s also important to notify local police when appropriate, the IRS, the Federal Trade Commission, or whatever agency might be able to offer you assistance.

Anyone can fall victim to a scam artist, if the scammer finds the right button to push to pressure them into surrendering their money.

“You must inform. You must share and in doing so you save somebody else,” said Duquesnel.

If you’d like more help from the Better Business Bureau, follow this link.

And, to read more from Credit.com, follow this link.”

Source: http://www.clickondetroit.com/consumer/ruth-to-the-rescue/college-scam-alert-con-artists-target-students

Article: Smoking vs. Weak Passwords

“A study revealed that the government spent $48 million on anti-smoking campaigns. Every year the same or a higher amount of money is spent on such campaigns. The government still allows their sale, though smoking is injurious to health.

Why talk about advertisements and sale of cigarettes and what does it have to do with weak passwords?

Like smoking, weak passwords have consequences. CISOs and security professionals spend thousands if not millions of dollars on awareness but still allow weak passwords.

Security professionals, those protecting organizations, leave many applications allowing users to enter weak passwords. Problems with weak passwords are greater where organizations allow shadow IT applications. Many e-commerce websites accept weak passwords in favor of a better user experience.

A strong password is a default necessity to increase our chances of staying protected. Yet, in a recent study, “123456” and “password” remained the most popular passwords in 2014 and 2015. Not only CISOs but end users too need to understand the dangers of weak passwords. But sometimes “Ignorance is bliss” costs.

Password strength vs. user experience is going to be a never-ending debate. But as security professionals, we need to analyze risks and favor strong passwords.

Governments have the power to ban cigarettes, and so do CISOs and security professionals. Security managers too have the power to enforce strong passwords or make two-factor authentication mandatory.

It is clear that awareness alone is not enough to reduce exposure to weak passwords. Perhaps awareness must include real-life cases of breaches due to weak passwords, just as cancer patients are cast in anti-smoking advertisements!”

Source: https://www.linkedin.com/pulse/smoking-vs-weak-passwords-vishant-pai

The worst passwords of 2015!

These are the Worst Passwords That You Still Keep Using

“123456” tops the list.

If you’re still wondering whether “123456” would make a strong password, the answer is still no.

The all-too-easy numerical sequence has been named by security appliance firm SplashData as the worst password of 2015, defined by the company as the most commonly-used phrase out of 2 million leaked passwords, which put users at risk of hacking and identity theft due to weak, easily-guessed combinations.

SplashData’s findings also revealed “password” was the second-worst choice of 2015. Other bad choices included sports (“football” and “baseball” rank in the top 10) and Star Wars references (with “princess,” “solo,” and “starwars” coming in as new entrants into the top 25). “123456” and “password” were also No. 1 and 2 last year.

“As we see on the list, using common sports and pop culture terms is also a bad idea,” Morgan Slain, CEO of SplashData, said in a statement.

Chart: Worst passwords of 2015 (image from the original article, not reproduced here)

The importance of increasing security around personal information online has shot up due to the rise in data breaches and cyberattacks over recent years. Last year, around 480 million personal data records were leaked according to one estimate, which included high-profile data breaches at extramarital affairs site Ashley Madison and the U.S. Office of Personnel Management.

Source: http://fortune.com/2016/01/20/passwords-worst-123456/
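Both pieces above end at the same recommendation: the application should refuse a password that appears on such lists. A naive deny-list matches only the literal string, while attackers’ wordlists apply the same mangling users do (“Football2015!”, “P@ssw0rd”). The following Python check is an added example, not code from either article; the deny-list holds just the words named in the Fortune article, and the length threshold and the leet substitutions are assumptions chosen for illustration.

```python
import re

# Deny-list built from the passwords named in the article (constructed for this
# example; a deployment would load a breach-derived list of many thousands).
DENYLIST = {"123456", "password", "football", "baseball", "princess", "solo", "starwars"}
MIN_LENGTH = 12  # assumed policy minimum

# Common "leet" substitutions; '1' and '!' are tried both as 'i' and as 'l'.
LEET_MAPS = [
    str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                   "@": "a", "$": "s", "!": "i"}),
    str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                   "@": "a", "$": "s", "!": "l"}),
]


def candidate_bases(password):
    """Forms a rule-based cracking wordlist would also generate from the word."""
    lower = password.lower()
    forms = {lower}
    forms.add(re.sub(r"[^a-z]+$", "", lower))   # drop trailing digits/symbols: football2015! -> football
    forms.add(re.sub(r"^[^a-z]+", "", lower))   # drop leading ones: !!password -> password
    for form in list(forms):
        for table in LEET_MAPS:
            forms.add(form.translate(table))    # p@ssw0rd -> password
    forms.discard("")
    return forms


def check_password(password):
    """Return (accepted, reason). Deny-list first, so the reason is specific."""
    for base in sorted(candidate_bases(password)):
        if base in DENYLIST:
            return False, "reduces to deny-listed word %r" % base
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "Football2015!", "P@ssw0rd1234", "correct horse battery staple"):
        print("%-30r %s" % (pw, check_password(pw)))
```

The normalization step is what makes the deny-list bite: “Football2015!” satisfies most complexity rules (upper case, digits, a symbol) yet reduces to a word in the top ten, and a cracker would try exactly that variant first. Pair the check with a rate limit and two-factor authentication as the articles suggest, since a deny-list only removes the very worst choices.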

Internet Explorer End of Life – Update Required

Dear Colleagues and Students,

As of January 12, 2016, Microsoft stopped supporting Internet Explorer versions 7, 8, 9 and 10 on most operating systems. To keep your computer and transactions safe, and to protect yourself and the University, you must download Internet Explorer 11 via the following link: http://windows.microsoft.com/en-gb/internet-explorer/download-ie.

The following are Microsoft-supported operating systems and supported Internet Explorer versions:

Windows Desktop Operating System    Supported Internet Explorer Version
Windows 7 SP1                       Internet Explorer 11
Windows 8.1 Update                  Internet Explorer 11
Windows 10                          Internet Explorer 11 and Edge

The end-of-life notices for Internet Explorer 7, 8, 9 and 10 mean that these versions won’t receive any more security updates or other patches. If you are still using these browsers, you may be vulnerable to security threats and even hacks, depending on what other (if any) security software you have installed.

Also, be wary of popups from browsers asking you to update Internet Explorer, as these messages may be attempts to install malicious software on your machine. Only trust legitimate downloads and installations, which are accessed from the link provided, above.

Questions? Contact IT Customer Care: 718-817-3999 | HelpIT@fordham.edu

Keep in touch with Fordham IT

Twitter: @FordhamIT or twitter.com/FordhamIT

UISO on Twitter: @FordhamSecureIT or twitter.com/FordhamSecureIT

Facebook: facebook.com/FordhamSecureIT

Blog: itnews.blog.fordham.edu

IT Security Blog: ITsecurity.blog.fordham.edu
Website: fordham.edu/IT

Article: Don’t Take the Bait; Avoid Phishing and Malware to Protect Your Personal Data

IRS Security Awareness Tax Tip:

“Update your account now.”  “You just won a cruise!” “The IRS has a refund waiting for you.”

In the cyber world of phishing, the sentences are “bait” – lures from emails, telephone calls and texts all designed to separate you from your cash, your passwords, your social security number or your very identity.

The IRS has teamed up with state revenue departments and the tax industry to make sure you understand the dangers to your personal and financial data. Taxes. Security. Together. Working in partnership with you, we can make a difference.

No doubt you’ve heard that warning to beware of phishing many times. But, phishing remains a problem because it works. Cyber-criminals on a daily basis concoct new ways to trick people into turning over cash or sensitive data that can affect your taxes.

When it comes to this type of crime, the main line of defense is not technology, it is you!

Criminals pose as a person or organization you trust and/or recognize. They may hack a friend’s email account and send mass emails under their name.  They may pose as your bank, credit card company or tax software provider. Or, they may pose as a state, local or federal agency such as the Internal Revenue Service or a state agency. Criminals go to great lengths to create websites that appear legitimate but contain phony log-in pages.

Just remember: No legitimate organization – not your bank, not your tax software company, not the IRS – will ever ask for sensitive information through unsecured methods such as emails. And the IRS never sends unsolicited emails or makes calls with threats of lawsuits or jail.

Scam emails and websites also can infect your computer with malware without you even knowing it. The malware can give the criminal access to your device, enabling them to access all your sensitive files or track your keyboard strokes, exposing login information.

Here are a few simple steps you can take to protect yourself:

  • Avoid suspicious phishing emails that appear to be from the IRS or other companies; do not click on the links. Go directly to their websites instead.
  • Beware of phishing scams asking you to update or verify your accounts.
  • To avoid malware, don’t open attachments in emails unless you know who sent it and what it contains.
  • Download and install software only from websites you know and trust.
  • Use security software to block pop-up ads, which can contain viruses.
  • Ensure your family understands safe online and computer habits.

To learn additional steps you can take to protect your personal and financial data, visit Taxes. Security. Together. You also can read Publication 4524, Security Awareness for Taxpayers.

Each and every taxpayer has a set of fundamental rights they should be aware of when dealing with the IRS. These are your Taxpayer Bill of Rights. Explore your rights and our obligations to protect them on IRS.gov.

 

Source: https://www.irs.gov/uac/Dont-Take-the-Bait-Avoid-Phishing-and-Malware-to-Protect-Your-Personal-Data