Author Archives: Christopher Johnson

Hackers compromised free CCleaner software, Avast’s Piriform says

via: Reuters

SAN FRANCISCO (Reuters) – Hackers broke into British company Piriform’s free software for optimizing computer performance last month, potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.

The malicious program was slipped into legitimate software called CCleaner, which is downloaded for personal computers and Android phones as often as five million times a week. It cleans up junk programs and advertising cookies to speed up devices.

CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.

A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June’s “NotPetya” attack on companies that downloaded infected Ukrainian accounting software.

“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.

In a blog post, Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. A spokeswoman said that 2.27 million users had downloaded the August version of CCleaner while only 5,000 users had installed the compromised version of CCleaner Cloud.

Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12. A new, uncompromised version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.

The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Williams said.

CCleaner does not update automatically, so each person who has installed the problematic version will need to delete it and install a fresh version, he said.

Williams said that Talos detected the issue at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.

Piriform said it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.

It said the server was closed down on Sept. 15 “before any known harm was done”.

Source: https://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9

Equifax Breach: Find out if you’re affected

via: Shannon Ortiz, Director of IT Security at Fordham University

Dear Colleagues and Students,

As you may have heard in the news, Equifax, a credit reporting agency widely used by major credit card companies, banks, retailers, and lenders (including lenders of student loans), has suffered a serious data breach affecting over 143 million people. Cybercriminals have stolen names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.

Educate yourself about the breach: Equifax has set up a website, equifaxsecurity2017.com, with more information about the breach. Included is a page for checking whether your personally identifiable information (PII) was part of the breach.

If your PII was breached, Equifax gives you the option to enroll in their credit monitoring service, TrustedID Premier. Note that during the enrollment process, Equifax requires you to sign a consent form in which you agree to not take any legal action against Equifax related to the breach.

Good online hygiene: Fordham IT will NEVER ask for your username and password, or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the UISO to validate the legitimacy of these emails.

Educate yourself some more: Take the UISO’s online, self-paced course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. Log in to Blackboard via My.Fordham.edu or directly from Fordham’s Blackboard portal.

If you need more information, please reach out to the University Information Security Office: infosec@fordham.edu

Hurricane-Related Scams (Update)

via: US-CERT

As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.

To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/09/08/Hurricane-Related-Scams

9 scams every college student (and parent) needs to watch for

via: cbsnews.com

Imagine you’re a scam artist looking for a vulnerable group to prey on.

Older people are often good marks, but they’re dispersed throughout the population, so finding a group to victimize can prove problematic. The very young are often protected by parents and may not have enough money to make them worthwhile targets. But college students? Perfect.

College students are old enough to have money, young enough to be vulnerable and likely to be unsupervised and away from home for the first time. Added bonus: because they congregate by the thousands on campuses nationwide, they’re not hard to find.

Now that you’ve gotten inside the head of those who might be preying on you or someone you love, take a few minutes to study some common college scams.

1. Tuition scam

Someone calls claiming to be with your school’s administration or admissions. They warn that your tuition is late and as a result, you’ll be dropped from your classes today. You’re ordered to pay immediately, over the phone, with a credit or prepaid card.

Solution: If you get a call involving money from anyone regarding anything, get off the phone and call the office that was mentioned yourself. Simply explain to whoever is calling that you’ll be calling them back, then check the status of whatever seems to be the problem.

This scam is a variation of the old unpaid bill scam, in which someone gets a call warning of dire consequences if they don’t immediately send money. In another common iteration, it’s a fake IRS agent warning of jail time.

2. Bad behavior

College students are legendary when it comes to finding ways to get into trouble or compromising positions. But now everyone has a smartphone, and therefore a camera. So, everything can, and will, be photographed and/or captured on video. And, yes, there are people who will pretend to like you but are actually setting you up for blackmail.

One only has to recall the Ashley Madison hack of 2015 to imagine what can happen when extremely personal information falls into the wrong hands.

Solution: If you’re going to do anything at college you wouldn’t do in front of your parents or a prospective employer, think twice. If you’re around people you don’t know, and/or you have been drinking, think 10 or 20 times.

3. Fake credit cards … and real ones

The Credit Card Accountability, Responsibility, and Disclosure (CARD) Act of 2009 banned banks from heavy credit card marketing on campus, but that doesn’t mean banks and card companies don’t still actively pursue college students.

Credit cards and other accounts that are heavily solicited are the ones most likely to be loaded with bad terms, big fees and high interest rates. Even worse, some credit card solicitations might be disguising an identity thief. Tread carefully.

Solution: If you need a credit card, don’t respond to one that solicits you. Instead, do your own hunt for the best card. The best deals in many areas of life, including credit cards, are often the least advertised, so look around online and at local banks and credit unions. Compare fees, terms and conditions, then make an informed decision.

4. Passwords

Everyone knows not to use the same simple or easy-to-guess passwords on multiple sites, or at least everyone should know. So why do we continue to risk our digital lives by using them anyway? Don’t store passwords or other sensitive information on your phone, or laptop, or anything else that can be easily stolen.

Solution: Forget changing passwords often or creating words with special characters — experts now say that advice doesn’t make passwords any harder for a bot to crack. Instead, try to make your password a long series of unrelated words. Also consider using any number of free programs to create, track and change your passwords. You just remember one password, your password manager does the rest.

5. Advance fees

If someone wants to charge you a fat fee in exchange for a loan, job, scholarship, debt counseling, completing a FAFSA (Free Application for Federal Student Aid) or almost anything else, it’s likely either a scam or someone charging too much for doing something you can do yourself.

Solution: Whatever the situation, the higher the fee, the more suspicious you should be. When it comes to scholarship and financial aid scams, the Federal Trade Commission offers these red flags to watch for:

  • “The scholarship is guaranteed or your money back.”
  • “You can’t get this information anywhere else.”
  • “I just need your credit card or bank account number to hold this scholarship.”
  • “We’ll do all the work. You just pay a processing fee.”
  • “The scholarship will cost some money.”
  • “You’ve been selected” by a “national foundation” to receive a scholarship — or “you’re a finalist” in a contest you never entered.

6. Online books

Crooks know textbooks are a huge college expense. So they set up a site, offer great deals, collect your money, then deliver nothing.

Solution: Don’t ever buy books, or anything else, online without first checking out reviews and otherwise validating the site and/or seller. Are they listed with the Better Business Bureau (BBB)? Do they have a physical address and phone number? Do you know anyone who’s used them before?

7. Nonexistent apartments

This scam is simple: Someone offers a great apartment, collects rent and/or a deposit over the phone or online for a place they don’t own, then disappears.

Solution: Don’t ever agree to rent an apartment without seeing it, both inside and out, and meeting the landlord. And don’t hand over money until you’re standing in your new apartment, key in hand.

8. Check cashing

In this scam, a “friend” asks you to cash a check for them. Maybe they even let you keep a little bit of the money for your trouble. You take their check and give them cash. Shortly after you deposit the check, it bounces. They’re long gone, and you’re out the money, as well as a returned check fee.

Solution: If you don’t know someone very well, consider cashing a check for them a gift of money from you, because it’s likely that’s what it will turn out to be.

9. Risks on Wi-Fi

Few groups are more likely than college students to spend time online via Wi-Fi at places like coffee shops, restaurants and parks. Unfortunately, public Wi-Fi subjects you to all manner of potential foul play.

Solution: Slow down hackers and ID thieves by using password protection and encryption software. Still, don’t ever log on to banking or other sensitive sites when on public Wi-Fi. And it’s not just your laptop that’s at risk. Do you have the same protections on your smartphone?

Bottom line: Remember the three golden rules of scam avoidance

While many scams, both on-campus and off, have donned high-tech clothing in recent years, most can be avoided by remembering three old-fashioned rules:

  • If something seems too good to be true, it probably is.
  • Don’t part with personal information unless you’re sure where it’s going.
  • The more someone needs money upfront, the greater the likelihood you’re about to be robbed.

Source: https://www.cbsnews.com/news/9-scams-every-college-student-and-parent-needs-to-watch-for/

MacEwan University loses $11.8 million to scammers in phishing attack

via: edmontonjournal.com

Low-level MacEwan University staffers were tricked into transferring $11.8 million into scammers’ bank accounts in what one expert said is among the largest publicly disclosed phishing scams.

The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong.

“We are fairly confident that we will be able to recover those funds, the $11.4 million,” MacEwan spokesman David Beharry said Thursday. “It’s a question of how long will it take for the university to retrieve that money.”

He said $6.3 million has been seized from the account in Montreal, and actions are underway to freeze the two accounts in Hong Kong.

The $11.8 million loss represents about one-10th of what MacEwan receives as an annual operating grant from the government of Alberta. In the 2015-16 financial year, the university received $118 million from the province out of its $237.1-million budget.

“I think it’s safe to say that there was a lot of disappointment and frustration because this came down to human error,” Beharry said.

The fraud was discovered Aug. 23 after a supplier said it had not been paid. Beharry would not identify the supplier.

Fraudsters had created a website that resembled the domain site of one of the university’s major suppliers. Using that site, the fraudsters impersonated the supplier, asking the university to transfer accounts payable to a new bank account the fraudsters controlled.

Three MacEwan staffers made three payments to the bogus account over a nine-day period ending Aug. 19. The university paid out $1.9 million, $22,000, and finally $9.9 million.

Beharry would not say if the staffers have been disciplined or fired.

“The university does not believe there has been any sort of collusion,” he said. “We really believe this is simply a case of human error.”

The university is working with lawyers in Montreal, London and Hong Kong on civil action to recover the money. The status of the remaining $400,000 is not known.

MacEwan conducted an audit of its business processes after discovering the fraud and put controls in place “to prevent further incidents.” An internal audit group will also investigate the incident.

An early assessment determined that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.”

David Shipley, CEO of Beauceron Security and former cyber-security lead at the University of New Brunswick, said MacEwan was likely the victim of what’s known as a business email compromise scam.

“It’s the single largest publicly disclosed amount I’ve seen,” he said. “That’s not to say there aren’t private companies that aren’t required to disclose this stuff that haven’t had (larger) losses.”

Shipley said Facebook and Google fell victim to similar scams, transferring “in the $100-million range” after being invoiced by fake suppliers.

“This is the intersection of people, process and technology,” he said. “People in that they got tricked, process in that being able to transfer that amount of money should have required additional financial controls. Technology played the smallest role — as in why didn’t their email filter it or alert them that (the sender) wasn’t who it said it was.”

Beharry said the university has funds to pay the supplier. The loss would not impact students, he said.

In a statement, Advanced Education Minister Marlin Schmidt said he is “disappointed” the university fell victim to the scam and has instructed all post-secondary institutions to review their financial controls.

“I expect post-secondary institutions to do better to protect public dollars against fraud,” Schmidt said.

Source: http://edmontonjournal.com/news/local-news/11-8-million-transferred-from-macewan-university-accounts-in-phishing-attack