Author Archives: Louis Papa

Scammers Mimic Apple in Latest Round of Phishing Campaigns

Via: Malwarebtes Labs

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails
First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

 


The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page. The phish link itself is also offline, so we can’t show you what may lay in wait. But we can confirm people won’t be losing money to this one anytime soon.

 

Someone else logged in
Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device
Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari
If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Beyesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPs websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: Just because a website is HTTPs, does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.

Apple care scare
There’s also some dubious texts going around claiming to be from Apple Care:

It reads as follows:

Final Notification
Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at
appleid-revise(dot)com
Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases
We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue target these accounts.

Read the full article.

Chrome to Start Blocking Annoying Ads February 15

Via: Gizmodo

On Thursday, the Chrome browser will begin to automatically filter out ads that don’t meet certain quality standards. Your browsing experience is about to change a little bit. Here’s what you need to know.

In April of last year, the news first broke that Google planned to integrate some form of ad-blocking into its browser that would be on by default. Since then we’ve seen a gradual rollout of the feature, beginning with the ability to mute autoplay videos with sound on the sites of your choosing. Now, Google going all-in with a set of criteria for what ads will be kosher in Chrome.

12 types of ads that Chrome will now automatically block.

Along with its fellow ad giant Facebook, Google is a member of the Coalition for Better Ads, an industry group that has performed research on what forms of web advertising annoys people the most. It’s created a list of the 12 types of web experiences that should ideally be avoided by advertisers. Now Google is going to enforce that list with Chrome, which is used by over half of all people accessing the web with a browser.

On Wednesday, the company published a blog post detailing how the system will work. Initially, Google will take a sample of various pages on a specific domain and analyze whether that page is serving any of the offending ad categories. It’ll be given a score of “Passing, Warning, or Failing.” Sites that don’t manage to get a passing grade will be notified by Google and they can review an ad experience report for details on what needs to change. If a site ignores multiple warnings, its ads will be blocked by default after 30 days.

If a user visits a site that’s being filtered by Chrome, they’ll see a message in the address bar that gives them the option to still allow ads—on mobile, users will see a pop-up at the bottom of the screen that will give them the same option. Yes, pop-up ads are blocked, and Google will be informing you with a pop-up notification.

View the full article.

 

Educational Institutions Attractive Target for Cybercriminals

Via: NJ Cybersecurity and Communications Integration Cell

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyber-attacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom. In October 2017, the US Department of Education issued an updated Cyber Advisory warning schools about a new method of cyber extortion impacting institutions across the country.

In recent attacks, cyber-criminals demanded large ransom payments in exchange for sensitive student record information obtained via schools’ compromised networks. In some instances, cyber-criminals made direct threats to the safety of students and staff members via SMS messaging. According to Verizon’s 2017 Data Breach Investigations Report, the education sector was impacted by approximately 455 security incidents in 2016, with at least 73 of these events involving the disclosure of data. As the use of technology within the classroom is increasingly required for educational purposes, more schools are implementing Bring Your Own Device (BYOD) policies, allowing students and employees to connect their personal computers, tablets, and mobile phones to their networks. Unfortunately, if BYOD is not implemented with security in mind, schools could be exposing their networks and sensitive data to an increased risk of compromise created by vulnerable and infected devices. Sophisticated and profit-motivated threat actors are cognizant of this fact and will continue to target universities and school districts as many of them do not have adequate resources, funding, or staffing to properly protect and defend their networks.

  • The NJCCIC recently alerted its education sector members to a cyber-extortion campaign targeting educational institutions in Florida. In this targeted attack, emails were sent to the presidents of several colleges and universities threatening mass shootings and bombings if a payment of 1.2 Bitcoin, approximately $18,000 USD at the time, was not received. The emails originated from onlyfair[@]protonmail.com and reportedly contained threats of imminent violence against students and staff.

 

  • In November 2017, SchoolDesk, a company that provides website hosting solutions for schools, suffered a breach by a hacking group known for distributing ISIS propaganda videos. The breach resulted in the defacement of the Bloomfield Public School District website, where an ISIS-sponsored video was displayed for approximately two hours before being detected and removed. Although no sensitive information was accessed or released, the ability of threat actors to gain remote access to web servers highlighted the impact that third-party vendor vulnerabilities can have on educational institutions.

 

  • A group known as The Dark Overlord claimed responsibility for the breach of numerous school districts in several states across the US in late 2017, including the Johnston Community School District in Iowa, the Splendora Independent School District in Texas, and the Columbia Falls School District in Montana. The breaches stemmed from compromised servers that exposed confidential information including names, phone numbers, and addresses of students, parents, and staff. In some instances, students and parents received violent, threatening messages from the attackers resulting in school closures and canceled extracurricular programs.

Recommendations
The NJCCIC advises our education sector members to take proactive steps to reduce their cyber risk, beginning with comprehensive audits of their networks to identify and patch existing vulnerabilities in outdated operating systems, applications, servers, and websites. Continuously monitor systems for indicators of compromise by running reputable and up-to-date antivirus software and maintain network traffic logs in accordance with your data retention policy. Limit user privileges to only those systems and files required by one’s job functions, and implement strict authentication policies incorporating mandatory password resets, minimum character requirements, and multi-factor authentication for email, web services, and remote access tools. Additionally, encrypting systems and databases that contain sensitive personal data, financial information, and user credentials can mitigate the impacts of data breaches and render stolen data useless. Have an incident response plan in place and report cyber-attacks to your local police department, the FBI, and the NJCCIC.

The Weakest Passwords of 2017

Via: USA Today

Strong passwords, these were not.

With Star Wars: The Last Jedi now in theaters, “starwars” made its debut among the worst passwords used in 2017, according to security company SplashData.

The password “starwars” entered their list in the 16th spot, ahead of passwords including “passw0rd” and “hello.”

“Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words,” said Morgan Slain, CEO of SplashData, in a statement.

SplashData said in a statement Tuesday the list is based on more than five million passwords leaked during the year.

Once again, “123456” is the worst password of the year, followed by “password.” New entrants into SplashData’s list include “123456789” (No. 6) and “letmein” (No. 7).

The company estimates nearly 3% of people used the worst password on the list, while almost 10% have used at least one of the top 25.

To keep accounts secure, users can follow these tips:

Think passphrase, not password. Originally, experts suggested thinking of a super complex password with a variety of numbers, uppercase and lowercase letters, and symbols. The problem is they’re way too tough to remember. Instead, consider a phrase for your password, then tweak it with numbers or symbols you can more easily recall.

Use two-factor authentication. Most big websites offer an additional layer to the login process, where you can request a text message with numeric code or confirmation through an authenticator app to verify your identity.

Make passwords unique. Use a different password for every website. According to SplashData, if hackers get a password for one set of credentials, they will try them across other services.

Consider password managers. If you have a lot of logins to manage, password managers such as Dashlane and LastPass offer automatically generated passwords for the sites you use. The user will have one master password they need to remember to log in to the manager.

View the full article.

Phishing Scams Now Harder to Detect

Via: Krebs On Security

Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Phishers are moving to HTTPS because it helps increase the likelihood that users will trust that the site is legitimate. After all, your average Internet user has been taught for years to simply “look for the lock icon” in the browser address bar as assurance that a site is safe.

Perhaps this once was useful advice, but if so its reliability has waned over the years. In November, Phishlabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.

“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,” he wrote.

What the green lock icon indicates is that the communication between your browser and the Web site in question is encrypted; it does little to ensure that you really are communicating with the site you believe you are visiting.

So what can you do to make sure you’re not the next phishing victim?

Don’t take the bait: Most phishing attacks try to convince you that you need to act quickly to avoid some kind of loss, cost or pain, usually by clicking a link and “verifying” your account information, user name, password, etc. at a fake site. Emails that emphasize urgency should be always considered extremely suspect, and under no circumstances should you do anything suggested in the email.

Phishers count on spooking people into acting rashly because they know their scam sites have a finite lifetime; they may be shuttered at any moment. The best approach is to bookmark the sites that store your sensitive information; that way, if you receive an urgent communication that you’re unsure about, you can visit the site in question manually and log in that way. In general, it’s a bad idea to click on links in email.

Links Lie: You’re a sucker if you take links at face value. For example, this might look like a link to Bank of America, but I assure you it is not. To get an idea of where a link goes, hover over it with your mouse and then look in the bottom left corner of the browser window.

Yet, even this information often tells only part of the story, and some links can be trickier to decipher. For instance, many banks like to send links that include ridiculously long URLs which stretch far beyond the browser’s ability to show the entire thing when you hover over the link.

The most important part of a link is the “root” domain. To find that, look for the first slash (/) after the “http://” part, and then work backwards through the link until you reach the second dot; the part immediately to the right is the real domain to which that link will take you.

“From” Fields can be forged: Just because the message says in the “From:” field that it was sent by your bank doesn’t mean that it’s true. This information can be and frequently is forged.

If you want to discover who (or what) sent a message, you’ll need to examine the email’s “headers,” important data included in all email.  The headers contain a lot of information that can be overwhelming for the untrained eye, so they are often hidden by your email client or service provider, each of which may have different methods for letting users view or enable headers.

Describing succinctly how to read email headers with an eye toward thwarting spammers would require a separate tutorial, so I will link to a decent one already written at About.com. Just know that taking the time to learn how to read headers is a useful skill that is well worth the effort.

Keep in mind that phishing can take many forms: Why steal one set of login credentials for a single brand when you can steal them all? Increasingly, attackers are opting for approaches that allow them to install a password-snarfing Trojan that steals all of the sensitive data on victim PCs.

So be careful about clicking links, and don’t open attachments in emails you weren’t expecting, even if they appear to come from someone you know. Send a note back to the sender to verify the contents and that they really meant to send it. This step can be a pain, but I’m a stickler for it; I’ve been known to lecture people who send me press releases and other items as unrequested attachments.

If you didn’t go looking for it, don’t install it: Password stealing malware doesn’t only come via email; quite often, it is distributed as a Facebook video that claims you need a special “codec” to view the embedded content. There are tons of variations of this scam. The point to remember is: If it wasn’t your idea to install something from the get-go, don’t do it.

Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.

When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that with a “+” sign just to the left of the “@” sign in your email address. For example, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to Gmail and create a folder called “Example,” along with a new filter that sends any email addressed to that variation of my address to the Example folder.

That way, if anyone other than the company I gave this custom address to starts spamming or phishing it, that may be a clue that example.com shared my address with others (or that it got hacked!). I should note two caveats here. First, although this functionality is part of the email standard, not all email providers will recognize address variations like these. Also, many commercial Web sites freak out if they see anything other than numerals or letters, and may not permit the inclusion of a “+” sign in the email address field.

View the full article.

Alert: Phishing Messages from WeTransfer

Please be advised that there are suspicious emails circulating that are targeting members of the Fordham Community. The subject line of these emails contain the words “sent you files via WeTransfer”. The messages contain a file download link from a seemingly legitimate email source. However, the file itself instructs the user to go to a phishing site and enter confidential information.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Files sent via WeTransfer can be easily crafted to look like they are from legitimate email addresses and even trusted third parties. Do not assume a message from WeTransfer is trustworthy based on the displayed name of the sender. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the messages legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

The content of the email is as follows:

————Start of Message————

From: WeTransfer <noreply@wetransfer.com>
Date:
Subject: fake@notreal.com sent you files via WeTransfer
To:

————End of Message————

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.