Category Archives: News and Events

IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts

Via: KrebsonSecurity

“Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.”

In one version of the scam, criminals are pretending to be debt collection agency officials acting on behalf of the IRS. They’ll call taxpayers who’ve had fraudulent tax refunds deposited into their bank accounts, claim the refund was deposited in error, and threaten recipients with criminal charges if they fail to forward the money to the collection agency.

This is exactly what happened to a number of customers at a half dozen banks in Oklahoma earlier this month. Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said many financial institutions in the Oklahoma City area had “a good number of customers” who had large sums deposited into their bank accounts at the same time.

Dodd said the bank customers received hefty deposits into their accounts from the U.S. Treasury, and shortly thereafter were contacted by phone by someone claiming to be a collections agent for a firm calling itself DebtCredit and using the Web site name debtcredit[dot]us.

“We’re having customers getting refunds they have not applied for,” Dodd said, noting that the transfers were traced back to a local tax preparer who’d apparently gotten phished or hacked. Those banks are now working with affected customers to close the accounts and open new ones, Dodd said. “If the crooks have breached a tax preparer and can send money to the client, they can sure enough pull money out of those accounts, too.”

Several of the Oklahoma bank’s clients received customized notices from a phony company claiming to be a collections agency hired by the IRS.

The domain debtcredit[dot]us hasn’t been active for some time, but an exact copy of the site to which the bank’s clients were referred by the phony collection agency can be found at jcdebt[dot]com — a domain that was registered less than a month ago. The site purports to be associated with a company in New Jersey called Debt & Credit Consulting Services, but according to a record (PDF) retrieved from the New Jersey Secretary of State’s office, that company’s business license was revoked in 2010.

“You may be puzzled by an erroneous payment from the Internal Revenue Service but in fact it is quite an ordinary situation,” reads the HTML page shared with people who received the fraudulent IRS refunds. It includes a video explaining the matter, and references a case number, the amount and date of the transaction, and provides a list of personal “data reported by the IRS,” including the recipient’s name, Social Security Number (SSN), address, bank name, bank routing number and account number.

All of these details no doubt are included to make the scheme look official; most recipients will never suspect that they received the bank transfer because their accounting firm got hacked.

The scammers even supposedly assign the recipients an individual “appointed debt collector,” complete with a picture of the employee, her name, telephone number and email address. However, the emails to the domain used in the email address from the screenshot above (debtcredit[dot]com) bounced, and no one answers at the provided telephone number.

Along with the Web page listing the recipient’s personal and bank account information, each recipient is given a “transaction error correction letter” with IRS letterhead (see image below) that includes many of the same personal and financial details on the HTML page. It also gives the recipient instructions on the account number, ACH routing and wire number to which the wayward funds are to be wired.

A phony letter from the IRS instructing recipients on how and where to wire the money that was deposited into their bank account as a result of a fraudulent tax refund request filed in their name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

On Feb. 2, 2018, the IRS issued a warning to tax preparers, urging them to step up their security in light of increased attacks. On Feb. 13, the IRS warned that phony refunds through hacked tax preparation accounts are a “quickly growing scam.”

“Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions,” the agency noted in the Feb. 2 alert. “Generally, criminals find alternative ways to get the fraudulent refunds delivered to themselves rather than the real taxpayers.”

The IRS says taxpayers who receive fraudulent transfers from the IRS should contact their financial institution, as the account may need to be closed (because the account details are clearly in the hands of cybercriminals). Taxpayers receiving erroneous refunds also should consider contacting their tax preparers immediately.

If you go to file your taxes electronically this year and the return is rejected, it may mean fraudsters have beat you to it. The IRS advises taxpayers in this situation to follow the steps outlined in the Taxpayer Guide to Identity Theft. Those unable to file electronically should mail a paper tax return along with Form 14039 (PDF) — the Identity Theft Affidavit — stating they were victims of a tax preparer data breach.”

Source: https://krebsonsecurity.com/2018/02/irs-scam-leverages-hacked-tax-preparers-client-bank-accounts/

Scammers Mimic Apple in Latest Round of Phishing Campaigns

Via: Malwarebytes Labs

We’ve seen a number of Apple-related phishes in circulation over the last few days. While most of them already lead to deactivated phishing sites, we thought it was worth highlighting some of the tricks being used to bait people into handing over payment details at the moment.

Fake receipt emails
First up, a number of fake “receipt” emails ranging in date from February 2–6. While the content of some of the emails varies slightly, most of them use a subject line similar to the below:

[ New Statement ] Your receipt from Apple [ 02 February 2018 ]

In the cases we’ve seen, the mails claim to be receipts for a payment of $9.99 made out to, er, Mr. Edward Snowden. Apparently, privacy campaigns and 2 terabyte storage plans go together nicely.

The good news for potential clickers is, the site the scammers are trying to bounce through is already wise to the scam and has effectively killed the one-way street to the phish page. The phish link itself is also offline, so we can’t show you what may lie in wait. But we can confirm people won’t be losing money to this one anytime soon.

Someone else logged in
Elsewhere, we have a “Reminder” notification that someone else is logging in on your Apple account with an iPod in Monaco.

The email reads as follows:

[Reminder] [Notification Update] Statement new log-in your Apple account with other device
Fοuг уοuг ѕаfеtу, уοuг Αррlе ID hаѕ Ьееn lοсκеd Ьесаuѕе wе fοund ѕοmе ѕuѕрісіοuѕ асtіνіtу οn уοuг ассοunt. Ѕοmеοnе ассеѕѕіng уοuг ассοunt аnd mаκе ѕοmе сhаngе οn уοuг ассοunt іnfοгmаtіοn. This the details :
Country : Monaco
IP Address :
Date and Time : 13:09, 06 Feb 2018
OS : iPod
Browser : Safari
If you did not make these action or you believe an unauthorized person has accessed your account, you should login to your account as soon as possible to verify your information.

Apart from the lazy typos (“Four your safety”) and awful sentence structure, they also make use of some Cyrillic characters in a likely attempt to bypass Bayesian filtering. While the destination site was offline again, it’s worth noting that all of the examples tried to send potential victims to HTTPS websites, instead of the plain old HTTP landing page. All phishers now want to look as “secure” as they possibly can—anything to help pull the wool over your eyes.

Always worth repeating: Just because a website is HTTPS does not mean it is a legitimate website. Phish pages can lurk anywhere, no matter what security the page you’re on happens to be touting.
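As an added example (not code from the Malwarebytes post), here is a small Python check that does what a mail filter needs to do against the sample above: flag words that mix Latin with Cyrillic or Greek letters, and map the look-alike characters back to ASCII so the filter scores the words the recipient actually sees. The confusables table is a hand-built subset, and the sample line is reconstructed from the email's first three words with explicit escapes; a genuine all-Cyrillic word is included to show it is not flagged.

```python
import re
import unicodedata

# Hand-built subset of Unicode confusables: Cyrillic and Greek letters that
# render like Latin letters (covers every substituted letter in the sample).
CONFUSABLES = {
    # Cyrillic lowercase
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0433": "r", "\u042c": "b",   # the soft sign is used in place of "b"
    # Cyrillic uppercase
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S",
    # Greek
    "\u03bf": "o", "\u03ba": "k", "\u03bd": "v", "\u0391": "A", "\u0392": "B",
    "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K", "\u039c": "M",
    "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
}


def script_of(ch):
    """Script of a letter taken from its Unicode name ('LATIN', 'CYRILLIC',
    'GREEK', ...); None for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def is_mixed_script(word):
    """True if the letters of one word come from more than one script."""
    return len({s for s in map(script_of, word) if s}) > 1


def is_lookalike(word):
    """True if the word has non-Latin letters and every one of them is a Latin
    look-alike. Genuine Cyrillic or Greek words contain letters with no Latin
    twin, so they are left alone; whole-word substitutions are still caught."""
    non_latin = [ch for ch in word if script_of(ch) not in (None, "LATIN")]
    return bool(non_latin) and all(ch in CONFUSABLES for ch in non_latin)


def normalize(text):
    """Rewrite look-alike words with their Latin letters; other text is unchanged."""
    return "".join(
        "".join(CONFUSABLES.get(ch, ch) for ch in tok) if is_lookalike(tok) else tok
        for tok in re.split(r"(\s+)", text)
    )


def assess(text):
    """Report what a filter would act on: flagged words and the normalized text."""
    words = re.findall(r"\S+", text)
    return {
        "mixed_script_words": [w for w in words if is_mixed_script(w)],
        "lookalike_words": [w for w in words if is_lookalike(w)],
        "normalized": normalize(text),
        "suspicious": any(is_lookalike(w) for w in words),
    }


# Constructed sample inputs. SAMPLE reproduces the first three words of the
# email above with explicit escapes: "Fοuг уοuг ѕаfеtу", i.e. "Four your safety".
SAMPLE = "F\u03bfu\u0433 \u0443\u03bfu\u0433 \u0455\u0430f\u0435t\u0443"
CLEAN = "For your safety, your Apple ID has been locked"
RUSSIAN = "\u043f\u0440\u0438\u0432\u0435\u0442"  # a real Cyrillic word; must not be flagged
WHOLE_WORD = "\u0455\u0435\u0435"                  # "see" spelled entirely in Cyrillic

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("clean", CLEAN),
                        ("russian", RUSSIAN), ("whole-word", WHOLE_WORD)):
        print(f"{label:10} {assess(text)}")
```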

Apple care scare
There are also some dubious texts going around claiming to be from Apple Care:

It reads as follows:

Final Notification
Your Apple ID is due to expire today. Prevent this by confirming your Apple ID at
appleid-revise(dot)com
Apple Inc

As you can see, there’s a big push to apply pressure to potential victims, and everything falls somewhere between the two extremes of “Payment made, quick do something!” and “So, your account is going to be terminated.” While we’re happy to say this is another one that came to our attention already DOA, even as texts were going out, the sad truth is that for every site taken down there are many more happily accepting credit card details and personal information.

Fake app purchases
We’ve also seen some fake app purchases, and this one rather spookily has an order number attached that was actually of some relevance to the recipient.

While one hopes this is just some horrible coincidence, it could just as easily have prompted the above individual to start visiting rogue links—and that’s all it really takes. Just one fragment of information from an otherwise garbled email missive could be enough to cost someone a small fortune—or even worse, a very large one.

If you’re worried about the pushy tone of a supposed Apple missive, contact them directly to check its validity, and wander over to their help page for more information on securing your Apple account. These are some of the most common scams around, and for as long as Apple IDs are tied to valuable purchases and personal information, criminals will continue to target these accounts.

Read the full article.

Chrome to Start Blocking Annoying Ads February 15

Via: Gizmodo

On Thursday, the Chrome browser will begin to automatically filter out ads that don’t meet certain quality standards. Your browsing experience is about to change a little bit. Here’s what you need to know.

In April of last year, the news first broke that Google planned to integrate some form of ad-blocking into its browser that would be on by default. Since then we’ve seen a gradual rollout of the feature, beginning with the ability to mute autoplay videos with sound on the sites of your choosing. Now, Google is going all-in with a set of criteria for what ads will be kosher in Chrome.

12 types of ads that Chrome will now automatically block.

Along with its fellow ad giant Facebook, Google is a member of the Coalition for Better Ads, an industry group that has performed research on which forms of web advertising annoy people the most. It’s created a list of the 12 types of web experiences that should ideally be avoided by advertisers. Now Google is going to enforce that list with Chrome, which is used by over half of all people accessing the web with a browser.

On Wednesday, the company published a blog post detailing how the system will work. Initially, Google will take a sample of various pages on a specific domain and analyze whether that page is serving any of the offending ad categories. It’ll be given a score of “Passing, Warning, or Failing.” Sites that don’t manage to get a passing grade will be notified by Google and they can review an ad experience report for details on what needs to change. If a site ignores multiple warnings, its ads will be blocked by default after 30 days.

If a user visits a site that’s being filtered by Chrome, they’ll see a message in the address bar that gives them the option to still allow ads—on mobile, users will see a pop-up at the bottom of the screen that will give them the same option. Yes, pop-up ads are blocked, and Google will be informing you with a pop-up notification.

View the full article.

Educational Institutions Attractive Target for Cybercriminals

Via: NJ Cybersecurity and Communications Integration Cell

The NJCCIC assesses with high confidence that educational institutions across the globe will remain attractive targets for a range of cyber-attacks designed to disrupt daily operations, steal sensitive data, instill fear in the community, and hold critical operational data for ransom. In October 2017, the US Department of Education issued an updated Cyber Advisory warning schools about a new method of cyber extortion impacting institutions across the country.

In recent attacks, cyber-criminals demanded large ransom payments in exchange for sensitive student record information obtained via schools’ compromised networks. In some instances, cyber-criminals made direct threats to the safety of students and staff members via SMS messaging. According to Verizon’s 2017 Data Breach Investigations Report, the education sector was impacted by approximately 455 security incidents in 2016, with at least 73 of these events involving the disclosure of data. As the use of technology within the classroom is increasingly required for educational purposes, more schools are implementing Bring Your Own Device (BYOD) policies, allowing students and employees to connect their personal computers, tablets, and mobile phones to their networks. Unfortunately, if BYOD is not implemented with security in mind, schools could be exposing their networks and sensitive data to an increased risk of compromise created by vulnerable and infected devices. Sophisticated and profit-motivated threat actors are cognizant of this fact and will continue to target universities and school districts as many of them do not have adequate resources, funding, or staffing to properly protect and defend their networks.

  • The NJCCIC recently alerted its education sector members to a cyber-extortion campaign targeting educational institutions in Florida. In this targeted attack, emails were sent to the presidents of several colleges and universities threatening mass shootings and bombings if a payment of 1.2 Bitcoin, approximately $18,000 USD at the time, was not received. The emails originated from onlyfair[@]protonmail.com and reportedly contained threats of imminent violence against students and staff.

  • In November 2017, SchoolDesk, a company that provides website hosting solutions for schools, suffered a breach by a hacking group known for distributing ISIS propaganda videos. The breach resulted in the defacement of the Bloomfield Public School District website, where an ISIS-sponsored video was displayed for approximately two hours before being detected and removed. Although no sensitive information was accessed or released, the ability of threat actors to gain remote access to web servers highlighted the impact that third-party vendor vulnerabilities can have on educational institutions.

  • A group known as The Dark Overlord claimed responsibility for the breach of numerous school districts in several states across the US in late 2017, including the Johnston Community School District in Iowa, the Splendora Independent School District in Texas, and the Columbia Falls School District in Montana. The breaches stemmed from compromised servers that exposed confidential information including names, phone numbers, and addresses of students, parents, and staff. In some instances, students and parents received violent, threatening messages from the attackers resulting in school closures and canceled extracurricular programs.

Recommendations
The NJCCIC advises our education sector members to take proactive steps to reduce their cyber risk, beginning with comprehensive audits of their networks to identify and patch existing vulnerabilities in outdated operating systems, applications, servers, and websites. Continuously monitor systems for indicators of compromise by running reputable and up-to-date antivirus software and maintain network traffic logs in accordance with your data retention policy. Limit user privileges to only those systems and files required by one’s job functions, and implement strict authentication policies incorporating mandatory password resets, minimum character requirements, and multi-factor authentication for email, web services, and remote access tools. Additionally, encrypting systems and databases that contain sensitive personal data, financial information, and user credentials can mitigate the impacts of data breaches and render stolen data useless. Have an incident response plan in place and report cyber-attacks to your local police department, the FBI, and the NJCCIC.

Meltdown & Spectre – How to Protect Yourself

Following up on our previous post sharing what was then breaking information about these vulnerabilities, the UISO would like to share some additional best practices to follow in order to reduce one’s risk of attack.

Install Operating System Updates on Personal Devices

Staying current with security updates on personal devices is always advised, and all major operating systems not currently end-of-life have patches in place that aid in reducing risk. The following are guides for updating one’s operating system for those not familiar with the process.

Limit JavaScript in your Web Browser

One of the methods by which Meltdown and Spectre can be triggered is via JavaScript, which can run when you visit a website hosting malicious code, whether you went there deliberately or were sent there by a targeted advertisement. The UISO recommends adding a browser extension that limits exposure to potentially malicious JavaScript.

For performance purposes, it is recommended to install one or the other of these extensions, but not both.

Research is still underway, and as further methods to mitigate the risk posed by these vulnerabilities are assessed by the information security community we will share them accordingly.

As always, please subscribe to this blog, our Twitter feed, or our Facebook page for updates, and contact the UISO with any questions or concerns.

Critical macOS High Sierra Update

Apple has released a security update resolving the widely reported authentication bug known as iAmRoot. The UISO recommends that anyone with an Apple computer running High Sierra (macOS 10.13.x) install this security update.

Due to its critical nature, Apple has deployed this as an automatically installing update. However, it is still recommended to check for this and any other pending security updates.

The process to update is:

  • Click the Apple logo in the menu bar at the top-left of the screen
  • Click App Store
  • Click Updates
  • Install any security related updates shown
    • The recommended patch is Security Update 2017-001

Please do not hesitate to contact infosec@fordham.edu with any questions.

Sources:

US-Cert: Apple Releases Security Update for macOS High Sierra

New security update fixes macOS root bug

Alert: Tragic Event Related Scams

Via: US-CERT

“In the wake of Sunday’s tragic event in Las Vegas, US-CERT warns users to be watchful for various malicious cyber activity targeting both victims and potential donors. Users should exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted sources. Event-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, fraudulent donation websites, and door-to-door solicitations relating to the recent tragic event.

To avoid becoming victims of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/10/03/Tragic-Event-Related-Scams

Article: Hackers Say Humans Most Responsible for Security Breaches

Via: SecurityWeek.com

Hackers Say Humans Are the Weakpoint and That Traditional Defenses Cannot Protect Them

Under the principle of set a thief to catch a thief, 250 hackers at Black Hat 2017 were asked about their hacking methods and practices. By understanding how they work and what they look for, defenders can better understand how to safeguard their own systems.

Thycotic surveyed (PDF) a cross section of hackers attending Black Hat. Fifty-one percent described themselves as white hats; 34% described themselves as grey hats using their skills for both good and bad causes; and 15% self-identified as out-and-out black hats.

The hackers’ number one choice for fast and easy access to sensitive data is gaining access to privileged accounts (31%). Second is access to an email account (27%), and third is access to a user’s endpoint (21%). All other routes combined totaled just 21%.

The hackers also confirmed that perimeter security, in the form of firewalls and anti-virus, is irrelevant and obsolete. Forty-three percent are least troubled by anti-virus and anti-malware defenses, while 29% are untroubled by firewalls. “Hackers today are able to bypass both firewalls and AV using well known applications and protocols or even VPN that hide within expected communications,” explains Joseph Carson, Thycotic’s chief security scientist. “For example, VOIP, streaming services etc. Because of the ability to hide within normal business applications or the use of authenticated stolen credentials, they are stating that these technologies are no longer sufficient to prevent cyber-attacks on their own.”

Overall, the hackers find MFA and encryption their biggest obstacles. “As hackers increasingly target privileged accounts and user passwords,” explains Thycotic, “it’s perhaps not surprising that the technologies they considered the toughest to beat include Multi-Factor Authentication (38%) and Encryption (32%), with endpoint protection and intrusion prevention far behind at 8% and 5% respectively.”

Ultimately, however, the hackers believe that humans are most responsible for security breaches. Only 5% consider that insufficient security software is the problem, while 85% named humans as most responsible for security breaches. The problem is ‘cyber fatigue’.

Cyber fatigue is blamed on the constant pressure to obey policy and good practice. “‘Remembering and changing passwords’ was the top source of cybersecurity fatigue (35%), a major vulnerability that hackers are all too willing to exploit,” notes Thycotic. “Other contributing factors included ‘Information overload’ (30%), ‘Never ending software updates’ (20%) and ‘Living under constant cyber security threats’ (15%).”

Perhaps surprisingly, hackers do not consider threat intelligence solutions to be an obstacle. “Because Threat Intelligence solutions are also accessible to hackers, they may be able to easily identify how they work and therefore avoid detection by them,” suggests Thycotic.

The survey suggests that humans are a weak point, traditional perimeter defenses are ineffective, and user credentials are the target. “With traditional perimeter security technologies considered largely irrelevant, hackers are focusing more on gaining access to privileged accounts and email passwords by exploiting human vulnerabilities allowing the hacker to gain access abusing trusted identities,” comments Carson. “More than ever, it is critical for businesses to mitigate these risks by implementing the right technologies and process to ward off unsuspecting attacks and access to sensitive data.”

His conclusion is that “The new cybersecurity perimeter must incorporate an identity firewall built around employee and data using identity and access management technology controls which emphasizes the protection of privileged account credentials and enhances user passwords across the enterprise with multi-factor authentication.”

Source: http://www.securityweek.com/hackers-say-humans-most-responsible-security-breaches

Article: Apple fixes dozens of security bugs for iPhones, Macs.

Via: ZDNet

“Apple has squashed dozens of security bugs in its latest releases of its iPhone, iPad, and Mac operating systems.

The Cupertino, Calif.-based company rolled out 23 security fixes in iOS 10.3.2 and another 30 fixes in macOS 10.12.5, both of which were released on Monday.

Among the bugs, two bugs in iBooks for iOS could allow an attacker to arbitrarily open websites and execute malicious code at the kernel level. Over a dozen flaws were found in WebKit, which renders websites and pages on iPhones and iPads, that could allow several kinds of cross-site scripting (XSS) attacks.

A separate flaw in iBooks for macOS desktops and notebooks could allow an application to escape its secure sandbox, a technology used to prevent data loss or theft in the case of an app compromise.

Almost half of the bugs found were attributed to Google’s Project Zero, the search giant’s in-house vulnerability-finding and security team.

One of the iOS bugs credited to Synack security researcher Patrick Wardle described a kernel flaw in which a malicious application could read restricted memory, such as passwords or hashes.

In a blog post last month, Wardle explained how he found the zero-day flaw following a supposed fix in an earlier version of macOS 10.12. He said that Apple’s patch “did not fix the kernel panic” and worse, “introduced a kernel info leak, that could leak sensitive information” that could bypass the operating system’s security feature that randomizes the kernel’s memory address locations.

In an email, Wardle admitted he “didn’t realize it affected iOS too.”

Patches are available through the usual automatic update channels.”

Source: http://www.zdnet.com/article/apple-fixes-dozens-of-security-bugs-in-ios-10-3-2-macos-updates/?loc=newsletter_large_thumb_related&ftag=TREc64629f&bhid=22897651806331074555632548278564

Alert: Critical Microsoft Vulnerability

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Defending Against Ransomware Generally

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.