Category Archives: Alerts

Phishing Scams Targeting Direct Deposits

An increase in cyber threat actors sending phishing emails to education employees for the purposes of obtaining account login information has been seen across the education sector and universities. In these incidents, this information is then typically used to modify the employees’ direct deposit account information. By changing this information, the cyber threat actors reroute the employees’ paychecks to a financial account under the actors’ control. No specific payroll platforms are being targeted, as reports indicate the victims have used various platforms for payroll functionality.

This type of attack utilizes the inherent risk behind the use of single sign-on (SSO) features. SSO allows for the use of a single set of credentials to gain access to connected systems, providing authentication, authorization, access control, and password synchronization across an environment. In these incidents the cyber threat actor usually sends education sector staff a phishing email, a PDF attachment or malicious link. The phishing email often spoofs the account of an IT administrator or senior official. Upon clicking the link or downloading the attachment, the user is prompted to enter their login credentials, which the cybercriminal uses to log into the payroll system. The cybercriminal then changes the direct deposit information for that employee so that the employee’s paycheck is sent to a different account or pre-paid credit card. According to the FBI, in some instances the cyber threat actor is also accessing the employee’s email account and creating rules that immediately forward incoming emails containing specific words to the deleted folder so the employee does not get alerted to the criminal activity.

Fordham University has certain protections in place against such attacks thanks in part to the email protection built into Gmail, email protection services from Proofpoint and DUO’s two-factor authentication. The combination of all these security aspects help protect Fordham accounts from being compromised even if one’s credentials are attained.

If you believe you have received a phishing message or similar suspicious message, please do the following:

  • Do not respond to the message.
  • Do not click on any attachments or links.
  • Do not call the number listed.
  • Do not provide any information such as username and password.
  • If you did respond to the email and provided confidential information, please contact Fordham IT Customer Care ASAP at (718) 817-3999 for instructions on how to manually reset your password.
  • Delete the message.

Please note: Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these emails.

To learn more about protecting yourself online against such phishing attacks as these and others, please take the UISO’s online course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. You can login to Blackboard either via the portal, at My.Fordham.edu, or directly from Fordham’s Blackboard portal.

If you have any questions or concerns, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.

Alert: Phishing Messages from WeTransfer

Please be advised that there are suspicious emails circulating that are targeting members of the Fordham Community. The subject line of these emails contain the words “sent you files via WeTransfer”. The messages contain a file download link from a seemingly legitimate email source. However, the file itself instructs the user to go to a phishing site and enter confidential information.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Files sent via WeTransfer can be easily crafted to look like they are from legitimate email addresses and even trusted third parties. Do not assume a message from WeTransfer is trustworthy based on the displayed name of the sender. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the messages legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

The content of the email is as follows:

————Start of Message————

From: WeTransfer <noreply@wetransfer.com>
Date:
Subject: fake@notreal.com sent you files via WeTransfer
To:

————End of Message————

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Critical macOS High Sierra Update

Apple has released a security update resolving the widely reported authentication bug known as iAmRoot. The UISO recommends that Apple computers running High Sierra (macOS 10.13.x) install this security update.

Due to its critical nature, Apple has deployed this as an automatically-installing update. However, it is still recommended to check for this and any other pending security updates.

The process to update is:

  • Click the  logo in the Taskbar
  • Click App Store
  • Click Updates
  • Install any security related updates shown
    • The recommended patch is Security Update 2017-001

Please do not hesitate to to contact infosec@fordham.edu with any questions.

Sources:

US-Cert: Apple Releases Security Update for macOS High Sierra

New security update fixes macOS root bug

Beware of This Apple iPhone Password Phishing Scam

ios security phishing

Apple’s iPhone customers could potentially fall victim to a scam that would see them unwittingly hand over their Apple ID credentials.

Security researcher Felix Krause on Tuesday published a proof-of-concept that shows how easy it is for hackers to replicate the familiar “Sign In to iTunes Store” Apple prompt on the iPhone and steal a user’s password. According to Krause, developers can turn on an alert inside their apps that look identical to the legitimate pop-up requesting a user’s credentials. If the person inputs the password, the malicious app owner could steal the information and users wouldn’t even know they were targeted.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause wrote in a blog post. “However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app.”

Apple ID alerts are common fare in a typical day using the iPhone. They come up when users want to make an app purchase or when account content, like iCloud data, needs to be accessed. Apple’s legitimate pop-ups display information and then request users input their Apple ID passwords to proceed.

According to Krause, any app developer can create an identical pop-up, and he was able to do just that as part of his research. Users, then, would be hard-pressed to determine whether it was a legitimate password request or one that could leave their credentials open for theft.

Still, Krause said that users can protect themselves by never inputting passwords into pop-ups and instead going into the iPhone’s Settings menu and do it there to ensure it’s a legitimate request. He also suggests clicking the home button when a pop-up is displayed. If the home button closes the app, it was a phishing scam, but if the pop-up remains, it’s a real Apple request.

Looking ahead, Krause believes the best way to fix the problem is by Apple making some tweaks to the way apps ask for Apple ID passwords. Rather than use pop-ups, he says, Apple should ask users to open the Settings app and input their credentials there, thereby eliminating the apps from the process altogether.

(source: http://fortune.com/2017/10/10/apple-iphone-password-phishing-scam/)

Yahoo says all three billion accounts hacked in 2013 data theft

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of owners accounts who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expanding its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it was for companies to get ahead of hackers, even when they know their networks had been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

Source: https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

Alert: Tragic Event Related Scams

Via: US-CERT

“In the wake of Sunday’s tragic event in Las Vegas, US-CERT warns users to be watchful for various malicious cyber activity targeting both victims and potential donors. Users should exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted sources. Event-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, fraudulent donation websites, and door-to-door solicitations relating to the recent tragic event.

To avoid becoming victims of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/10/03/Tragic-Event-Related-Scams

Netflix Scam Warning

via: malwarebytes

Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services that does not mean all the other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com and the content of the email informs us that there has been a problem with our last payment. Obviously to those of us who are not customers of Netflix this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing.

phishing mail

Netflix

Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)

 

So the email asks us to fill out our payment details on a site. This should always be a red flag for everyone. A security-aware company does not provide you with a clickable button to their site. They will tell you to log into their site and provide you with instructions on how to proceed. They will not provide a direct link to a page with a form to fill out asking for billing information and what not.

Pay attention to

When you have to provide such details always look for the green padlock in the address bar of your browser.

green padlock

Remember that the green padlock is not the sole condition, but it is a must before you proceed.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they usually link to the actual layout and images of the website they are pretending to be.

source: https://blog.malwarebytes.com/cybercrime/2017/09/netflix-scam-warning/

Hackers compromised free CCleaner software, Avast’s Piriform says

via: Reuters

SAN FRANCISCO (Reuters) – Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.

The malicious program was slipped into legitimate software called CCleaner, which is downloaded for personal computers and Android phones as often as five million times a week. It cleans up junk programs and advertising cookies to speed up devices.

CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.

A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June’s “NotPetya” attack on companies that downloaded infected Ukrainian accounting software.

“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.

In a blog post, Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. A spokeswoman said that 2.27 million users had downloaded the August version of CCleaner while only 5,000 users had installed the compromised version of CCleaner Cloud.

Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12. A new, uncompromised version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.

The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Williams said.

CCleaner does not update automatically, so each person who has installed the problematic version will need to delete it and install a fresh version, he said.

Williams said that Talos detected the issue at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.

Piriform said it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.

It said the server was closed down on Sept. 15 “before any known harm was done”.

Source: https://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9

Equifax Breach: Find out if you’re affected

via: Shannon Ortiz, Director of IT Security at Fordham University

Dear Colleagues and Students,

As you may have heard in the news, Equifax, a credit reporting agency widely used by major credit card companies, banks, retailers, and lenders (including lenders of student loans), has suffered a serious data breach affecting over 143 million people. Cybercriminals have stolen names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.

Educate yourself about the breach: Equifax has set up a website, equifaxsecurity2017.com, with more information about the breach. Included is a page for checking whether your personally identifiable information (PII) was part of the breach.

If your PII was breached, Equifax gives you the option to enroll in their credit monitoring service, TrustedID Premier. Note that during the enrollment process, Equifax requires you to sign a consent form in which you agree to not take any legal action against Equifax related to the breach.

Good online hygiene: Fordham IT will NEVER ask for your username and password, or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the UISO to validate the legitimacy of these emails.

Educate yourself some more: Take the UISO’s online, self-paced course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. Login to Blackboard via My.Fordham.edu or directly from Fordham’s Blackboard portal.

If you need more information, please reach out to the University Information Security Office: infosec@fordham.edu

Hurricane-Related Scams (Update)

via: US-CERT

As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.

To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/09/08/Hurricane-Related-Scams