Author Archives: Kerry Gilder

“Wire Transfer” Scam Email Sent to the Fordham Community on July 5, 2017

This is a Scam email that has been reported. This message was
received on or about July 5, 2017. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.
———————-———-——Begin Message ——–——————————

From: <CustomerService@interaudibank.com>
Date: July 5, 2017 at 10:51:32 AM EDT
To: <user@fordham.edu>
Subject:Wire Transfer

A wire request has been sent to Interaudi Bank on 07/05/17 at 08:13:59 AM to transfer 10000.00 to your account.
The confirmation ID for this request is ******.
Please do not respond to this confirmation. This is an unmonitored mailbox, and replies to this email cannot be read or responded to.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The information contained in this message is privileged and confidential and protected from disclosure.

If the reader of this message is not the intended recipient, or an employee or agent responsible for

delivering this message to the intended recipient, you are hereby notified that any dissemination,

distribution or copying of this communication is strictly prohibited.

If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

Thank you.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

———————-———-——End of Message ——-———-———————

Scam Campaign Targeting University Communities

Please be advised that there are scam campaigns targeting University communities. We have received reports of phone calls claiming to be Apple, reporting suspicious activity on accounts and requesting to call them back.

This is not a legitimate call, if you receive it and have any concerns about your account please contact Apple directly and not the number given in this message.

Unfortunately, this is not the only campaign masquerading as Apple support so please be diligent and avoid giving any personally identifiable information over the phone or through email.

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

“Help…………………..Paul Williams” Scam Email Sent to the Fordham Community on March 30, 2017

This is a Scam email that has been reported. This message was
received on or about March 30th, 2017. Please DO NOT respond to this message or anything that looks like it. You may disregard and delete this message. If you have any questions about the validity of this email please contact IT Customer Care at 718-817-3999 or via email: helpit@fordham.edu.
————————————Begin Message ————————————
From: “Paul Williams” <Pppandpw@aol.com>
Date: Mar 30, 2017 10:14 AM
Subject: Help…………………..Paul Williams
To: <user @ fordham.edu>

Good Morning,
I thought i could reach out to you to help me out, I made a quick trip out of the country for a conference, unfortunately i had my bag stolen from me with my phone on my way back to my hotel room. I need your urgent help before my return flight.I will forever be grateful if you can help me.
Paul Williams

————————————End of Message ————————————

Article: Mobile Safari Scareware Campaign Thwarted

Via: Lookout Blog

Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.

The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.

Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.

An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.

Discovery event

This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.

The user reported seeing the “Your device has been locked…” or “…you have to pay the fine of 100 pounds with an iTunes pre-paid card” messages and was no longer able to use the browser.

Abuse of pop-ups in Mobile Safari

The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.

The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.

The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.

The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. An endless loop of pop-ups effectively locks up the browser, which prevents the victim from using Safari, unless she resets the browser’s cache. iOS 10.3 doesn’t lock the entire browser up with these pop-ups, rather it runs on a per-tab basis so that if one tab is misbehaving, the user can close it out and/or move to another one.

Quick fix

Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.

To clear browser history on iOS: Settings > Safari > Clear History and Website Data

Preventing the attack

Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.

Investigation into the campaign

This attack was documented previously on a Russian website. The JavaScript included some code that specifically set the UserAgent string to match an older iOS version.

The attack code creates a popup window, which infinitely loops until the victim pays the money. The ransom is paid by sending, via SMS, an iTunes gift card code to a phone number displayed on the scam website. The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup, so it fails, but keeps presenting the dialog message due to the infinite loop in the code. The JavaScript code is delivered obfuscated, but was de-obfuscated by our analysts to determine its intent.

The JavaScript we obtained from the pay-police[.]com domain was slightly obfuscated using an array of hex values to masque behavior of the code. The pop-up attack on newer versions of iOS appears to DOS (denial of service) the browser.

The group involved in this campaign has purchased a large number of domains that try to catch users that are seeking controversial content on the internet and coerce them into paying a ransom to them.

Each site would serve up a different message based on the country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message has a separate email address for the target to contact, which appear to be country-specific and part of a wider phishing campaign.

The phishing domains and email addresses for each payload:

U.S.: us.html networksafetydept@usa[.]com
Ireland: ie.html justicedept@irelandmail[.]com
UK: gb.html cybercrimegov@europe[.]com
Australia: au.html federaljustice@australiamail[.]com
New Zealand: nz.html cybercrimegov@post[.]com

Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.

Source: https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/

Re: Appointment As UNICEF Ambassador-Sent to the Fordham Community Around March 23, 2017

This is a Phishing email that has been reported. This message was
received on or about March 23, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

UNITED NATIONS
Ambassador Registration Department,
Ambassador Ms Susan Namondo Ngongi
UNICEF (UN) Representative
P O BOX 4325
Accra, Ghana.
 
 
UNICEF GHANA 
4-8th Rangoon Close
P. O. Box AN 5051
Cantonment
Accra, Ghana.

Attn: Ambassador Select,


                                                Re: Appointment As UNICEF Ambassador.


 
  Greetings to you. Am Ms. Susan Namondo Ngongi the current UNICEF Representative in Ghana. On the behalf of the United Nations Children Fund(UNICEF) and the Federal Republic of Ghana, I wish to inform you that your name was in the Vetted list of candidate that World Health Organization (WHO) submitted for Appointment as the UNICEF New National/Regional Ambassador. Am very happy to inform you that you are among ten (10) selected by the new secretary general of United Nations Hon. António Guterres. The Executive Director of UNICEF Sir Anthony Lake, has given his acknowledgement on your  appointment as UNICEF National and Regional Ambassador as Field coordinator In Ghana, and the current new president of Ghana Nana Akfo-Addo has also given his consent to your appointment, among his agent for Ghana is to provide humanitarian and developmental assistance to children and mothers in the country. Due to the increase of natural disaster and man-made crises around the globe, which has rendered most people homeless, there is an increase of lack of food, good water, education, shelter, and medication, which call for immediate attention. The need of humanitarian service has double more than ever; there is a high need of humanitarian officer that is why we do need you to care for some responsibility in refugee camps in Asia/Africa.
 
Benefits and Entitlements.
 
Ambassador’s benefit from family friendly, work-life, and diversity policies, and UNICEF is committed to maintaining a balanced gender and geographical representation. Other Benefits and entitlements include:
 
• Annual leave
• Dependency allowance
• Medical and dental insurance
• Pension scheme
• Rental subsidy
• Education grant
• Home leave
• Life insurance
• Paid sick leave
• Family leave
• Family Visit
• Maternity / Paternity adoption leave
• Special leave
 
Job Description.
 
Your responsibility as Field coordinator will be to care for the following.
 
    An administrative headquarters to coordinate services.
    Sleeping accommodations (frequently tents).
    Hygiene facilities (washing areas and latrines or toilets).
    Clinics, hospitals and immunization centers.
    Food distribution and therapeutic feeding centers.
    Communication equipment (e.g. radio).
    Security, including protection from banditry (e.g. barriers and security checkpoints).
    Peacekeeping troops to prevent armed violence.
    Places of worship.
    Schools and training centers (if permitted by the host country).
    Markets and shops (if permitted by the host country).
    Organizing workshop to educate children and women: given then education and preventive measure on health issues such as Aids, Cancer, Malaria, sickle cell anemia and typhoid fever
    Organizing a workshop to improve Talents in camps both children and women.
    Fund-Raising and Good communication.
 
The United Nations High Commissioner for Refugees (UNHCR) will provide all these facility mentions above. Is there any Benefit of accepting this position? Yes, there are a lot of benefit and allowance that wait for the New National/Regional  UNICEF Ambassador. Below is the line-up of your salary, your salary is a post adjustment salary. The post adjustment salary includes, a monthly base salary multiplier and takes into account cost-of-living factors and exchange rate fluctuation as well as inflation.
 
 
Salary of $55,000.00USD
Health allowances $4,543.00USD
Traveling allowance $6,321.00USD
 
Which is sum up to $65,864,00USD that you will be receiving monthly, besides you will be given a compensation of $50.000USD, also a good furnish 4 bedroom Apartment (optional if you wish to relocate to the place of duty) and a private SUV of your choice from the United Nations. In addition to this, you also have the mandatory right to claim any fund from any other financial institution or organization, being you the beneficiary or benefactor, without any form of disagreement or controversy. Moreover, you will be able to set up a refugee camp or Orphanage home in your own residential country with the UN Certificate of permit that will be the issue to you.
 
 Ambassador selects, so what then hold you back from completing your registration? Kindly get back to me with the complete filled forms, alongside with a size passport photograph of yourself and any means of your identification (your personal file and document are safe with us, we cherish the confidentiality of our Staff), kindly send them as soon as possible to complete your registration, which will only take 7 working days before all files and your official document to be ready before you resume office with all benefit, allowance, and compensation to be given to you. 
 
 
 
Best Regard,
Ambassador Ms Susan Namondo Ngongi
UNICEF Representative,
For Urgent Reply: susan-unicef@diplomats.com
Accra, Ghana.
    
                                                         ©2017 Unicef – All rights reserved
 
 
 
 
——————–End  Message ——————————